Weak human firewalls force businesses to adopt advanced access controls. Read our blog to get familiar with access controls that mitigate some of the risks associated with human factors.
When it comes to protecting businesses from cyber threats, every measure counts. Companies can deploy all the latest and greatest layers of protection, but they remain only as strong as their weakest link. It may be uncomfortable to say, but the weakest link of every business is its workforce. Despite being trained on security awareness topics, employees are often exploited by hackers to gain access to business assets. Furthermore, the increasing tendency to “work from home” or “work from a cafe” blurs the organization’s protection perimeter and makes employees even easier targets. According to the Economist, 40% of all American working hours are spent at home, even though a large share of people must physically go to work. Such hybrid workforce conditions, together with the weakness of the “human firewall,” challenge the ability to secure enterprises against compromised passwords and unauthorized access. Thus, along with awareness training, businesses should supplement their human firewalls with advanced access controls.
Employees are seen as the organization’s weakest link not because they are ‘incapable.’ Humans are curious by nature, so they often click on suspicious links, open malicious email attachments, visit websites they shouldn’t, connect to unsecured networks, or reuse the same password across multiple accounts. Such a “nothing-will-happen-to-me” mindset makes employees the main target of malicious actors worldwide, especially when they step outside the organization’s protection layers and use unsecured networks or devices to access data. Sooner or later, such negligence may end in breached data and stolen identities. Therefore, it is important to build a strong and reliable human firewall to adequately respond to cyberattacks and keep the organization’s data and systems safe.
The human firewall is a virtual line of defense formed by people to counter an organization’s security threats. It backs technical controls, so together they minimize the probability and impact of cyber threats. One of the ways to strengthen the human firewall is by conducting regular security awareness training and supplementing it with strong technical access controls. What security awareness training is and how it should be conducted, we already described in one of our previous posts, Security Awareness Training. Important Things to Know. In this article, we focus on access controls and authentication mechanisms that can help mitigate the human-factor issues.
Employees may not even imagine how their actions outside the office can put their company at risk. Taking their work laptops home and connecting them to unsecured home or public networks endangers everything they do or store on that laptop. Furthermore, it is not even necessary to bring the work device home – one may simply access a document by logging into the work email or cloud file storage from a home device. Hackers frequently use unsecured public or home Wi-Fi to access corporate data, so every attempt to access data or files from an unsecured device or network puts your company at risk.
To minimize risks, organizations should treat all Wi-Fi encryption standards as flawed and not to be trusted (remember the zero trust approach). Using a Virtual Private Network (VPN) while outside the office offers an additional layer of protection for keeping data safe. Having a VPN installed on your employees’ mobile devices safeguards their online activity from falling into the wrong hands via unsecured Wi-Fi spots, so employees can work at home, in a cafe, or even at the airport with more protection.
The value of VPNs lies in their ability to offer access to organizations’ data and applications from any location. However, the modern hybrid-cloud reality calls for next-generation VPN solutions to effectively deliver remote access to cloud resources. In particular, cloud-optimized VPNs are needed for secure connectivity between the data center and clouds. To solve the access issues related to cloud-based assets, some organizations use a Software Defined Perimeter (SDP). SDP is a way to hide Internet-connected infrastructure (servers, routers, etc.) so that external parties and attackers cannot see it, whether it is hosted on-premises or in the cloud. SDP solutions offer a high degree of protection, but the VPN is still critical to many organizations. While VPNs remain a vital part of the enterprise infrastructure, SDP serves as a next-generation VPN.
To reinforce organizations’ protection layers and minimize password-based vulnerabilities, businesses use Multi-Factor Authentication (MFA). MFA is an authentication method that requires users to provide two or more verification factors to access a resource. The additional factors fall into three categories: knowledge (password or PIN), possession (e.g., hardware MFA tokens, smartphones), and inherence (fingerprints or voice recognition). The most frequently used in practice are one-time passcodes of 4-8 digits, generated periodically or per authentication request and delivered via email, SMS, or a mobile app.
With the dynamic nature of the digital environment, access controls are also evolving. While some debate the appropriateness of hardware MFA tokens, which may be easily lost, others are testing new user-friendly solutions, such as SIM-based MFA. This method uses the SIM card as a secure possession factor with a unique advantage: every employee already has one in their mobile phone and is motivated to keep it safe. SIM authentication works similarly to how cell phone networks verify their customers when they make calls and charge them correctly. No additional credentials are needed to ‘log in’ to a mobile network – authentication happens automatically in the background between the SIM card and the operator. When deployed in a mobile phone, every SIM card has a unique identifier, which makes SIM-based MFA an advanced and cryptographically secure solution for identity verification.
Managing access is a challenging task, especially for large businesses. With many existing accounts and a dynamic workforce (new hires, promotions, relocations, etc.), granting and maintaining the right access for the workforce can be messy. Despite the complexity of the task, employees’ roles should be organized, and the best way to do it is to think of roles as labels attached to an identifiable access pattern. There are two main approaches to how these labels are generated and used. First, role engineers create attribute-based functional “business roles.” Second, specialists rely on the discovery of existing access patterns and label them as “IT roles” (so-called “role mining”). At the same time, roles should be granted based on the principle of least privilege, which means employees should have access only to the systems and applications needed to do their job, and only with the necessary permissions.
One of the most advanced strategies for organizing the access management process uses Artificial Intelligence (AI) and social engineering solutions. Basically, AI-based strategies can be executed on the principle that strongly similar identities should be granted identical access. In other words, the access profile of your sales manager should not differ significantly from that of their peers. The critical observation here is that ‘peer’ relationships among colleagues are not terribly different from the ‘friend’ relationships found in social networks. Logically, organizing access approvals can then be represented via a social-like structure, similar to a network of friends sharing common interests.
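As an added example (not the post’s own code or any vendor’s product), the following Python sketch combines the two ideas above: it mines the shared “IT role” inside each attribute-based business role, reports permissions beyond that role as least-privilege findings, and flags identities whose access differs noticeably from their peers. The identities, permissions and the similarity threshold are constructed assumptions.

```python
"""Peer-based access review: mine the shared IT role inside each business role
and flag identities whose access drifts from their peers. Added example; the
identity and permission data below is constructed, not a real directory."""

# Constructed sample: identity -> (business role attribute, granted permissions).
IDENTITIES = {
    "alice": ("sales_manager", {"crm_read", "crm_write", "quotes", "reports"}),
    "bob":   ("sales_manager", {"crm_read", "crm_write", "quotes", "reports"}),
    "carol": ("sales_manager", {"crm_read", "crm_write", "quotes", "reports",
                                "payroll_admin"}),
    "dave":  ("engineer", {"repo_read", "repo_write", "ci"}),
    "erin":  ("engineer", {"repo_read", "repo_write", "ci", "prod_db_admin"}),
    "frank": ("engineer", {"repo_read", "repo_write", "ci"}),
}

def mine_roles(identities):
    """Role mining: the permissions held by every member of a business role
    form the discovered IT role, i.e. the shared access pattern."""
    roles = {}
    for role, perms in identities.values():
        roles[role] = roles[role] & perms if role in roles else set(perms)
    return roles

def jaccard(a, b):
    """Similarity of two permission sets: |a & b| / |a | b| (1.0 if both empty)."""
    return len(a & b) / len(a | b) if a | b else 1.0

def review_findings(identities, threshold=0.85):
    """Least-privilege findings: permissions beyond the mined role, plus
    identities whose mean similarity to their peers falls below the threshold."""
    roles = mine_roles(identities)
    findings = {}
    for user, (role, perms) in identities.items():
        peers = [p for u, (r, p) in identities.items() if r == role and u != user]
        sim = sum(jaccard(perms, p) for p in peers) / len(peers) if peers else 1.0
        excess = perms - roles[role]  # granted but not part of the peer pattern
        if excess or sim < threshold:
            findings[user] = {"excess": sorted(excess),
                              "peer_similarity": round(sim, 2)}
    return findings

if __name__ == "__main__":
    for user, f in review_findings(IDENTITIES).items():
        print(f"{user}: excess={f['excess']} peer_similarity={f['peer_similarity']}")
```

With this data, carol and erin are the only reviewees: each holds one permission no peer has, and each falls below the similarity threshold because of it.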
It is necessary to talk separately about situations in which employees change positions or leave the organization. Businesses should conduct periodic access reviews to keep track of what information users can access, so that access can be changed or revoked when necessary. Access reviews perform an important security function, as they prevent an attack by someone who has left the organization or changed position but may still retain access to critical information.
Along with the reviews, businesses should also implement access monitoring tools that continuously check access activities and flag inappropriate access attempts and behaviors. Monitoring also helps maintain individuals’ accountability and makes them more responsible for their activity.
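As an added example, not from the original post or any particular monitoring product, the following Python detection logic runs the two concerns above over constructed access-log lines: it flags access by identities that have left or changed position (what an access review should have revoked), access to resources outside the identity’s role, and identities missing from the roster altogether. The roster, the role-to-resource map and the key=value log format are assumptions.

```python
"""Access monitoring: check access events against the identity roster and the
resources each role may touch. Added example with constructed sample data."""
import re

# Constructed roster: user -> (status, role). 'left' = departed or moved, deprovisioning pending.
ROSTER = {
    "alice": ("active", "sales_manager"),
    "carol": ("left", "sales_manager"),
    "dave":  ("active", "engineer"),
}
ROLE_RESOURCES = {"sales_manager": {"crm", "quotes"}, "engineer": {"repo", "ci"}}

# Constructed sample log lines in the key=value format this example assumes.
LOG_LINES = """\
2024-03-04T08:59:10Z user=alice action=read resource=crm result=success
2024-03-04T09:02:41Z user=carol action=read resource=crm result=success
2024-03-04T09:05:00Z user=dave action=write resource=payroll result=denied
2024-03-04T09:07:22Z user=mallory action=read resource=quotes result=success
2024-03-04T09:10:05Z user=dave action=write resource=repo result=success
""".splitlines()

EVENT_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
                      r"resource=(?P<resource>\S+) result=(?P<result>\S+)$")

def parse_event(line):
    """Return the event fields as a dict, or None if the line does not match."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None

def classify(event, roster=ROSTER, role_resources=ROLE_RESOURCES):
    """Label an event as a finding, or return None when it is expected."""
    entry = roster.get(event["user"])
    if entry is None:
        return "unknown_identity"
    status, role = entry
    if status != "active":
        return "access_by_departed_user"  # review should have revoked this
    if event["resource"] not in role_resources.get(role, set()):
        return "outside_role"  # kept even when denied: probing outside the role
    return None

def scan(lines):
    """Run every log line through the checks and collect the findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        label = "unparseable_line" if ev is None else classify(ev)
        if label:
            findings.append({"ts": ev["ts"] if ev else None,
                             "user": ev["user"] if ev else None, "finding": label})
    return findings
```

Running `scan(LOG_LINES)` yields three findings: carol’s read after leaving, dave’s denied attempt on payroll, and the unknown identity mallory; the two in-role events produce nothing.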
Despite the uncomfortable fact that humans are the weakest link of every business, they are indispensable. Given the hybrid working conditions and evolving cybersecurity threats, businesses must supplement their human firewall with robust access controls. Using a VPN when connecting through unsecured Wi-Fi spots, implementing MFA to minimize password-based vulnerabilities, and using proper access management and access review tools are important layers of cyber protection. Furthermore, these tools are not only about your business’s security; in many cases, they are also a compliance necessity.
Discover more interesting topics with our blog, and feel free to contact the Planet 9 team if you have any questions. We’ll be happy to assist!