When it comes to measuring identity and access management (IAM) maturity, many companies limit their thinking to on-prem systems and endpoints. But desktop computer firewalls and other in-office considerations become irrelevant once employees get home and either log on to their home networks or use their personal devices to access company data.
As the way we work has changed, the way we think about IAM has to change as well. Regardless of how long COVID-related lockdowns last, the shift to remote work was in force well before the start of the pandemic. Asking critical questions and enacting the appropriate solutions are important steps in protecting your modern workforce from cyber crime.
Here are four such questions to get you started:
Question #1: Do you have policies in place controlling the access users have to sensitive information while working remotely from personal devices?
Maintaining productivity while employees are away from the office is important — nobody wants to jump through multiple sign-in or network access hoops.
But granting access to sensitive information too freely can create unintended vulnerabilities. For instance, imagine that an employee is reviewing plans for an upcoming new product release on a personal tablet… and then accidentally leaves the device in a taxi.
Mistakes will happen; you can’t control every employee’s behaviour while they’re away from the office. But you can control their access to critical information — as well as implement tools that allow you to wipe data from misplaced devices — to keep your data secure.
Question #2: Have you educated team members on proper security protocols for remote networks and remote network usage?
How many of your employees log on to public Wi-Fi networks at cafes, hotels, or airports? Even if your organisation takes steps to educate users on internet security, the number may be more than you think.
One study from University College London (UCL) found that “not only did many applications still fail to encrypt data in motion, many users continue to use unsecured public Wi-Fi networks.” Over the 150-hour experiment, researchers were able to find “private photos, emails, documents, and login credentials being transmitted in clear text without encryption” via public Wi-Fi networks that were set up for the experiment.
Further, Norton’s 2017 Wi-Fi Risk Report found that:
- More than half of the survey’s 15,532 participants used free public Wi-Fi
- Eighty per cent of public Wi-Fi users dealt with sensitive information such as email and online banking while on these networks
- Sixty per cent of participants feel their personal information is safe when using public Wi-Fi
Although you may be able to enact certain restrictions that limit what employees can access when connected to unsecured Wi-Fi networks, education has a role to play here as well. Periodic training and regular reminders can help reinforce the importance of using secure networks to access company data.
Question #3: If employees are working remotely, does your IAM policy address risks associated with allowing others access to their employer-issued or personal devices?
Though it’s becoming more and more common for each member of the family to have their own device, companies still need to consider the possibility that employees may allow others access to the devices they use for work.
Take Proofpoint’s 2018 User Risk Report, which surveyed 6000 technology users across six countries, including the US, UK, France, Germany, Italy, and Australia. Roughly 55% of participants admitted to sharing their employer-issued devices with family members or trusted friends, who used them for activities including checking email, engaging with social networks, streaming media, shopping online, and more.
Even the most trusted contacts accessing a work device create unnecessary security risk; for example, by accidentally allowing unauthorised users to view confidential data and by increasing exposure to phishing threats. A far better approach is a blanket policy that prohibits access by others to devices used for work — one that’s codified and communicated to all relevant stakeholders.
Question #4: Have you implemented a policy around printing out sensitive data on home networks?
Another easy security win is limiting employees’ ability to print out sensitive information when they’re away from the office.
Certainly, you may not be able to fully restrict this behaviour if you have employees who work remotely full-time. However, you can:
- Limit user roles and privileges around printing so that only those employees who truly need to be able to print whilst remote can do so.
- Educate employees on steps to take to secure their home networks.
- Educate them on the importance of not leaving printed materials lying about, including the potential security risks that could arise from documents inadvertently falling into the wrong hands.
Empower Your Modern Workforce Through IAM
The questions above reveal the breadth of security considerations that have arisen from the transition to modern work, where even something as commonplace as printing out documents can introduce unanticipated risk.
Your company’s IAM policies go a long way towards empowering your modern workforce and securing their activities. If you don’t already have an IAM policy in place — or if you aren’t sure it fully addresses the concerns of a modern workforce — download Mangano IT’s free checklist, “Measuring Your Identity and Access Management (IAM) Maturity” for more questions to better understand and improve your existing security posture.