Computing Profession

Securing the Enterprise When Employees are Remote

Security experts say hybrid organizations need to take a risk-based approach to security, which can involve three key strategies: zero trust, validating users rather than devices, and monitoring data and network access patterns for anomalies.

Permitting workers to split their time between their home and office can improve job satisfaction and, in some cases, productivity. However, hybrid work arrangements can introduce additional layers of complexity and risk to an organization's technology systems and data. As such, IT departments need to consider several security technologies, processes, and policies to guard against cybersecurity threats that can be more easily exploited by workers that are on the go, or are working in unsecure environments.

For starters, security experts interviewed for this article highlight the importance of insisting that hybrid workers utilize virtual private networks (VPNs), which allow a direct, secure connection between their device and a corporate system, as well as virtual desktops (which ensures all activity and data remain within a corporate, secure environment) when accessing company information offsite.

IT leaders also must reinforce to hybrid workers that the most basic strategies used to mitigate security risks within a traditional enterprise environment are still relevant, no matter where a worker may be physically located, or what type of device is being used to access network resources.

"Before purchasing the newest endpoint protection software or cloud-based identity solution to help secure assets and connectivity, leadership should instead begin by authoring policy and standards that support both the organization's remote work strategy and the overall business strategy," says Jon Anderson, manager of Schellman & Co., a global cybersecurity assessor. "The policy and standards should include language which clearly defines expectations regarding the physical security of the remote work environment, rules for the use of corporate equipment, security considerations for working from public locations, remote network access requirements, employee bring-your-own-device responsibilities, and incident reporting guidelines."

Steve Tcherchian, chief information security officer and chief product officer at cybersecurity solutions company XYPRO, says that if a worker is permitted to use personal devices, such as laptops or smartphones, to access any company resources or networks, children, spouses, or others in the household should not have any access to those devices, given the possibility that malware or viruses could have been inadvertently downloaded. Says Tcherchian, "You don't want a game or app your kids downloaded three months ago to be the reason your company's network is now compromised."

For hybrid workers, ongoing training delivered in short bursts may be the key to establishing good cybersecurity practices that become second nature, even when the user is not under the watchful eye of the onsite IT team, explains Rahul Mahna, managing director at EisnerAmper's Outsourced IT Services team. "We don't have a one- or two-hour cybersecurity training, like some firms do," Mahna says, noting that EisnerAmper conducts phishing tests every quarter; if a worker fails a random phishing test, they are immediately prompted with a two- to five-minute video explaining what they did wrong. "We found a really high [information] retention rate and level of understanding with those learning 'snacks,' versus making them sit down for a couple of hours of extended cybersecurity training."

Security experts say organizations need to take a risk-based approach to security, which can involve three key strategies: zero trust, validating users rather than devices, and monitoring data and network access patterns for anomalies.

"Employees will be connecting from everywhere," says Murat Kantarcioglu, a professor of computer science at The University of Texas at Dallas and director of the Data Security and Privacy Lab at UT Dallas. "And this requires the use of a zero-trust architecture, where you don't trust anyone or anything."

A zero-trust security architecture requires all users, whether inside or outside the organization's network, to be authenticated, authorized, and continuously validated before being granted, or allowed to keep, access to applications and data. Many organizations have adopted NIST 800-207, which specifies the authentication and authorization functions that must be performed before access to a specific resource is granted, and which was developed in response to the growing use of distributed network assets, remote users, and bring-your-own-device policies, all of which gained popularity during the pandemic.

Organizations have long used some form of multi-factor authentication to control access to company resources. This authentication works on the principle of so-called trusted devices: it presumes that the recipient of a one-time code is also the owner of the device it was sent to. A typical process involves a user entering a login credential, after which a second verification code is sent either via an SMS message or through an authentication app on a second device. The user must then enter that code to gain access to the requested asset or network.

However, criminals and scammers have tricked some users into sharing those access codes, often by calling users while pretending to be a legitimate organization, such as the post office, a bank, or even an IT professional from the user's own company, and asking for the code that was just delivered to the user's phone by text or email. That is why some companies are moving to a security concept known as identity access management, in which individuals, rather than devices, are consistently verified and authenticated.

Given the ubiquity of cellphone cameras and facial recognition techniques, users can be authenticated and verified each time they need to access a sensitive application or system. One such system is offered by Nametag, which uses AI to scan a user's government-issued identification to confirm its legitimacy and establish the person's identity. The user then shares a photo of themselves so it can be matched to the photo on the government-issued credential; the AI compares specific, unchanging features of the face, such as the distance between the pupils, across the two images to establish confidence in the match.

When a system uses Nametag to grant access privileges or otherwise verify a user, a small mobile application (an App Clip on iOS devices, an Instant App on Android devices) is sent to the device and serves as the authentication application. To gain access, the user either logs into the phone using Face ID or simply snaps a selfie, which is compared against the verified government ID credential stored in the cloud and retrieved using a secure encryption key held in the app.

According to Aaron Painter, CEO of Nametag, this method of verification combines the convenience of multifactor authentication with the benefits of using a trusted verification asset (the user's face) to ensure secure access to systems, or the secure sharing of personal details.

"So what we've done is we've merged this world of one time ID verification with the world of multifactor authentication," Painter says. "We bring them together, and we've created a way to make it reusable so that you have someone do an ID scan, but then we're able to trust the device that they're using, so that [the credentials] are reusable. And we can essentially re-verify them every time they sign in or every time they're prompted."

The third piece of managing hybrid workers is to periodically monitor and analyze their device usage, data usage, and system-access patterns. A spike in a user's frequency of accessing company systems or data, a change in which specific applications or data stores are accessed, or instances of a user logging in from multiple locations within a short period of time could each be a sign that the user's account has been compromised.

"Social engineering attacks are still there; users need to be vigilant, and companies need to warn their employees, but there are other ways that attacks can be successful, even if the end user is very careful," Kantarcioglu says. "So tracking what users are doing, monitoring what information is being accessed and downloaded, and [analyzing] from which geographic locations users are working needs to be implemented" to better secure corporate systems and resources in an age of hybrid and remote workers.
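As an added example (not code from the article or from any organization named in it), the following Python checks a constructed set of access events for the three signals the preceding paragraphs describe: a spike in login frequency, access to an application outside the user's usual set, and logins from two locations within a short window. The baselines, thresholds, user names and applications are all assumed placeholders.

```python
"""Flag the three account-compromise signals the article lists over constructed access events."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (user, ISO timestamp, login country, application).
EVENTS = [
    ("alice", "2024-03-04T09:02:00", "US", "mail"),
    ("alice", "2024-03-04T09:40:00", "US", "wiki"),
    ("alice", "2024-03-04T10:15:00", "DE", "mail"),       # second country 35 minutes later
    ("bob",   "2024-03-04T08:00:00", "US", "mail"),
    ("bob",   "2024-03-04T08:05:00", "US", "hr-portal"),  # application outside bob's baseline
]
# Constructed per-user baselines (assumed): usual logins per day and usual applications.
BASELINE = {
    "alice": {"logins_per_day": 1, "apps": {"mail", "wiki"}},
    "bob":   {"logins_per_day": 4, "apps": {"mail"}},
}
MULTI_LOCATION_WINDOW = timedelta(hours=1)  # assumed threshold for "short period of time"
SPIKE_FACTOR = 2                            # assumed: flag more than 2x the usual daily logins


def find_anomalies(events, baseline, window=MULTI_LOCATION_WINDOW, spike=SPIKE_FACTOR):
    """Return (user, reason) findings for the three signals described in the article."""
    by_user = defaultdict(list)
    for user, ts, country, app in events:
        by_user[user].append((datetime.fromisoformat(ts), country, app))
    findings = []
    for user, evs in by_user.items():
        evs.sort()  # chronological order so consecutive pairs are adjacent logins
        base = baseline.get(user, {"logins_per_day": 1, "apps": set()})
        # Signal 1: spike in how often the user accesses company systems.
        for day, n in Counter(t.date() for t, _, _ in evs).items():
            if n > spike * base["logins_per_day"]:
                findings.append((user, f"{n} logins on {day}, usual {base['logins_per_day']}"))
        # Signal 2: change in which applications or data stores are accessed.
        for app in sorted({a for _, _, a in evs} - base["apps"]):
            findings.append((user, f"new application {app}"))
        # Signal 3: logins from different locations within a short period.
        for (t1, c1, _), (t2, c2, _) in zip(evs, evs[1:]):
            if c1 != c2 and t2 - t1 <= window:
                findings.append((user, f"{c1} then {c2} within {t2 - t1}"))
    return findings


if __name__ == "__main__":
    for user, reason in find_anomalies(EVENTS, BASELINE):
        print(f"{user}: {reason}")
```

In production the baselines would be learned from historical logs rather than hard-coded, and each finding would feed a review queue rather than block access outright.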


Keith Kirkpatrick is Principal of 4K Research & Consulting LLC, in New York, NY, USA.
