While the move to the home office means work can be done in our most comfortable attire, it also means security teams have had to work relentlessly to secure company data and stop any unauthorised access to accounts, with employees spread far and wide.
Unauthorised account access is by no means a new security threat. Our research showed that 37% of professionals agree that it is one of their top concerns. But with the move to remote working, there is an increased risk of Account Takeover (ATO) and other Business Email Compromise (BEC) attacks.
The potential impact of these types of attacks is enormous, and they can lead to sustained and varied impersonation campaigns. In fact, BEC attacks accounted for 50% of cybercrime losses in 2019, with the average attack costing $75,000.
With the traditional perimeter fading from relevance, security teams need a new solution to fight unauthorised access. Context and identity will have to go hand in hand.
Context and identity go hand in hand to fight unauthorised access
With teams dispersed away from the safety of the organisation’s network, IT teams are continually having to review risk. Context becomes king.
If the login is requested from a strange location, time, day or device, a secure authentication solution should pick this up and ensure further verification before allowing access.
For example, you need to consider:
- Where an employee is – is that their normal location? Have they alerted you to a change at all?
- When are they trying to connect – what time of day, or day of the week, is the access being requested? Is this expected behaviour?
- What device is being used – is this a familiar device?
- What documents they are trying to access – do they have access to those documents? Is it unusual behaviour for them to try and gain access?
With this comes a move towards a Zero Trust approach based on an ‘authenticate then connect’ model, where employees are only allowed to connect to the services they have permission for once they have been authenticated.
This should ideally happen with adaptive Multi-Factor Authentication (MFA).
The three ‘somethings’ to ensure identity
Administrator, finance and executive accounts are the most sought after by cybercriminals. With so many routes to harvesting login details and breaking into accounts, it is clear password management alone is not enough to keep cybercriminals at bay.
According to our report, 41% of professionals are using the same passwords across accounts, which is the dream of hackers everywhere, so it’s time to change the locks on the digital doors. There must be a new perimeter, one where context is, quite literally, one of the keys.
There are three ‘somethings’ you need to consider when it comes to secure authentication for employee identity:
- Something you know: This is your standard password. Making sure that employees practise good password hygiene – changing it regularly, not using easy-to-guess words, and combining letters, numbers and symbols – is important.
- Something you have: The authenticator in place to provide a One-Time Passcode (OTP) via SMS or an app.
- Something you are: This adds biometrics to the mix – finger vein and palm vein patterns, for example. Without something you are, you’re relying on device-based authentication only. The biometric factor, such as a fingerprint, must be linked to a specific user – not just enrolled on the device generally.
Adaptive Multi-Factor Authentication (MFA) is extremely valuable here. It ensures any stolen credentials cannot be used to gain access to your organisation’s environment, challenging the user based on contextual flags such as location or device, and providing flexible delivery of session-specific, real-time generated one-time passcodes.
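As an added illustration (not code from the original article or from any vendor product), a small Python policy that turns the where / when / which-device questions listed earlier and the authenticate-then-connect rule into an access decision of allow, step up to MFA, or deny; the flag weights, the thresholds, the Baseline fields and the ALICE record are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed policy weights for the contextual flags the article lists
# (location, time/day, device); the values are assumptions, not a product's.
WEIGHTS = {"unfamiliar_location": 3, "unfamiliar_device": 3,
           "outside_work_hours": 1, "outside_work_days": 1}
STEP_UP_AT = 1  # any flag at all forces further verification before access
BLOCK_AT = 6    # e.g. new location AND new device: refer to the security team

@dataclass(frozen=True)
class Baseline:
    """What the organisation already knows about one employee."""
    countries: frozenset   # usual login countries
    devices: frozenset     # identifiers of enrolled, familiar devices
    work_hours: tuple      # (start, end) on a 24h clock, end exclusive
    work_days: frozenset   # 0 = Monday ... 6 = Sunday
    permitted: frozenset   # services/documents the user is authorised for

def contextual_flags(country: str, device_id: str, when: datetime,
                     base: Baseline) -> list:
    """Answer the article's where / when / which-device questions as flags."""
    flags = []
    if country not in base.countries:
        flags.append("unfamiliar_location")
    if device_id not in base.devices:
        flags.append("unfamiliar_device")
    start, end = base.work_hours
    if not start <= when.hour < end:
        flags.append("outside_work_hours")
    if when.weekday() not in base.work_days:
        flags.append("outside_work_days")
    return flags

def decide(country: str, device_id: str, when: datetime, resource: str,
           base: Baseline) -> tuple:
    """Return (decision, flags); decision is 'allow', 'step_up' or 'deny'."""
    # Authenticate-then-connect: no permission for the resource, no connection.
    if resource not in base.permitted:
        return "deny", ["no_permission"]
    flags = contextual_flags(country, device_id, when, base)
    score = sum(WEIGHTS[f] for f in flags)
    if score >= BLOCK_AT:
        return "deny", flags
    if score >= STEP_UP_AT:
        return "step_up", flags
    return "allow", flags

# Constructed baseline for a hypothetical finance employee.
ALICE = Baseline(frozenset({"GB"}), frozenset({"laptop-7f3a"}), (8, 19),
                 frozenset(range(5)), frozenset({"payroll", "mail"}))
```

A familiar device from the usual country during working hours is allowed through; a late-night weekend login from the same device is stepped up; a new device from a new country is refused and referred, and a resource the user has no permission for is refused before context is even weighed.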
Clearly, working from home requires an added level of trust in staff to go about their day-to-day, but, when it comes to securing this new flexible and elusive perimeter, things shouldn’t be left to chance.
In taking on board the authenticate then connect approach, considering all ‘three somethings’, and acknowledging where MFA can help fortify account security, your operation has the best possible opportunity for protection – while emphasising to the wider business that security is non-negotiable.
You can find out more about Multi-Factor Authentication, context identity and how to secure authentication here.