[BreachExchange] Four tips for keeping security worries away this summer

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jul 6 15:32:09 EDT 2018


https://www.helpnetsecurity.com/2018/07/06/tips-security-worries/

As the summer weather heats up, so does the desire to cut out of the office
early and finish the workday from the park, a local pub patio or maybe the
family cottage.

Now is the time where many of us take advantage of the ability to work
remotely – using portable devices and free Wi-Fi or mobile hotspots to stay
connected. While many managers are fairly flexible on this type of ‘perk’
if the position allows, IT security experts understand that it comes with
some risk. To offset this, steps should be taken to ensure data and access
are secure while at work, home or on the go.

Consider working remotely. Where do you start? The first thing you’re going
to do is to sign into email or your white-listed business application of
choice to access the files you need to do your job. Doing so in the office
versus doing so on a busy summer patio poses different threats. Still,
there are a couple of steps organizations can take to keep remote employees
happy, while maintaining security. Here are four main ones to consider:

1. “Just enough” access

Whether it’s the summer vacation season or the middle of winter, this tip
still applies. Limit the access entitlements that employees have to only
what they need to do their jobs and nothing more. This sounds
straightforward and simple, but it’s often a surprise how much access
employees can accumulate.

Often referred to as ‘access creep,’ this is the additional
access employees have received over time that was never turned off. This
could be due to a previous role in another department or a special project
the employee worked on. The idea here is that if employees only have the
bare minimum of access and nothing more—should something happen and an
employee’s access is compromised somehow—the risk to the company is lower
than it would have been otherwise.

2. “Only when needed” access

There are going to be roles that require elevated access to important data,
as it’s the nature of business. But there are things organizations can do
to limit that access by putting extra protections in place so that the
access is only granted when necessary.

A single sign-on solution is great for enabling employees to be able to
access various applications from one simple location, but implementing a
risk-based authentication that requires additional authentication if
certain parameters are detected will help ensure additional safety measures
are in place. For example, when the employee is detected in the office,
they can click in without issue. When they are trying to access that
application from elsewhere on their personal network though, additional
authentication will be required to make certain they truly are who they say
they are.

3. “Sorry, not now” access denial

In the same vein as the ‘only when needed’ access scenario, there may be
situations or applications that organizations are going to decide they do
not want to allow any access to outside of their strict controls. Through
the use of an advanced authentication tool with Geo-Fencing included,
organizations can configure a policy to limit access to only those users in
the allowed location.
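
Tips 2 and 3 can be read as one policy decision made at sign-in. The sketch below is an added example, not code from the article or from any product; the office network range, fence coordinates, app names and the `decide` function are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Constructed policy values (assumptions for illustration only).
OFFICE_NETS = [ipaddress.ip_network("203.0.113.0/24")]      # RFC 5737 range
FENCE = {"lat": 43.6532, "lon": -79.3832, "radius_km": 50}  # allowed location
GEOFENCED_APPS = {"payroll"}                                 # tip 3 applies

@dataclass
class Request:
    app: str
    source_ip: str
    lat: Optional[float] = None   # None when the client reports no location
    lon: Optional[float] = None
    mfa_done: bool = False

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def in_office(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False              # unparseable address: treat as untrusted
    return any(addr in net for net in OFFICE_NETS)

def inside_fence(req):
    if req.lat is None or req.lon is None:
        return False              # fail closed when location is unknown
    return km_between(req.lat, req.lon, FENCE["lat"], FENCE["lon"]) <= FENCE["radius_km"]

def decide(req):
    """Return 'allow', 'step_up' (ask for extra authentication) or 'deny'."""
    if req.app in GEOFENCED_APPS and not inside_fence(req):
        return "deny"             # tip 3: no access outside the allowed location
    if in_office(req.source_ip) or req.mfa_done:
        return "allow"            # tip 2: office network, or step-up already passed
    return "step_up"
```

The geo-fence check runs first, so completing the extra authentication step never overrides a location denial.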

4. “I forgot my password” access

There’s nothing more frustrating than trying to get something done so you
can sign off for the day and getting hit with a password request. For
example, consider trying to access a previous application you were working
in to upload work (e.g. Box, Dropbox), and you are asked to enter a
password you don’t remember.

In the case of remote working, due to some of the tips I described above,
it’s not uncommon to be asked for that password once you’re out of your
network. However, unless you’re used to working remotely and can recall it
on the fly, it can be a real inhibitor of getting work done when you’re not
at the office. This is where a self-service password reset tool is not only
a godsend for the end user, but it also alleviates calls to the help desk
and can increase security. The reason for this is that customized—or
pre-written—challenge questions are more secure than verifying a user’s
identity on the phone before resetting a password or unlocking an account.

We should all be allowed to enjoy some fun in the sun this vacation season.
By incorporating some—or all—of these strategies, organizations can better
prepare themselves for the inevitable summer ‘WFH’ requests and allow their
employees to do just that. In doing so, companies will achieve a more
secure environment for their employees who plan on sneaking in some
much-needed family time.