This blog was contributed by Darren James, Head of Internal IT at Specops Software.
Remote workers are starting to return to their old workspaces, but the offices they’re entering aren’t the same offices they left in March 2020. Having realized that workers can function well in a remote environment, many organizations are adopting hybrid work in which employees work both remotely and in the office.
Shifting to remote work during the pandemic created many new IT challenges, and some of these have been heavily discussed. From Wi-Fi outages and phishing emails to the deterioration of the office perimeter, these issues have presented valuable lessons that IT leaders continue to learn about navigating remote work.
But if IT leaders are to successfully ensure hybrid workforce continuity, they must look beyond these front-and-center hurdles and focus on a less discussed threat to the hybrid workforce: password security-related issues.
Passwords have long been at the forefront of cybersecurity risk due to excessive reuse and lack of enforceable policies and standards, among other factors. But with hybrid work here to stay, IT and security leaders will be forced to address password vulnerabilities soon, because they’re more troubling for the permanent hybrid workforce than they were within permanent office environments.
The Challenges Threatening Hybrid Workforce Password Security
Shifting to the permanent hybrid workforce presents organizations with three major password security issues that they must address.
The first challenge is that hybrid work has made the traditional office perimeter obsolete, making devices and networks more vulnerable to compromise. Many employees are unknowingly using insecure or vulnerable personal devices for work, and then bringing those devices into the corporate environment one or two days per week. Poor password hygiene, such as reusing passwords that already appear in breach data, increases the risk to these devices, and that risk spreads to the entire organization once the device is on the corporate network.
The second hybrid work specific challenge is tied to the IT service desk, which has seen a dramatic rise in daily inquiries over the past 18 months. Savvy adversaries, ever aware of enterprise trends, have begun to impersonate remote employees to obtain the credentials required for unauthorized access. A very recent example of IT service desk social engineering occurred when hackers posed as employees of the video game company EA and manipulated an unsuspecting employee over Slack into resetting a password. That reset ultimately allowed them to access proprietary game source code, compromising the company's intellectual property.
Password recovery is indicative of an unprecedented continuity issue facing many areas of the permanent hybrid workforce: How does an organization ensure that processes are both uniform and as secure as possible for both the in-office and remote parts of the hybrid workforce? And how can they do so without overburdening their already-strained IT helpdesks?
The Secure Paths Forward
There are three actions that IT security leaders should take to reinforce password security and guard against bad actors, all while ensuring permanent hybrid workforce continuity.
First, instituting a sound password policy can help safeguard remote and in-office workers alike. Organizations such as the National Institute of Standards and Technology (NIST) have issued best practices for creating strong passwords that organizations can reference.
Second, creating and enforcing an end-user verification policy for their IT service desks can help IT leaders guard against scams like employee impersonation. This policy should combine employee awareness training with technology to serve as a dual defense against complex attack techniques.
Finally, supporting IT service desks to address both in-office and remote work issues can strengthen the “hybrid” part of the hybrid workforce. Implementing secure self-service solutions for password resets, key recovery, and unlocking locked Active Directory (AD) accounts can help reduce the workload thrust upon the IT service desk in the shift to remote work without compromising cybersecurity.
This new hybrid work environment represents a major paradigm shift in how we work and live. It’s easy to just focus on heavily discussed issues like email and network security when implementing this transition. But password security represents a real threat to the new hybrid workforce. If IT leaders are to ensure permanent hybrid work’s success as it becomes the new normal, they must focus on improving password security to protect their organizations and maximize continuity.