In the wake of COVID-19, many organizations have switched to a mostly or wholly remote workforce. This was necessary to ensure that businesses could continue to operate while keeping employees safe and complying with quarantine and shelter-in-place orders.
In many cases, companies were unprepared to support a primarily remote workforce. Few companies were fully remote and many had no existing telework program. This meant that the organizations lacked the resources and experience required to work remotely both effectively and securely.
Even under ideal circumstances, remote workers introduce unique cybersecurity threats, and COVID-19 circumstances are far from ideal. As companies consider extended support for telework, it is necessary to implement a zero trust architecture to minimize and manage the cyber risks of a remote workforce.
Employees Use Personal Devices When Working
The COVID-19 pandemic and the resulting switch to telework caught many organizations unprepared. Many companies were accustomed to their employees working on-site and lacked sufficient company-owned devices to send one home with every remote employee.
As a result, over a third of employees are still working from personal devices. This means that, to do their jobs, these employees are accessing sensitive company and customer data on devices that lie completely outside of the organization’s control.
The use of personal devices for telework introduces a number of new cybersecurity risks for an organization, such as:
- Lack of Cybersecurity Protection: Employees’ computers in the office are likely running the corporate antivirus and potentially other cybersecurity solutions. This helps to identify and remediate malware and other infections on these devices. However, personal computers are unlikely to be running the corporate antivirus, leaving them more exposed to attack.
- Insecure Configurations: Many companies have security policies in place that outline required configuration settings and mandate the installation of security updates on corporate machines. These policies likely do not apply to the personal devices being used for remote work, increasing the probability that they are vulnerable to exploitation.
- Poor Password Management: Most companies have password policies in place that require strong passwords to be used on machines accessing company data. However, many remote workers do not have basic password protections on all of their devices. These same devices may be used for remote work and have access to the corporate network.
- Direct Internet Connectivity: Employees working from the office have all of their traffic pass through the corporate network perimeter and security stack, enabling the organization to perform content inspection and maintain full traffic visibility. The use of personal machines means that remote workers may not be protected by these same solutions, increasing their exposure to attackers.
All of these cybersecurity risks increase the probability that a teleworker’s computer will be compromised by cybercriminals. If this is the case, the attacker can leverage the employee’s direct connection to the corporate network, via the company virtual private network (VPN), to use the compromised personal device as a stepping stone to attack the enterprise.
Zero Trust Improves Enterprise Cybersecurity
With a remote workforce working from personal devices, the compromise of teleworker machines is not so much a question of “if” as “when”. With little or no control over these devices, organizations need to take steps to minimize the impact of these compromises on enterprise cybersecurity.
This is why implementing zero trust is an essential part of securely supporting a remote workforce. Under the zero trust model, access to enterprise systems and data is granted on a case-by-case basis. After an employee authenticates to the network, access controls based upon their job role are applied to all of their requests, granting them access to only what is necessary for them to do their job.
Implementing zero trust is essential because it minimizes the impact of the compromise of a teleworker’s computer. Instead of a malware infection granting the attacker complete access to the enterprise network, the systems and resources that they are permitted to access are limited based upon the privileges of the compromised account. This restricts the attacker’s access to sensitive data and impedes their ability to move laterally and spread their infection through the corporate network.
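The difference in exposure described above can be made concrete with a small model. The following is an added example, not code from the original article: it evaluates every request against a default-deny, role-based policy and compares what a compromised account can reach under that policy with what it can reach on a flat, VPN-style network. The roles, resource names and policy contents are constructed for illustration.

```python
from dataclasses import dataclass

# Everything on the corporate network (constructed inventory).
RESOURCES = {"crm", "payroll-db", "source-repo", "hr-files", "build-server"}

# Least-privilege policy (constructed): role -> {resource: allowed actions}.
POLICY = {
    "sales":    {"crm": {"read", "write"}},
    "engineer": {"source-repo": {"read", "write"}, "build-server": {"read"}},
    "hr":       {"hr-files": {"read", "write"}, "payroll-db": {"read"}},
}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    authenticated: bool
    resource: str
    action: str

def authorize(req: Request) -> bool:
    """Evaluate a single request; anything not explicitly granted is denied."""
    if not req.authenticated:
        return False
    allowed = POLICY.get(req.role, {}).get(req.resource, set())
    return req.action in allowed

def reachable_flat_network(authenticated: bool) -> set:
    """VPN-style model: once connected, every resource is reachable."""
    return set(RESOURCES) if authenticated else set()

def reachable_zero_trust(role: str, authenticated: bool) -> set:
    """Resources an account (or whoever controls it) can touch at all."""
    return {
        res for res in RESOURCES
        if any(authorize(Request("probe", role, authenticated, res, act))
               for act in ("read", "write"))
    }

if __name__ == "__main__":
    # Constructed scenario: a sales employee's personal laptop is compromised.
    print("flat network:", sorted(reachable_flat_network(True)))
    print("zero trust:  ", sorted(reachable_zero_trust("sales", True)))
    print("payroll read:",
          authorize(Request("alice", "sales", True, "payroll-db", "read")))
```

Because the decision is made per request rather than once at connection time, the policy table is the only place that determines how far a compromised account can reach.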
Deploying Zero Trust Effectively with SASE
Making the decision to adopt zero trust principles is only the first step in the process. To be effective, these principles and access control policies need to be enforced throughout the organization.
Traditional remote access solutions, like VPNs, are poorly suited to this. A VPN is designed to provide the user with full access to the enterprise network, not to restrict access on a case-by-case basis. Secure Access Service Edge (SASE) is a corporate WAN and remote access solution with integrated security and support for zero trust network access (ZTNA). Deploying SASE provides an organization with remote connectivity that offers higher performance and scalability than VPNs as well as the ability to better secure a remote workforce.