The SME security frontier after COVID: Protecting identities requires a holistic approach

Hybrid working has resulted in more complications relating to a company’s cybersecurity. But, even if it is a very small company, there are still simple steps to take to ensure that the business is as secure as it can be. Neil Riva, a Principal Product Manager at JumpCloud focusing on identity and authentication, explains four steps which SMEs can take to build a security posture that can withstand the increased threat.

Draw a defined perimeter around a defined castle. That was the premise behind the castle-and-moat approach to IT security, built on what is now an outdated perception of identity and how best to protect it. A moat protects little when the castle is no longer there. Today, the cloud, the COVID-19 pandemic and the global remote workforce all underscore the irrelevance of this model. A new take on identity management is necessary, especially for small- and medium-sized enterprises (SMEs).

From a network perspective, if employees are using home or public networks, the effectiveness of company firewalls and controls is limited. Devices introduce additional challenges; IT teams are trying to manage a complex mix of company-issued and personal devices (some Mac, some Linux, some Windows) for a remote workforce that may not be aware of, or compliant with, company policies and security best practices. And remote work has required employees to adopt more cloud-based applications, increasing the likelihood they reuse username and password combinations simply to do their job. A domainless enterprise approach that takes this paradigm into account is needed.

At the same time that the IT landscape has become more complicated with application sprawl, and more expensive given the various tools required to secure it, the threats to SMEs are increasing. In Verizon’s 2021 Data Breach Incident Report (DBIR), the company found that SMEs are experiencing the same types and frequency of attacks that have, until now, been more specific to enterprises.

For SMEs looking to build a security posture that can withstand the increased threat, a holistic approach that layers security across all attack surfaces is critical. Below are the four steps to do it:

1. Establish user identity

User and password combinations don’t positively identify users; they simply confirm that someone has possession of functional credentials. Look for tools that go further. Multi-factor authentication (MFA) combines at least two verification methods: something you know, something you have and/or something you are. Whether it’s a token, a push app on a cell phone or a fingerprint scanner, requiring MFA supplies strengthened security at a time when company information is being accessed around the globe. Implementing single sign-on (SSO) for IT resources also reduces the risk wrought by users juggling too many accounts.

2. Secure the device

Establishing a user’s identity is meaningless if a device is compromised. At minimum, ensure a trusted device that is managed by a cloud directory and able to apply the organisation’s IT policies. Consider implementing mobile device management (MDM) for company-managed devices. Enrolling devices in an MDM allows admins to establish recognised and trusted devices and instantly wipe or lock a device in case of theft or loss. If your organisation allows employees to use their personal device for work, a good practice is to install company-managed agents that admins can activate in the case of an emergency. Invest in anti-virus software and make it available to all end-users, no matter who owns each device.

3. Require context

Defaulting your IT security to a least-privilege access model can eliminate the risk of accidental access to sensitive data. Giving each person permission to access what they need, and nothing more, should be the basic foundation when setting up access policies. First, double-check your permissions to ensure appropriate access levels have been established; revise them if necessary. Next, consider deploying conditional access policies based on the context of users’ activity, like limiting access based on IT-determined groups or requiring step-up authentication when a user is trying to log in outside of their normal activity, hours or location. Context and condition avoid an overly permissive IT environment, mitigating the threats posed by stolen or shared credentials and compromised devices.

4. Trust the network

There is no doubt that network security was easier to establish when workers entered a physical building with a key card, then sat down at a designated terminal to log in. In a time of hybrid workforces, network security may be more complicated, but can still be as effective. For SMEs on the smaller side, whitelisting individual IP addresses might be an option. For larger ones, limiting traffic to a range of IP addresses, using geofences to restrict traffic outside of approved geographic areas, or deploying a virtual private network (VPN) can prevent unauthorised access by bad actors.
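How the four layers can combine into a single access decision, as an added sketch that is not from the article or from any vendor's product. The networks, groups, working hours and the `Request` fields are constructed assumptions, and "fresh MFA" is assumed to mean a second factor verified in the current session.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed policy values (assumptions for this sketch, not from the article).
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]
RESOURCE_GROUPS = {"payroll": {"finance"}, "wiki": {"finance", "engineering"}}
WORK_HOURS = (time(7, 0), time(19, 0))

@dataclass
class Request:
    user_groups: set       # groups asserted by the directory for this user
    resource: str
    mfa_fresh: bool        # second factor verified in this session
    device_managed: bool   # enrolled in MDM or running the company agent
    source_ip: str
    local_time: time

def decide(req: Request) -> str:
    """Return 'deny', 'step_up' or 'allow' for one access request."""
    # Least privilege: unknown resources and non-members are denied outright.
    if not (req.user_groups & RESOURCE_GROUPS.get(req.resource, set())):
        return "deny"
    # Device: valid credentials on an untrusted device are not enough.
    if not req.device_managed:
        return "deny"
    # Network: fail closed if the source address cannot be parsed.
    try:
        addr = ip_address(req.source_ip)
    except ValueError:
        return "deny"
    known_network = any(addr in net for net in ALLOWED_NETWORKS)
    in_hours = WORK_HOURS[0] <= req.local_time <= WORK_HOURS[1]
    # Context: outside the usual network or hours, require a fresh second factor.
    if (not known_network or not in_hours) and not req.mfa_fresh:
        return "step_up"
    return "allow"
```

The order of the checks matters: group membership and device trust are hard denials, while network and time only raise the authentication bar, so a stolen password used from an unknown network gets a second-factor challenge rather than access.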

The frontier of IT security

The pandemic accelerated changes in the IT landscape that now look permanent, and SMEs are now tasked with securing their users without adding excess cost or friction. Workers will continue to log in from around the globe – and do so on an increasingly complicated combination of devices. A holistic approach to IT security addresses potential vulnerabilities at each point of access, delivering a multi-layer model that can successfully manage your organisation’s identities in all contexts.
