GRC Tuesdays: Securing Operations During Increased Disruption
As 2020 has highlighted, working from home is no longer a perk for employees but a necessity in some circumstances. As a matter of fact, 74% of Chief Financial Officers surveyed by Gartner expect that some of the employees who were forced to work remotely during the crisis will continue to do so in the longer term, even when things revert to normal.
And Gartner is not the only one hearing this: I can't count the number of companies across the globe that have publicly made similar statements in the last few months.
Nevertheless, this is easier said than done. Many companies were forced to make this decision rapidly when restrictions and lockdowns were declared, and this has had unexpected consequences, such as a surge in cyberattacks. While most people are wary of security when working from public places like cafés or airports, there seems to be a sense of safety in being at home. Nothing bad can happen from home, right?
Unfortunately, this is not always the case. And should companies decide to make remote working more permanent, they will need to ensure that it is done in a low-risk, compliant and efficient manner, so that their employees are as productive remotely as they are in the office.
Access Governance and Security Reinforced During Disruption
In order to scale and support a growing remote workforce, I believe companies will need to centralize the identities and authentication of all users: permanent employees, but also people on temporary assignments, for instance to cover for ill or quarantined colleagues.
This includes managing the elevated access that so-called "superusers", administrators or even contractors may need temporarily to maintain or troubleshoot a live system. To do so, IT security departments will need to grant access that is limited to the right scope and the right time window, and they will also need to be able to monitor and review what has been performed in the system with these elevated rights.
Doing so will help the company achieve 3 objectives:
- Remain compliant by ensuring that segregation of duties (SoD) conflicts are duly identified and mitigated
- Reduce the risk of internal or external fraud by ensuring that only the right level of access is provided and that excessive authorizations are managed adequately
- Improve efficiency by simplifying and even automating access requests based on HR triggers, so that users who change roles or teams, or take on a temporary assignment, are not left waiting and can be productive straight away with their new authorizations (while the authorizations they no longer need are removed)
Efficiency is actually one of the key aspects here, in my opinion. Indeed, a user can only be productive if they are given access to the right tools to perform a task. And that is what I meant by giving users the right level of authorization straight away when they change roles.
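The first two objectives above (identifying SoD conflicts and keeping authorizations to the right level) come down to a ruleset check over who holds which business functions. The following is an added illustration, not code from the original post or from any GRC product; the roles, functions, SoD rules and users are constructed. It also shows the "embedded risk analysis" on an access request: previewing which new conflicts a requested role would introduce before it is provisioned.

```python
"""Segregation-of-duties (SoD) analysis over role assignments.

Added illustration, not code from the original post or from any
GRC product. All roles, functions, rules and users are constructed.
"""
from dataclasses import dataclass

# Constructed: the business functions each technical role grants.
ROLE_FUNCTIONS = {
    "AP_CLERK":   {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_invoice", "release_payment"},
    "HR_ADMIN":   {"maintain_employee", "run_payroll"},
    "READ_ONLY":  {"display_vendor"},
}

# Constructed SoD ruleset: rule id -> (function A, function B, risk level).
# One person holding both functions is a conflict.
SOD_RULES = {
    "R01": ("create_vendor", "release_payment", "high"),
    "R02": ("enter_invoice", "approve_invoice", "high"),
    "R03": ("maintain_employee", "run_payroll", "medium"),
}
RISK_WEIGHT = {"high": 10, "medium": 5, "low": 1}

# Constructed sample: current assignments and accepted compensating controls
# (a mitigation marks the conflict as reviewed; it does not remove it).
ASSIGNMENTS = {
    "alice": ["AP_CLERK", "AP_MANAGER"],   # conflict spread over two roles
    "bob":   ["AP_CLERK", "READ_ONLY"],
    "carol": ["HR_ADMIN"],                 # conflict embedded in one role
}
MITIGATIONS = {"carol": {"R03"}}           # e.g. monthly payroll review by CFO


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str
    functions: tuple
    level: str
    via_roles: tuple
    mitigated: bool


def granted_functions(roles):
    """Map each function a user holds to the roles granting it."""
    granted = {}
    for role in roles:
        for fn in ROLE_FUNCTIONS.get(role, ()):
            granted.setdefault(fn, set()).add(role)
    return granted


def analyze(assignments, mitigations):
    """Return one Finding per (user, violated rule)."""
    findings = []
    for user, roles in assignments.items():
        granted = granted_functions(roles)
        for rule_id, (fa, fb, level) in SOD_RULES.items():
            if fa in granted and fb in granted:
                findings.append(Finding(
                    user=user, rule=rule_id, functions=(fa, fb), level=level,
                    via_roles=tuple(sorted(granted[fa] | granted[fb])),
                    mitigated=rule_id in mitigations.get(user, set()),
                ))
    return findings


def residual_risk(findings):
    """Score only conflicts that have no accepted compensating control."""
    return sum(RISK_WEIGHT[f.level] for f in findings if not f.mitigated)


def preview_request(assignments, mitigations, user, new_role):
    """Embedded risk check for an access request: which NEW conflicts would
    granting `new_role` to `user` introduce? Run before provisioning."""
    before = {(f.user, f.rule) for f in analyze(assignments, mitigations)}
    proposed = dict(assignments)
    proposed[user] = list(assignments.get(user, [])) + [new_role]
    return [f for f in analyze(proposed, mitigations)
            if (f.user, f.rule) not in before]


if __name__ == "__main__":
    findings = analyze(ASSIGNMENTS, MITIGATIONS)
    for f in findings:
        status = "mitigated" if f.mitigated else "OPEN"
        print(f"{f.user}: {f.rule} {f.level} via {f.via_roles} [{status}]")
    print("residual risk score:", residual_risk(findings))
    new = preview_request(ASSIGNMENTS, MITIGATIONS, "bob", "AP_MANAGER")
    print("bob + AP_MANAGER would add:", [f.rule for f in new])
```

Two points worth noticing in the output: carol's conflict comes from a single role, which is a role design problem rather than an assignment problem, and bob's request for AP_MANAGER would be flagged before anything is provisioned, which is what lets the HR-triggered automation stay fast without becoming a source of new SoD violations.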
But there is another facet here: most tools require secure authentication. And since passwords have been identified as one of the weakest links in the security chain, all business-critical solutions will require a complex password. In some cases, access will only be granted if the user can provide two or more proofs of identity. This is a Multi-Factor Authentication (MFA) approach, and one that is increasingly adopted to limit attackers' opportunities to reach valuable assets.
According to some reports, the average user needs 5 or more passwords to access all the systems they use on a regular workday. This does not include MFA, so each login could actually involve more than a passphrase, for example an additional one-time code from an authenticator app or token. (Note that a second memorized secret such as a PIN is still a knowledge factor; to count as a separate factor, the second proof must be of a different kind, such as something the user has or is.)
Let's add another weight to the balance: for security reasons, as I am sure you are well aware, many corporate policies still require every password to be changed at least four times a year. (Current NIST guidance in SP 800-63B actually recommends against forced periodic rotation, favouring a change only when compromise is suspected, but quarterly expiry remains common in practice.)
This results in 2 outcomes:
- There is a direct productivity impact for employees who must log on to these solutions: they need to remember many different and complex passwords, enter them, and then wait for the solution to launch. This process is estimated at an average of 12 seconds per logon. That does not seem like a lot, but take those 12 seconds, multiply them by the number of systems a user needs to access in a typical day, then by the average number of workdays per year, and finally by the employee's daily rate, and the figure starts to become a real burden. And that is before forgotten or mistyped credentials!
- Erroneous credentials, which brings me to the fact that between 20% and 50% of all help desk calls are for password resets. It is worth noting that the average help desk labour cost for a single password reset is about 15€.
Together, these 2 unwelcome outcomes directly impact the company both financially and operationally.
Thankfully, there are options to reduce or even remove this burden from both the employee and the support centre, for instance Single Sign On (SSO) solutions. Interestingly, in addition to increased productivity, Single Sign On also brings a security benefit: since users only have to remember one credential, a strong password policy (and MFA) can be enforced on it without the usability cost of applying it to every application separately. The flip side is that this one credential now unlocks everything, so protecting the SSO identity provider itself, with MFA and monitoring of its logins, becomes essential.
Securing Operations During Increased Remote Collaboration
CFOs, but also Compliance & Risk Managers, need to minimize the impact of the crisis, maintain business continuity and enable the company to emerge from uncertain times even stronger. The question then becomes: how do they sustain remote working capacity, keep confidence in access security at extended scale, and lower the cost of digital identity and user profile management across multiple landscapes, all at the same time?
This is where I think an end-to-end access governance approach helps answer this question, with the following capabilities:
Access Analysis where the intent is to detect and remediate segregation of duties and critical access risks by:
- Identifying risks by process, user, or role
- Visualizing risk scoring and trending
- Remediating high-impact issues and improving security
Role Design to define and maintain compliant roles in business-friendly terms and language by:
- Creating business roles based on organizational functional requirements
- Tuning roles based on machine learning algorithms
- Reducing the number of roles necessary to manage access
Identity Lifecycle to automate user provisioning across landscapes with embedded risk analysis by:
- Enabling seamless access requests and provisioning across hybrid landscapes
- Providing intuitive, easy-to-use guided access request process
- Automating access request approval and provisioning based on HR events, as mentioned earlier in this blog
Access Certification to improve transparency and accuracy of periodic access assignments by:
- Ensuring correct access as people move teams or leave the company
- Reducing possible audit findings and improving security
- Reducing risk through proactive engagement with business process owners to review access
Privileged Access to centrally manage critical or temporary access by:
- Using time-limited privileged access for faster incident resolution while keeping critical access under monitoring
- Integrating check-out of superuser accounts with monitoring and activity logging
- Streamlining monitoring and oversight with automated reviews
Single Sign On to authenticate users and enable a secure, seamless experience by:
- Improving productivity by eliminating multiple authentication procedures
- Giving users one credential to remember and enforcing strong password policies on it
- Minimizing password-related helpdesk calls
Monitor Landscape to rapidly identify anomalous user activity as an indicator of potential cyber crime by:
- Finding application-specific threats related to attacks by using attack detection patterns
- Analyzing vast quantities of log data and correlating information to get a complete picture of landscape activities
- Conducting investigations based on generated alerts
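The Privileged Access and Monitor Landscape capabilities above meet in one control: every action taken with a checked-out superuser ID must be tied to an approved session and ticket, and anything that falls outside that window is an alert, not just a log line. The following is an added illustration, not code from the original post or from any GRC or SIEM product; the check-out records, log format and log lines are constructed. It produces both the alerts a monitoring team would act on and the per-ticket activity report the session owner's manager reviews afterwards, which is the "review what has been performed" requirement from the first section.

```python
"""Review of privileged ("firefighter") activity against check-out records.

Added illustration, not code from the original post or from any GRC or
SIEM product. Check-out records and log lines below are constructed.
"""
from datetime import datetime

# Constructed check-outs: who took which superuser ID, for which ticket,
# and the approved time window.
CHECKOUTS = [
    {"ff_id": "FF_BASIS_01", "owner": "dana", "ticket": "INC-1042",
     "start": "2020-09-14T18:00:00", "end": "2020-09-14T20:00:00"},
]

# Constructed activity log, one event per line: timestamp|account|action|object
ACTIVITY_LOG = """\
2020-09-14T18:12:31|FF_BASIS_01|CHANGE_PARAMETER|password_min_length
2020-09-14T18:40:02|FF_BASIS_01|RESTART_SERVICE|batch_scheduler
2020-09-14T21:05:47|FF_BASIS_01|CREATE_USER|svc_backup2
2020-09-14T21:06:10|FF_BASIS_01|ASSIGN_ROLE|svc_backup2:ADMIN_ALL
2020-09-15T09:30:00|FF_BASIS_02|DISPLAY_TABLE|USER_MASTER
"""

# Detection pattern: actions that change who can do what, or weaken a
# security setting, always get a human review even inside an approved session.
HIGH_RISK_ACTIONS = {"CREATE_USER", "ASSIGN_ROLE", "CHANGE_PARAMETER"}


def parse_log(text):
    """Parse the pipe-delimited constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, account, action, obj = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "action": action, "object": obj})
    return events


def covering_checkout(event, checkouts):
    """The check-out whose ID and approved window cover this event, or None."""
    for c in checkouts:
        if (c["ff_id"] == event["account"]
                and datetime.fromisoformat(c["start"]) <= event["ts"]
                <= datetime.fromisoformat(c["end"])):
            return c
    return None


def review(events, checkouts):
    """Return (alert_type, event) pairs.

    NO_CHECKOUT      privileged ID used with no approved session covering it
    REVIEW_REQUIRED  high-risk action performed inside an approved session
    """
    alerts = []
    for e in events:
        c = covering_checkout(e, checkouts)
        if c is None:
            alerts.append(("NO_CHECKOUT", e))
        elif e["action"] in HIGH_RISK_ACTIONS:
            alerts.append(("REVIEW_REQUIRED", e))
    return alerts


def session_report(checkouts, events):
    """Per ticket, what was actually done with the checked-out ID
    (the record the session owner's manager signs off on)."""
    report = {c["ticket"]: [] for c in checkouts}
    for e in events:
        c = covering_checkout(e, checkouts)
        if c is not None:
            report[c["ticket"]].append(f"{e['action']} {e['object']}")
    return report


if __name__ == "__main__":
    events = parse_log(ACTIVITY_LOG)
    for kind, e in review(events, CHECKOUTS):
        print(f"{kind:16} {e['ts'].isoformat()} {e['account']} "
              f"{e['action']} {e['object']}")
    for ticket, actions in session_report(CHECKOUTS, events).items():
        print(ticket, "->", actions)
```

In the constructed sample, the two actions at 21:05 and 21:06 are exactly the pattern the comment thread below worries about: the firefighter ID creates a new user and hands it a broad role an hour after the approved window closed. Without the check-out record to compare against, these would look like routine administration; with it, they are the first alerts a monitoring team should open.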
What about you, how does your company secure its operations – especially for remote workforce? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard
Thank you for a great blog, and I agree it is very relevant for any environment with remote working users. What is your view on improving data protection? Maybe even dynamic data protection, to ensure remote users need additional authentication to access sensitive data outside the company domain.
Thank you for your message!
You make a very good point: in addition to the typical Role-Based Access Control (RBAC) mentioned in this blog, Attribute-Based Access Control (ABAC), including geographical access policies for instance to comply with data privacy and protection regulations, can further strengthen a company's data protection process and make it "dynamic", as you correctly suggested. What about you, what else would you recommend?
I think one of the areas I would recommend companies focus on, especially with remote workers, is changes in behavior. Studies show that RDP (remote desktop protocol) is being used extensively for cyber attacks. As the average time for containing such attacks is around 280 days, I think it is key that there is a laser focus on the slightest deviation, both within the ongoing business transactions but also around the actual application: interfaces, execution of critical functions and so forth. The reason for this laser focus is that companies of course need to look at preventing a cyberattack, but the mindset needs to change in my view. Companies need to think: we have been attacked, we have been breached, how can we identify this as early as possible and start mitigating/remediating? They need to be faster than humans to detect these anomalies, and the earlier they can identify an attack, the earlier they can contain it; shortening the 280 days to, say, 7 days will reduce the risk and extent of an attack significantly.
That said, many times broad access or broadening access is used as an enabler for launching attacks. This also means that if there are no proper controls in place, once you have the access, you can do whatever you want. So even internal controls play a central role in your security defenses, as these ensure that the four-eyes principle or workflow approval processes cannot be circumvented.
Those would be my initial recommendations.
Thank you, Bo, for your detailed reply. I couldn't agree more.
I think the IT Security department's mantra should be: "Don't Behave Like a Hacker, But Think Like One".
MFA is going to be a big step forward for my company, as we are seeing a huge uptick in phishing attacks, some of them successful. Emails aren't read only on laptops/workstations anymore. They are read on tablets and phones, so the phishing can be deceptive to the untrained eye.