In June, the Wall Street Journal asked Chief Information Officers (CIOs) across the globe what kept them up at night. All voiced concerns that the coronavirus has changed how we work, shop, and play, and consequently unveiled new network vulnerabilities. Here we explore two of their top worries, along with strategies and solutions that we think can ease their minds.
Worry #1: There’s been a dramatic rise in web transactions as more people use e-commerce sites to shop from home. CIOs worry about having proper security measures in place to protect this massive transition to online buying.
Jeff Bradbury, senior marketing director at Hughes North America, says we are now in our second decade of online buying, with general security practices that are proven and solidly in place.
“We secure websites with SSL encryption,” he says. “And we use established technologies and processes to secure backend systems and credit card transactions. These best practices must continue, in addition to conducting proper site maintenance and updating system software as new releases come out, so systems stay current and secure.”
But new tactics are also being deployed, he explains, as e-commerce sites ramp up their security practices in response to shifting buying patterns and a greater risk of fraud. One of these is multi-factor authentication (MFA) in place of a simple user ID and password: the e-commerce site texts a one-time code to the phone number on file, or checks whether the login is coming from a new or a familiar device. Some financial institutions, like Charles Schwab (as outlined on their website), use phone-based voice imprints to validate users. Others use biometrics, like facial recognition or fingerprint readers, to enable mobile transactions.
To further secure transactions, card networks and mobile payment providers have deployed services like Visa Pay or Apple Pay that substitute a payment token for the real card number, so the merchant never handles the card details and a breach of the merchant does not expose them. Similarly, EMV (Europay, Mastercard and Visa) chip cards, the technical standard for smart payment terminals and automated teller machines, have the chip compute a unique cryptogram for every transaction, so data captured from one transaction cannot be replayed to authorize another.
Mr. Bradbury advises enterprises that process credit card transactions online to consider some form of multi-factor authentication during the payment process to guard against fraud and cybertheft. For in-store use, he suggests EMV-compliant or mobile pay options that offer increased security. Consumers, in turn, should consider whether their favorite e-commerce sites and retailers are taking sufficient steps, like those mentioned above, to safeguard their customer data.
Worry #2: The next big concern (and threat) is the issue of remote or work-at-home employees, most of whom used to sit inside a protected network enclave. They still need to conduct all the same work-related tasks as before, but instead, must now do it from home. CIOs worry about protecting both business-critical and customer data, as well as their work-at-home employees.
Jim Fowler, a CIO interviewed for the WSJ story, noted that when the pandemic hit, his company shifted 98% of its 28,000 workers to their homes in just three days. It's likely the company will see as much as 50% of its workforce continue to work from home.
Mr. Bradbury notes that many enterprises were caught off guard at the start of the pandemic. They were unable to quickly implement more traditional work-at-home or remote solutions like secure Virtual Private Network (VPN) connections. Even so, he says, VPNs are not always a viable, large-scale solution because they can create an inefficient and degraded user experience: traffic is forced to 'hairpin' through a corporate data center before being sent on to the end application or data site.
One huge challenge here is moving from dozens or hundreds of VPN connections to perhaps thousands or more, each of which forces data to make that round trip through the data center and so adds processing delay and latency. Another challenge is acquiring enough VPN licenses and computing capacity to support all employees. Without sufficient licenses, some users may not be able to get on the VPN at all, and without enough computing capacity, Mr. Bradbury says, the VPN connection will be slow (he cites as much as 30 to 50% added latency). For these reasons, increasing the number of concurrent VPN connections requires that an enterprise allocate and manage IT resources to handle the additional users and avoid performance problems; failing to do so creates a bad user experience.
One workaround Mr. Bradbury suggests is to distinguish the times when employees are doing critical work that involves customer- or company-specific data, when they should be on the VPN, from other tasks, like editing spreadsheets or text documents, where they can rely on the cloud-based security controls native to those applications, such as the file protections offered by Office365 or Dropbox. Given that most network infrastructure wasn't originally sized for all of a company's employees to be on the VPN simultaneously, this tactic frees up VPN capacity for the more critical traffic and may even reduce the need to expand the network. The routing-level form of this tactic is split tunneling, and the caveat is the same either way: the traffic that bypasses the VPN is protected only by the endpoint itself and by the cloud provider's controls, which is why the endpoint layers described below matter.
“Ultimately, enterprises need to arrive at a solution that allows for an end user to be authenticated and protected as a work-at-home employee. And that requires a multi-layered strategy of cloud- and software-driven approaches,” he explains.
The first layer is endpoint protection on every employee's PC or laptop, so they are protected against commodity viruses and malware and blocked from known-malicious sites. Next, they should have a software-based (host) firewall that applies security policy based on where employees need to go to perform their work, such as the Internet or the corporate data center.
As a more complete solution, enterprises may want to consider deploying a "zero trust architecture," in which every request for a corporate resource is authenticated and authorized on the basis of the user's identity and device rather than on their being inside the corporate network. A Zero Trust Network Access (ZTNA) solution is a powerful add-on to the endpoint and firewall protections, Mr. Bradbury stresses.
But even taking a half-step toward ZTNA is beneficial. This means single sign-on (SSO) plus MFA: an employee signs on once, with MFA validation, and that one authentication carries them from app to app. For example, the same sign-on would give them access to the VPN, to centralized resources like timesheets, and to the company's cloud-based MS Office365 suite. This provides a unified and consistent approach to authentication across multiple corporate applications and resources.
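To make the single-sign-on-plus-MFA step concrete, an added example (mine, not Hughes's or from the article): one identity provider authenticates the user once, records that MFA was performed, and issues a signed token; each application (the VPN, timesheets and Office365 in the text) checks the signature, expiry, its own audience and the MFA claim instead of running its own login. The claim names follow JWT conventions (`sub`, `aud`, `amr`, `exp`); the HMAC key, issuer URL, audience names and timestamps are made-up values, and HS256 with a shared key is used only to keep the example self-contained. A real identity provider would sign with a private key so that applications hold only the public key and cannot mint tokens themselves.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, audiences: list, amr: list, now: int, ttl: int = 3600) -> str:
    """Identity provider side: sign the claims once, after the user has completed login and MFA.
    `amr` (authentication methods reference) records which methods were used, e.g. ["pwd", "mfa"]."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "https://idp.example", "sub": subject, "aud": audiences,   # issuer is a placeholder
              "amr": amr, "iat": now, "exp": now + ttl}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_token(token: str, key: bytes, audience: str, now: int, require_mfa: bool = True):
    """Application side: returns (True, claims) or (False, reason). Every app runs the same checks,
    so the user authenticates once at the IdP and never re-enters credentials at the app."""
    try:
        h, c, s = token.split(".")
        header = json.loads(b64url_decode(h))
        signature = b64url_decode(s)
    except ValueError:
        return (False, "malformed token")
    if header.get("alg") != "HS256":                     # pin the algorithm; never trust "alg" from the token
        return (False, "unexpected alg")
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):     # verify before parsing the claims
        return (False, "bad signature")
    try:
        claims = json.loads(b64url_decode(c))
    except ValueError:
        return (False, "malformed token")
    if now >= claims.get("exp", 0):
        return (False, "expired")
    if audience not in claims.get("aud", []):            # a token for the VPN must not open the HR portal
        return (False, "wrong audience")
    if require_mfa and "mfa" not in claims.get("amr", []):
        return (False, "MFA not performed")
    return (True, claims)


if __name__ == "__main__":
    key = b"shared-idp-key-for-demo-only"                # made-up key; a real IdP would use an asymmetric key pair
    now = 1_600_000_000                                  # constructed timestamp
    token = issue_token(key, "alice", ["vpn", "timesheets", "office365"], ["pwd", "mfa"], now)
    for app in ("vpn", "timesheets", "office365", "hr-portal"):
        print(app, verify_token(token, key, app, now)[0])  # True, True, True, False
    weak = issue_token(key, "alice", ["vpn"], ["pwd"], now)  # password only, no MFA
    print("vpn without MFA:", verify_token(weak, key, "vpn", now))
```

The ordering in `verify_token` is deliberate: the algorithm is pinned and the signature checked before any claim is read, the comparison is constant-time, and the audience check is what keeps "one sign-on for everything" from becoming "one token opens everything", since each application accepts only tokens minted for it.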
“There is always a trade-off with security and usability,” Mr. Bradbury says. “From the employee’s perspective, you don’t want to lock down a system so much that they can’t do what they need to do. You don’t want to make their jobs more challenging. You have to find the middle ground.”
Fortunately, there are plenty of options and technologies to choose from to find that middle ground – as well as to ensure that CIOs can get some sleep.
Looking for more work-at-home solutions? Check out our blog.