May 15th, 2020
Written by: Dawn Mallyon
Remote work has achieved a new peak so far in 2020. Some 62% of employed Americans said they have worked from home during the COVID-19 crisis. This large-scale experiment will have a lasting impact, as 74% of CFOs surveyed by Gartner expect at least some of the workers pushed remote by the virus will continue to work from home even after offices reopen.
Not surprisingly, the sudden transition to remote work hasn’t been entirely smooth. Companies are still dealing with a number of issues, from security to maintaining productivity. Others (us included!) are facing new challenges such as setting up employees on operating systems outside the company norm. Access to the applications and data employees need to do their work can be particularly fraught. Here’s how to get a handle on four of the most common login issues companies are experiencing right now.
1. Secure logins from attackers
Many companies have adopted or expanded use of SaaS applications, or are using virtual desktop infrastructure (VDI) to get everyone working from home, but these options often have public-facing login pages that could put your organization at risk. Increased access means more risk and more opportunity for external attackers, who may try to guess passwords or obtain them through social engineering.
There are a few ways to ensure your credentials remain secure despite public login pages:
- Externalize login screens. Rather than having a public-facing login page for every SaaS application, you can consolidate them on a single platform so users have one login page for a single sign-on that’s more secure.
- Add multi-factor authentication (MFA). This should be standard practice, but many organizations and users still haven’t adopted it. Only 57% of organizations were using MFA at the end of 2019, and while that’s up 12% over 2018, it’s still low. Implement an MFA technology, preferably via a smartphone app, to add an extra layer of protection.
- Don’t ask for passwords first. The same goes for PINs and answers to security questions. These factors can be easy to guess. Require employees to use a hardware token, enter a PIN sent to their phone, or use a smartphone app to confirm they’re authorized before you ask for a password.
- Consider using CAPTCHAs. By making this the first step in authentication, you can ensure it’s a human attempting to sign in, not a bot programmed to attack the page.
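The "don't ask for passwords first" ordering can be enforced in the login flow itself. The sketch below is an added example, not code from the original article: the account data, class and function names are constructed for illustration, and the smartphone-app factor is modeled as an RFC 6238 TOTP code.

```python
import hashlib, hmac, struct

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the code an authenticator app displays."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed sample account; a real deployment reads this from its identity store.
SALT = b"constructed-salt"
USERS = {"alice": {"totp_secret": b"constructed-secret-1",
                   "pw_hash": hash_password("correct horse", SALT)}}

class LoginSession:
    """Two-step login: possession factor first, password second."""
    def __init__(self, username: str):
        self.user = USERS.get(username)
        self.possession_ok = False
        self.password_checks = 0  # guesses that actually reached the password verifier

    def submit_code(self, code: str, now: float) -> bool:
        if self.user is None:
            return False
        # Accept the current and previous time step to tolerate clock drift.
        expected = [totp(self.user["totp_secret"], now - d) for d in (0, 30)]
        self.possession_ok = any(
            hmac.compare_digest(code.encode(), e.encode()) for e in expected)
        return self.possession_ok

    def submit_password(self, password: str) -> bool:
        if not self.possession_ok:
            return False  # password is never evaluated, so it cannot be guessed here
        self.password_checks += 1
        return hmac.compare_digest(hash_password(password, SALT), self.user["pw_hash"])
```

Because `submit_password` refuses to run the comparison until the possession step has passed, a bot hitting the public page gets no signal about whether a guessed password is right.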
2. Enable remote password assistance
There are several issues that companies can run into specifically around passwords. If you haven’t experienced them already, look for:
- Expiring or expired passwords. Off-site users may not receive notification that their passwords are expiring if they’re not using a VPN. The passwords will still expire even if the user doesn’t know it’s happening. Consider other ways to notify users of expiring passwords and give them the opportunity to update their credentials remotely. Another option is to temporarily delay the expiration until the office reopens.
- Forgotten passwords. This is usually an easy problem to solve when a user can visit a help desk and their computer is connected to the corporate network. But with employees remote, forgotten passwords can become a bigger issue and even leave users with inoperable devices. Make sure you have some kind of remote mechanism to reset forgotten passwords.
3. Tighten access after layoffs and furloughs
If you’re one of the many organizations that has had to furlough or lay off workers in the uncertain economic climate, you’ll have to close off their access either temporarily or permanently. There are a couple of ways to do this. You can create a request and approval workflow in which you deactivate login IDs and set a status for each user. For permanent layoffs, you’ll need to take additional steps to move and archive that user’s content.
The other option is to automate the process based on certain data and criteria, which can be set up in an identity and access management tool. When furloughed workers return, it’s just a matter of reversing the process to get them back up and running.
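One way to express that automation is a reconciliation job that compares an HR status feed against the account directory. This is an added example, not code from the original article or from any particular identity and access management product; the status names, the `POLICY` table and the `Account` type are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Account:
    login: str
    enabled: bool = True
    archived: bool = False

# Constructed policy: what each HR status means for the account.
POLICY = {
    "active":     {"enabled": True,  "archive": False},
    "furloughed": {"enabled": False, "archive": False},  # reversible
    "terminated": {"enabled": False, "archive": True},   # permanent
}

def reconcile(hr_feed: dict[str, str], accounts: dict[str, Account]) -> list[tuple[str, str]]:
    """Apply the policy and return the (login, action) pairs taken.

    Running it twice on the same feed changes nothing the second time.
    """
    actions = []
    for login, acct in sorted(accounts.items()):
        rule = POLICY.get(hr_feed.get(login, ""))
        if rule is None:
            # No HR record or an unknown status: flag for a human, change nothing.
            actions.append((login, "review"))
            continue
        if acct.archived:
            continue  # never auto-revive an archived identity
        if acct.enabled != rule["enabled"]:
            acct.enabled = rule["enabled"]
            actions.append((login, "enable" if acct.enabled else "disable"))
        if rule["archive"]:
            acct.archived = True  # stands in for moving and archiving the user's content
            actions.append((login, "archive"))
    return actions
```

Returning a furloughed worker to `active` in the feed re-enables the account on the next run, while an archived account stays closed until someone restores it deliberately.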
4. Follow best practices for vendor access
Just like you, your vendors are probably working from home. When you need IT work done, you’ll need to grant them remote access.
Make sure you’re following best practices for granting elevated access to third-party users:
- Designate a point person. One trusted user from every vendor should be in charge. Appoint that person to manage the short list of users from their company who need access to your systems.
- Keep vendors off your VPN. Don’t allow your vendors to connect their devices to your VPN. Use another method so you can keep the vendor’s device outside the network perimeter and reduce your attack surface. For example, use a proxy server for vendor devices to safely communicate with your servers without directly connecting to your network.
- Double check they’re still employed. Any time a vendor logs in, double check they still work for that company. One way to do this is sending a PIN to their work email that they must enter to log in. If they no longer work for that vendor, they won’t have access.
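The work-email PIN check from the last item can be sketched as follows. This is an added example, not code from the original article: the roster of vendor logins, the `send_mail` hook, the five-minute lifetime and the three-attempt limit are all assumptions chosen for illustration.

```python
import hashlib, hmac, secrets

PIN_TTL = 300      # seconds a PIN stays valid (assumed value)
MAX_ATTEMPTS = 3   # wrong guesses before the PIN is discarded (assumed value)

class VendorPinGate:
    def __init__(self, roster, send_mail):
        self.roster = roster        # login -> work e-mail, kept current by the vendor's point person
        self.send_mail = send_mail  # callable(address, pin); hypothetical mail hook
        self.pending = {}           # login -> [pin_digest, expires_at, attempts_left]

    def start_login(self, login: str, now: float) -> bool:
        address = self.roster.get(login)
        if address is None:
            return False  # not on the vendor's current access list
        pin = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(pin.encode()).digest()
        self.pending[login] = [digest, now + PIN_TTL, MAX_ATTEMPTS]
        # Always mail the address on file, never one supplied at login time.
        self.send_mail(address, pin)
        return True

    def verify(self, login: str, pin: str, now: float) -> bool:
        entry = self.pending.get(login)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        supplied = hashlib.sha256(pin.encode()).digest()
        expired = now > expires_at
        ok = (not expired) and hmac.compare_digest(supplied, digest)
        if ok or expired or attempts <= 1:
            del self.pending[login]  # single use; also dropped on expiry or lockout
        else:
            entry[2] = attempts - 1
        return ok
```

The check only works as an employment test if the PIN goes to the mailbox the vendor controls, which is why the address comes from the roster rather than from the login form.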
Secure access while working from home
Many organizations have quickly adapted to working from home, but there are a number of challenges you’re likely facing right now. With your users scattered, it’s even more important to consider security, who has access to what, and how to quickly resolve problems like forgotten passwords to keep employees productive no matter where they’re working. With increased distance and risk, now is the time to get serious about bolstering security as your workforce transitions to a new normal.