From Security Risk to Security Asset: How Users Can Become the Strongest Link in Your Security Chain

The recent and sudden shift to mandatory remote work put new pressure on IT teams.

Tasked with figuring out how to enable end users to do their jobs from anywhere, they also needed to ensure that company data remained secure. An organization’s ability to safeguard business data and systems is essential. Data breaches—whether exposures of private customer information or trade secrets or attacks that disrupt operations—result in unexpected costs and may cause reputational damage that’s difficult to repair.

An organization’s own users present a significant challenge to maintaining security, especially in the age of COVID-19. Entrust Datacard reported 45 percent of workers received a COVID-19-related email from an unknown sender. Even more concerning, nearly one-quarter of employees say they’ve clicked on a link from one of these unknown senders prior to determining the link’s legitimacy, while only 36 percent deleted the email and just 12 percent reported the email. A recent report found Google registered an increase of 350 percent in active phishing websites from January to March 2020.

Beyond being inundated with phishing attempts, staffers struggle to simply manage an ever-growing number of passwords and log-in credentials. The average person has 70-80 passwords. It’s no surprise that users aren’t diligent about best practices for creating, maintaining, and protecting their identity.

While we’re all navigating the new remote work norm, it’s a particularly opportune time to educate users about identity management, how to best protect against phishing schemes, and how to evaluate solutions that shift the burden of security from the user to technology. You can’t protect against every vulnerability, but you can shift users from security risks to security assets with these three efforts:

1 – Educate users.

The computer password has been around since 1960. Despite industry advancements in these seven decades, the password remains the foundation for most organizations. But longevity isn’t a sign of efficacy; if allowed, users are often lax about password hygiene as part of their identity management. More than half of employees don’t think sharing work-related logins represents a risk to their place of employment. Nearly a third of those who had shared theirs reported that they did so because their manager had asked. Much of what IT and security teams think of as good identity management practices may not be nearly as accepted, or as understood, as it might seem. Consider adding a regularly scheduled short training that reminds users about basic security requirements and highlights any developments, new processes, or company policies that may require a different approach.

2 – Eliminate the frustration associated with passwords.

The convenience of a memorized or stored password is too often sacrificed in the name of robust security. Log-in processes that demand too much effort or add multiple steps naturally tempt users to try shortcuts. Some organizations have switched to biometric models, like face recognition and fingerprint confirmation. But reports of biometric data leaks and issues around worker privacy have limited their widespread adoption.

Instead of replacing the password, organizations should seek to make its use as efficient and user-friendly as possible. Single sign-on (SSO) solutions reduce the time and effort required to log in, allowing users to consolidate authentication across many applications into a single input. If you’re asking users to juggle multiple programs, systems, networks, and more, think about how an SSO solution might make their lives easier and your business more secure.

3 – Centralize identity wherever the worker is.

From the advent of the password until recently, when SaaS solutions disrupted the entire IT environment, much of the industry’s focus had been on a secure perimeter around a domain, or physical structure. The coronavirus pandemic decentralized IT operations; organizations increasingly accept that now is the time for a domainless enterprise, one where the perimeter is tied not to a single or small number of locations, but is instead connected to every worker, no matter where that individual logs in. Now that distributed and remote workforces are the norm and likely here for the foreseeable future, enabling identity management at the device level is a critical element of modern security.

Device-based identity solutions offer the convenience of a single sign-on for applications, programs, systems, and networks, while simultaneously encouraging rigorous security practices by consolidating all identity management into one easy interface, on the user’s device. With a single click on their device, users can sign on or change their credentials; any changes then get pushed out automatically and instantaneously to all of their bound resources.

The technology to enable better and easier security is there, but more critically, users are open to risk. Seventy-two percent of employees say they are more conscious about their employers’ cybersecurity standards since being dispatched to remote work. The risks of inadequate password management, insufficient training, phishing, and other security threats can be mitigated by better education and tools.

About the Author

Brandon Hawkins is group product manager at JumpCloud, the world’s first Directory-as-a-Service®. Prior to JumpCloud, Brandon served as Head of Product at Artifact Uprising, and led a number of product teams at Storyblocks.

Featured image: ©DragonImages