*Disclaimer: This article originally appeared on Forbes.*
With COVID-19 forcing organizations of all sizes to shift employees to remote work, some may be concerned their company’s cybersecurity measures are inadequate. Though COVID-19 is the most drastic recent example of necessitating working from home, it certainly won’t be the last. Hurricanes and other natural disasters often require employees to work remotely, just on a more localized scale.
Most organizations use a variety of technologies to ensure employees have the capabilities and programs they need when working remotely, such as virtual private networks (VPN) and virtual desktop infrastructure (VDI). However, these tools can introduce security risks to an organization due to a greater attack surface with less centralized control.
The traditional network perimeter strategy grants trust based on location and network. If a user is within a network, it’s automatically assumed that their connection is safe and secure. Users inside the network have trusted private IP addresses, while those working remotely have access to VPNs and also have trusted private IP addresses within the network. The problem with this model is that it often assumes that all employees use company devices on company networks. However, organizations now, especially in light of the COVID-19 outbreak, commonly adopt bring-your-own-device (BYOD) policies. This means more employees than ever are using their own devices to access company information, and they’re doing so from outside of the company network.
Companies have tried to combat the culture shift to remote working by implementing added security measures to critical or confidential information. Unfortunately, this only serves to create a false sense of security because hackers can and will exploit security gaps and weaknesses in other, less protected systems.
When evaluating company security, organizations should adopt a zero-trust approach to mitigate the cybersecurity risks that are all too real in today’s world. A zero-trust approach does not distinguish between internal or external users or devices; rather, it operates under the assumption that all users, endpoints and networks are untrusted and thus need to be verified.
Here are three tips on how to utilize a zero-trust approach to security:
1. Enforce Least Privileged Access
Enforcing the principle of least privilege means reducing access to the minimum number of systems a user requires for their job, for the least amount of time they need it, and then revoking that privilege or access once it’s no longer required. As many organizations manage access manually, following this principle can be a complicated and time-consuming process. However, there are solutions that help automate the enforcement of least privilege access.
For example, by leveraging self-service capabilities, users can request access to a system or application through an automated mechanism. From there, the business owner for the particular application or system reviews the access request and can either approve or deny it. If approved, the business owner should set a limit on how long the user has access. This way, escalated privileges are only granted for the minimum time required. A good rule of thumb is to ensure your most sensitive applications and data have the shortest time frames for elevated privileges to reduce risk.
One significant advantage of this practice is that the business owner doesn’t have to set a reminder to manually remove access; rather, access is automatically removed when the specified time frame expires. This principle also offers another critical benefit: Every request, grant, revoke or other access control action is auditable.
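As an added example (not code from the original article or from any product), the following Python models the self-service cycle just described: a user requests access, the business owner approves it with a time limit capped per resource, the grant expires on its own, and every action lands in an audit trail. The class and resource names (AccessBroker, payroll-db, wiki) are assumptions for illustration.

```python
"""Time-boxed, auditable access grants (illustrative, not a real product).
The clock is passed in as a timestamp so expiry can be checked deterministically."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Grant:
    user: str
    resource: str
    expires_at: float  # seconds since epoch, from the injected clock


@dataclass
class AccessBroker:
    # Per-resource ceiling on grant duration: the most sensitive resources
    # get the shortest window, as the article recommends.
    max_ttl: dict[str, float]
    grants: dict[tuple[str, str], Grant] = field(default_factory=dict)
    audit: list[tuple[float, str, str, str]] = field(default_factory=list)

    def _log(self, now: float, action: str, user: str, resource: str) -> None:
        self.audit.append((now, action, user, resource))

    def request(self, now: float, user: str, resource: str) -> None:
        # Self-service request: recorded, but grants nothing by itself.
        self._log(now, "request", user, resource)

    def approve(self, now: float, owner: str, user: str, resource: str, ttl: float) -> bool:
        # The owner must choose a window no longer than the resource's ceiling.
        ceiling = self.max_ttl[resource]
        if ttl <= 0 or ttl > ceiling:
            self._log(now, f"deny(ttl>{ceiling}s by {owner})", user, resource)
            return False
        self.grants[(user, resource)] = Grant(user, resource, now + ttl)
        self._log(now, f"grant({ttl}s by {owner})", user, resource)
        return True

    def has_access(self, now: float, user: str, resource: str) -> bool:
        # Expired grants are revoked at check time; nobody has to remember to do it.
        g = self.grants.get((user, resource))
        if g is None:
            return False
        if now >= g.expires_at:
            del self.grants[(user, resource)]
            self._log(now, "auto-revoke", user, resource)
            return False
        return True
```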
2. Leverage Privileged Access Management
Privileged access management (PAM) is a subset of access management that provides additional protection for privileged accounts. Typically, privileged accounts refer to administrative or “super user” accounts for systems, such as operating systems and directory services, and may also include databases and applications.
Through fine-grained access controls, PAM limits risk and verifies that the right users are equipped with appropriate access. Often, organizations implement PAM through password vaulting, a process that checks privileged passwords out to approved users and back in again, while continuously generating new, randomized passwords at a set interval. This process limits risk by ensuring no user has unfettered, standing access to privileged credentials.
3. Use Multifactor Authentication
With the known weaknesses in traditional username and password authentication, multifactor authentication (MFA) should be at the forefront of any zero-trust approach. MFA enables end users to use additional forms of authentication to safeguard businesses from unauthorized access and can even eliminate the use of passwords altogether.
When your workforce is working remotely, the need for robust yet user-friendly authentication is crucial. Modern MFA methods that leverage a user’s existing smartphone, like one-time password (OTP) soft tokens and push notifications, are convenient and secure methods for users working from home.
In addition, I recommend using flexible authentication policies that take contextual factors into account and adapt the level of authentication required to the level of risk involved. For example, an authentication policy can be set up so that more stringent authentication is required when working remotely than might be required when working in the office.
When a global crisis disrupts normal workflow, it shines a light on how important it is to implement security measures that keep company data safe no matter the circumstance. Taking a zero-trust approach to security will heighten security awareness within an organization, as well as drastically reduce the risk of a cyberattack.