At a time when companies are looking to hire more remote workers, CIO/CISOs believe it’s time to rethink security with Zero Trust and multifactor authentication, finds a new study
As organizations work with newer technologies and geographically distributed teams, they are looking to hire more contractors and remote workers without strict requirements for physical presence in an office. While this recruiting trend fosters collaboration and productivity, it often pulls against security: the key challenge with remote workers is securing their access to sensitive systems and data, and that leaves CIO/CISOs at a crossroads. A recent report released by Okta shows how approaches such as Zero Trust and multifactor authentication are helping technology and security leaders rethink security in their organizations.
Why security is the No. 1 priority
In its recent survey of 1,050 decision makers, including CIOs, CTOs, CISOs and others leading technology functions in their organizations, Okta finds that 63% of respondents said they are eyeing an increase in the number of remote workers (including contractors), as companies use the time saved by avoiding long commutes to increase employee productivity and work-life balance. However, such a strategy entails an element of risk. Some 45% of respondents pointed to security as the biggest factor preventing them from hiring more contractors, while 39% said they see remote workers as a security threat.
The cost of a data breach — both financially and in terms of brand reputation — is growing. A separate study by the Ponemon Institute, titled 2018 Cost of a Data Breach Study, found that on average companies took 197 days to identify a data breach and 69 days to contain it. The time required to identify and contain breaches was highest for malicious and criminal attacks and lower for breaches caused by human error. Needless to say, security should be part of an organization’s mission statement.
As Dr O.A. Balasubramaniam, Sr. Vice President-IT at Roots Group of Companies, states, “Technology advancement has changed the workplace scenario, and information is one of the most valuable assets to every organization, yet often one of the most vulnerable ones.”
He believes that, because such attacks carry a direct economic cost to the business, such as theft of corporate information, disruption to trading and the cost of repairing systems, as well as reputational damage, all businesses, no matter their size, need to ensure proper knowledge of cyber security and the tools involved, and to stay up to date on the latest cyber security threats and the best methods for protecting data.
“Cyber attacks could irreparably damage the business, so security needs to be the top priority,” Balasubramaniam adds.
Therefore, with these new ways of working, companies need to move beyond traditional perimeter-based security.
Enter Zero Trust, MFA
To respond to security threats, the Okta study found, more companies are looking at Zero Trust, a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters and must instead verify anything and everything trying to connect to their systems before granting access.
John Kindervag, Field CTO at Palo Alto Networks, who created the concept of Zero Trust, coined the term, and promoted the approach while serving as a vice president and principal analyst at Forrester Research, approaches Zero Trust from a unique position. He mentions in a recent security roundtable, “Although the idea is fairly straightforward— trust is the root cause of all data breaches and most other negative cyber-security events; we don’t need trust in digital systems when the only beneficiaries are attackers—putting the concept into motion can prove challenging.”
On this front, Okta researchers found that one-third of respondents said they already have a formal Zero Trust strategy and are actively working to secure their companies with this approach. Another 25% said they are creating a formal plan around a Zero Trust strategy, while 24% said they are considering it but do not yet have any formal plans to implement it.
In today’s security landscape, it’s no longer about the network — it’s centered on the people who access your systems and the identity access controls for those individuals. Therefore, the road to Zero Trust is paved with strong multi-factor authentication (MFA), state the study’s researchers.
Some 61% of respondents said they use security questions, while 54% have implemented software-based one-time passwords. A little over half the CIO/CTO/CISOs use SMS, voice verification, and/or the emailing of one-time passwords, with 36% adopting physical keys and U2F (Universal 2nd Factor) tokens.
Among the different MFA methods, one-time passwords provided by software, physical and U2F tokens and biometrics are considered the strongest, while security questions and one-time passwords provided on email are seen as the weaker lot.
The stark reality
The survey also found a strong disconnect between how quickly respondents expect to respond to a security breach and the reality of how long such responses can actually take. Some 73% of respondents said they expected their company would identify a security compromise immediately or within 24 hours, while 78% said they would respond to such a breach immediately or within 24 hours. Further, 60% of respondents said they’re very prepared to handle a security breach.
The worrisome finding is that CIOs are particularly confident in their company’s preparedness and so are the respondents from some of the most vulnerable industries, including technology, financial services, manufacturing, retail, and healthcare.
As the Okta report states, “The gulf between expectations and reality shows why security can be such a challenge even for the world’s largest companies.”
Nonetheless, pursuing a Zero Trust strategy and adopting one of the strong MFA types can go a long way toward reducing the burden on technology leaders of securing remote workers, and with them the enterprise.