Reality has just caught up with us. The new COVID-19 variants (there seems to be a new one every week since the beginning of the year) is spreading around the world at a worrisome pace. Most western countries are back to strict restrictions with potential new confinements looming before Spring. The vaccination campaign is extremely slow. The Biden Administration just revealed on day two that it inherited a nonexistent coronavirus vaccine distribution plan and that it must now start from scratch. Concretely, what it means is that employees will continue to work from home and there is no end in sight for the near future. Also, the FBI recently reported that the number of complaints about cyberattacks to their Cyber Division is up to as many as 4,000 a day. That represents a 400% increase from what they were seeing pre-coronavirus. The targets: corporations of all sizes, governments, and critical infrastructures.
What does this all mean in terms of securing access for your remote workforce? Just for grins, I’m going to start with the solution and list the requirements that any company that’s concerned with cyber criminality should take into account. The solution must include:
User identity proofing: How can you know employees are who they say they are when accessing your company’s systems and apps remotely? If their identities have not been verified indisputably beforehand, then you simply cannot know for a fact who they are. The identity proofing process should take place during the (remote) onboarding stage to avoid any risk of impersonation when a new hire comes onboard. It consists of verifying in real-time an employee’s corporate credentials and personal documents against trusted sources of truth (government databases, for example). For more details, check out the user journey that shows all the steps needed to verify the identity of your workforce.
Passwordless authentication that leverages advanced biometrics: On the topic of password authentication, the magic number is eighty-one: the percentage of data breaches caused by poor password management. And yet, passwords represent the authentication mechanism of choice for just about anything needed to conduct business, including accessing applications via an SSO platform, critical systems as a privileged user, or logging into a VPN solution. 2FA and MFA solutions that leverage passwords do not bring much improvement, because the first authentication factor is a password, a string of characters that its owner may share or, that someone else may know, guess, or infer. And password-cracking software is available online and only for about $40. For a bit more money on the Dark Web, you can purchase a solution that can leverage cheap processor power to cycle through thousands of hash permutations and open an account in minutes through brute-force efforts. The key for flawless authentication is a smartphone-based passwordless solution that uses an advanced, unspoofable form of biometrics to certify the employee is who he or she says he or she is. The biometrics of choice is a liveness test, which is immune to deep fakes. More here.
User data stored encrypted in the blockchain: An overwhelming majority of businesses store user data unencrypted in centralized systems that offer a single point of failure. A cybercriminal only needs to compromise the credentials of an employee who has access to the centralized password repository. And given the level of passwords mismanagement, little efforts are often required. A key particularity of Blockchain is that data can only be written or read. What it infers is that all logs pertaining to users’ activity in terms of authentication get recorded, cannot be tampered with since data written to the blockchain cannot be deleted, consequently making the results of all audits indisputable. More about centralized databases versus Blockchain technology.
Five years ago, conferences organized by the International Labour Office concluded that telecommuting, or in other words remote work, definitely seemed to represent the future of the modern workforce. Today, it’s neither a choice nor a trend. It’s an obligation. And organizations must ensure that their workforce can access computer systems and apps securely, without risking of having their identity compromised due to hacks and data thefts, enabled by weak security, cover-ups or avoidable mistakes.