Julie Preiss, June 11, 2021
How Hybrid Workplaces and the Human Factor Create New Security Dilemmas
A thought-provoking Wall Street Journal article published June 8 describes a cybersecurity nightmare accelerated by today’s hybrid workplace. The author deftly lays out key reasons why this is a hacker’s dream including: the age-old issue of poor patching; a Pandora’s box of potential infections when employee devices are plugged back into the corporate network; and what he calls “the human factor.”
This blog focuses on that last point – the human factor.
People always have been at the center of the cybersecurity conundrum because human error is inevitable. People connecting to your corporate network aren’t security experts. They will reuse weak passwords, click links, download things they shouldn’t and ignore software updates. They move from place to place and one device to another all the time. Approximately 88 percent of all data breaches are caused by human error. That isn’t going to change.
When you factor COVID into the mix, things get more complicated. For the last year, employees have connected from remote locations using corporate or non-corporate devices. The odds are good that many of these devices have been infected with malware while in the wild. Also, anyone hired during the pandemic likely has never been to a corporate office. When they walk in and connect for the first time, your IT team will have to scramble to get them onboarded and recognized by the NAC. Speaking of NACs, most have sat idle for the last 12-18 months and will require significant effort to reboot. Is it worth it to dust off an antiquated technology that doesn’t offer proper protection to begin with?
Network admins and security teams are on the other side of the people equation. Consider the challenge of having employees working on-site, remote or a mix of both. Managing policies based on where workers are from one day to the next is yet another nightmare.
Solving for the human factor
So, how do you solve for the human factor? One answer is training on basics like phishing and password hygiene. But the world’s best training isn’t going to help when an employee inevitably makes a mistake that has security repercussions. How we protect networks must recognize the human factor – and a slew of other risks. The best way to minimize the impact of human error is with a Zero Trust strategy, which reframes how we think about network security.
Historically, security focused on the network, not users. This perimeter-centric approach made sense during the advent of the internet but it’s not sustainable. People aren’t stationary and the perimeter is evaporating. Networks are hybrid and distributed. People connect to network resources housed in a corporate data center, a public or private cloud, or all of the above.
When you concede to a vanishing perimeter, you must admit that perimeter-centric security built on implicit trust won’t cut it anymore … and here’s why. Once a user connects to the network, they’re granted access to more resources than needed to do their job. As a result, when a breach inevitably occurs, it is easy for an attacker to go undetected, move laterally within the network and cause widespread damage.
That’s why Zero Trust adoption has exploded. In fact, the White House recently issued an Executive Order requiring federal agencies to adopt a Zero Trust architecture. Here’s how a Zero Trust approach solves for hybrid workforce human factors.
Workplace vs. Anyplace
A Zero Trust Network Access (ZTNA) solution works across IT environments. Whether your employee is plugged into the corporate network or their favorite café, the level of protection is the same and based on least privilege access. They only get access to the resources needed to do their job and nothing more. This significantly reduces your attack surface if you’re breached. The attacker has nowhere to go; all other network resources are invisible.
For an employee, the experience doesn’t change just because their location does. They don’t have to sign into a clunky, slow VPN from the café then do something different in the office. They simply securely connect without effort or friction. Just as important, a ZTNA solution adjusts privileges in real time, meaning access is conditional, based on many factors.
We empower organizations to defend their networks from wrongful access and continuously monitor for user behavior changes once a connection is made. Appgate SDP employs the principles of Zero Trust, or least privilege access, which dictates users can only access the resources needed to do their job. Access is conditional, based on many factors, and if any one of those factors changes during the online session the user can be denied access in part or in full to resources and applications.
Network and security teams also reap the benefits of ZTNA when dealing with the hybrid workforce. A good solution will dramatically simplify policy administration. Administrators manage one set of policies for a user, regardless of location or device. They can also free themselves from the burden (and cost) of configuring and managing outdated NAC and VPN hardware. ZTNA provides a consistent configuration experience across the IT environment.
These are just a few ways a ZTNA solution can reduce the risk of a cybersecurity nightmare scenario. We cover the basics in our ZTNA: Everything You Need to Know ebook. As the world gets more complicated and interconnected, solving security challenges has to evolve if we’re to stay ahead of them.