Why strengthening password security is critical to permanent hybrid work
With nearly half of U.S. adults fully vaccinated, employees who worked remotely during the COVID-19 pandemic are starting to trickle back into offices. As they return though, many will face a different kind of workplace: one that consists of both in-office workers and remote workers.
Leaders and employees agree that this hybrid workforce should be the norm moving forward. In a recent survey from PwC, 68% of executives said that a typical employee should spend at least three days per week in an office. Meanwhile, 55% of employees said they wanted to work remotely at least three days per week once COVID-19 concerns go down.
While hybrid work offers many employee and employer benefits, it has also brought a set of well-known and well-discussed risks in securing systems and devices against cyberattacks. The erosion of the office perimeter, insecure Wi-Fi and email phishing are remote work lessons IT leaders are still learning to address properly. These risks present an array of challenges, but IT leaders must think beyond network and email security to ensure hybrid workforce continuity. They must also focus on something that gets far less attention: fixing password-related security issues. These issues show up most clearly as poor password hygiene and a lack of secure end-user verification at the IT help desk.
While these are problems in their own right, they are even more problematic for a permanent hybrid workforce.
How Did We Get Here?
While the shift to remote work created many cybersecurity challenges for companies of all sizes, the two most widely reported obstacles were tied to network and email security.
Being forced to use personal and public Wi-Fi networks essentially eradicated the traditional office security perimeter, which opened organizations’ internal networks and their security layers to increased cybersecurity risk. Meanwhile, email threats like phishing rose 64% in 2020, according to email management company Mimecast. Phishing is a common tactic for harvesting credentials to use in later attacks. And according to data from Arkose Labs, credential stuffing attacks surged, with more than 770 million identified in Q3 2020 alone.
A lot of focus has been devoted to combating these issues, and organizations have adopted several solutions. Historically, virtual private networks (VPNs) have been a popular solution for securing remote access; however, inherent vulnerabilities make them the target of many cyberattacks. It is common to use the Active Directory password to authenticate to the VPN, as was the case in the recent Colonial Pipeline ransomware attack. VPN risk is a primary reason 80% of organizations in a survey reported being more likely to evaluate software-defined perimeter (SDP) or zero-trust network access (ZTNA) solutions, since the pandemic created a greater need for remote access.
But in addressing these issues, IT leaders neglected the password security issues at the forefront of cyber risk. These issues threaten any environment, but they’re even more threatening to a permanent hybrid environment—the rise of bring-your-own-device (BYOD) policies and working from home has presented many organizations with insecure personal devices, and the FBI has seen a sharp rise in cybercrimes since the COVID-19 pandemic began.
Securing a traditional workforce and a hybrid workforce in a streamlined way that ensures continuity is a difficult task, but it is impossible without strong password protection and enforced user verification.
What Problems Do We Face?
Most companies don’t have standard password policies that enforce good password hygiene. Poor password hygiene is problematic in general: billions of passwords leaked in various hacking operations are freely available on the dark web, which is why a reused or common password is an easy target for credential stuffing.
The permanent hybrid workforce brings password concerns to light because of how vulnerable remote workers’ devices are. Sharing devices with others, or inadvertently connecting to a rogue access point or malicious network, significantly threatens an organization’s security: if a remote employee’s device is compromised, a bad actor can easily reach the organization’s network as well.
Retrieving or changing one’s password can also threaten permanent hybrid worker continuity on multiple levels. Many organizations require employees to initiate this process through their IT help desk, but without proper user verification policies in place, an unauthorized user could gain access to confidential data by impersonating an employee and calling that employee’s help desk.
This is a form of social engineering, and the increased volume of calls to IT help desks has left many of them susceptible to it. Since a help desk agent must confirm that a caller is the true owner of the account before issuing a new password, an enforced user verification policy ensures that an agent won’t inadvertently hand an unauthorized user access. User verification protects an organization’s data while also ensuring continuity between the in-office and remote parts of a permanent hybrid workforce.
IT help desk agents are strained as it is: 94% of company leaders in a global survey said technology problems had affected their employees and business while employees were working remotely.
A self-service password reset solution, however, removes the password reset task from IT help desks’ responsibilities. This helps ensure hybrid workforce success in a few ways. For one thing, it frees up the help desk to focus on the many other issues that remote workers and in-office workers will encounter at their jobs. It can also guard against social engineering schemes, because no agent is in the loop to be talked into resetting someone else’s password.
Adopting a self-service password reset solution also ensures that remote users and in-office users manage their passwords the same way. In doing so, it reinforces the permanent hybrid workforce as a unified working environment for remote workers and in-office workers.
What’s The Path Forward?
IT leaders face a few challenges when shifting to a hybrid work environment.
First, they must institute a sound password policy that safeguards remote devices as much as on-premises devices. Organizations such as the National Institute of Standards and Technology (NIST) have issued best practices for creating strong passwords that IT leaders can reference.
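To make the password policy point concrete, here is an added example (not Specops code, and not taken from the article) of a policy checker that applies the current NIST SP 800-63B guidance for memorized secrets: a minimum length with a generous maximum, rejection of values that appear in a breached-password list, rejection of context-specific words such as the username or company name, and rejection of repetitive or sequential runs, with no composition rules. The breached list and context words are constructed sample data; a real deployment would check against a full breach corpus.

```python
"""Password policy checker modelled on NIST SP 800-63B memorized-secret guidance.

Added example: the breached-password set below is a tiny constructed stand-in
for a real breach corpus, and the context words are constructed as well.
"""
import re
from dataclasses import dataclass, field

MIN_LENGTH = 8    # NIST minimum for user-chosen secrets
MAX_LENGTH = 64   # NIST says verifiers should permit at least 64 characters

# Constructed stand-in for a breach corpus; production checks use a full list.
BREACHED_PASSWORDS = frozenset({
    "password", "password1", "123456", "qwerty", "letmein", "Summer2021!",
})


@dataclass
class PolicyResult:
    accepted: bool
    reasons: list = field(default_factory=list)


def has_repetitive_run(pw: str, run: int = 4) -> bool:
    """True if any single character repeats `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters ascend or descend by one code point
    (e.g. '1234', 'abcd', 'dcba'); case-insensitive."""
    lowered = pw.lower()
    for i in range(len(lowered) - run + 1):
        window = [ord(c) for c in lowered[i:i + run]]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw: str, context_words=(), breached=BREACHED_PASSWORDS) -> PolicyResult:
    """Evaluate a candidate password and return every reason it fails, so the
    user (or a self-service reset portal) can be told exactly what to change."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if pw in breached:
        reasons.append("appears in breached-password list")
    lowered = pw.lower()
    for word in context_words:
        # Short context words would match too much, so only consider 3+ characters.
        if len(word) >= 3 and word.lower() in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    if has_repetitive_run(pw):
        reasons.append("contains a run of 4+ repeated characters")
    if has_sequential_run(pw):
        reasons.append("contains a sequential run such as 1234 or abcd")
    return PolicyResult(accepted=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed candidates: company name 'acme' and username 'jdoe' as context words.
    for candidate in ["Summer2021!", "Acme!Rocks99", "abcd9xyz", "correct horse battery staple"]:
        result = check_password(candidate, context_words=("acme", "jdoe"))
        print(f"{candidate!r}: {'accepted' if result.accepted else 'rejected'} {result.reasons}")
```

Note what this policy does not do: it imposes no uppercase/digit/symbol composition rule and no forced rotation, both of which NIST dropped because they push users toward predictable patterns. The breached-list check is what actually counters the dark-web password dumps mentioned above.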
IT leaders must also enforce their cybersecurity measures to prevent bad actors from using social engineering to gain unauthorized access to their organization’s data. Creating and enforcing an end-user verification policy for their IT help desks can help them guard against social engineering scams like employee impersonation.
Lastly, they must support their IT help desks so that they can adequately address both in-office and remote work issues. Implementing a self-service password reset solution can relieve them of part of their workload while also securing password changes against cyberattacks.
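The help desk verification policy described above can be enforced in software rather than left to an agent’s judgment. The following added example (not Specops code, and not from the article) models out-of-band caller verification: before a reset is allowed, a one-time code is sent to the contact the user enrolled in advance, and the agent may only proceed once the caller reads it back, within a time limit and a bounded number of attempts, with every step written to an audit trail. The user directory and the message transport are constructed; a real system would send the code through a registered mobile number or an enrolled authenticator app.

```python
"""Out-of-band caller verification for help desk password resets.

Added example: DIRECTORY is a constructed user-to-contact mapping, and the
`send` callable is whatever transport the deployment uses (here a recorder).
"""
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed directory: username -> enrolled out-of-band contact.
DIRECTORY = {"jdoe": "+1-555-0100"}

CODE_TTL_SECONDS = 300   # code is valid for five minutes
MAX_ATTEMPTS = 3         # then the caller has to start over


@dataclass
class Challenge:
    username: str
    code: str
    issued_at: float
    attempts: int = 0


class HelpDeskVerifier:
    def __init__(self, send):
        self.send = send          # callable(contact, message)
        self.challenges = {}      # username -> outstanding Challenge
        self.audit = []           # (event, username) tuples for review

    def start(self, username, now=None):
        """Issue a fresh code to the user's enrolled contact. Unknown users get no
        code, so a caller cannot use this step to probe which accounts exist."""
        if username not in DIRECTORY:
            self.audit.append(("start_denied", username))
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.challenges[username] = Challenge(username, code, now or time.time())
        self.send(DIRECTORY[username], f"Help desk verification code: {code}")
        self.audit.append(("challenge_sent", username))
        return True

    def verify(self, username, claimed, now=None):
        """Return True only if the caller read back the current code in time and
        within the attempt budget; the code is single-use either way."""
        ch = self.challenges.get(username)
        if ch is None:
            self.audit.append(("no_challenge", username))
            return False
        now = now or time.time()
        if now - ch.issued_at > CODE_TTL_SECONDS or ch.attempts >= MAX_ATTEMPTS:
            del self.challenges[username]
            self.audit.append(("challenge_expired", username))
            return False
        ch.attempts += 1
        # Constant-time comparison so response timing leaks nothing about the code.
        if hmac.compare_digest(ch.code, claimed):
            del self.challenges[username]
            self.audit.append(("verified", username))
            return True
        self.audit.append(("wrong_code", username))
        return False


if __name__ == "__main__":
    outbox = []
    verifier = HelpDeskVerifier(lambda contact, msg: outbox.append((contact, msg)))
    verifier.start("jdoe")
    code = outbox[-1][1].split()[-1]   # in practice the caller reads this to the agent
    print("reset allowed:", verifier.verify("jdoe", code))
    print("audit:", verifier.audit)
```

The design point is that the agent never decides on their own whether the caller sounds legitimate: the reset is gated on possession of a contact the real employee enrolled earlier, and the audit list gives the security team a record to review when an impersonation attempt is suspected.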
Organizations across the world are trailblazing an exciting new frontier in implementing a hybrid work environment across their workforces. Network and email security are important for IT leaders to address in charting this new course. But focusing on improving password security to maximize workforce continuity will significantly help IT leaders successfully transition into making a permanent hybrid workforce their new normal.
About the author: Darren James is a Product Specialist and cybersecurity expert at Specops Software. He works as a lead IT engineer to help customers reduce costs, improve security and increase productivity. He holds Microsoft certifications within IT Service Management, O365, Enterprise Administrator, Server Administrator and Security. Darren has more than 25 years of experience working in technical IT roles, centering around Active Directory, IT security, cloud, larger-scale migrations, integrations and identity and success management.