Zero-Trust at Home: No-Exception Remote Work

The zero-trust approach has long been a popular strategy for organizations looking for airtight security in the workplace. By consistently questioning who a user is and what they want to do, we expel a potentially harmful blind trust; assumptions go out the window, and users are forced to confirm their identity and their reason for accessing certain applications. But, as we approach the one-year anniversary of the remote work boom, spurred by the pandemic, it is time we embrace the fact that zero-trust needs to be applied not only in the workplace, but also in the home.

Think of it as similar to the security system you might have set up to physically guard your home. The system will let you know if someone is near the house, and will require verification, whether you’re a burglar, a friend stopping by that day or someone who actually lives there. The same concept applies with zero-trust – whether you’re accessing the internet at home to tackle assignments or just browsing for personal reasons, you need a zero-trust “security system” that requires verification, keeping those with malicious intent on the outside. A simple access notification system – the “doorbell,” in this metaphor – simply doesn’t do enough to ensure proper security.

The importance of zero-trust at home has spiked in the last year, as personal and professional lives have merged to near homogeneity. Even the most careful remote workers encounter a variety of daily risks that manifest independently from their own actions. Organizations may try to mitigate this risk with awareness training, or password security training. In fact, it’s quite possible the company you work for is implementing identity security measures, too. But such measures are only foolproof in a world void of complacency and the occasional mental mistake. Remote work promises to be a mainstay of the post-COVID-19 work world, so the time for remote zero-trust is now.

Here’s how to implement it in your home.

ABQ: Always Be Questioning

If the past year is any indicator, 2021 could break records for the number of phishing attempts and successful attacks. The remote work boom has only motivated cybercriminals to work harder; companies report being targeted by more than 1,000 attacks per month. More than half of U.S. workers claim they’ve been targeted by phishing attempts in the first six months of the pandemic alone. Hackers view the new work environment as a breeding ground for new attack vectors, striking employees on their personal devices with emails and texts hiding malicious links. One wrong click, one minor oversight, and a criminal can get his hands on your and your organization’s data.

These hackers are dependent on employees’ complacency; the best way to combat these attacks is to approach each call, text and email with a healthy level of scrutiny, whether it appears to be from an unknown sender or a trusted coworker. Keep an eye out for messages that call for immediate action. Most organizations wouldn’t ask for rushed decision-making, and it is better to be safe than sorry. Alerts from the FBI in recent months show the severity of these phishing attacks. As a zero-trust defense, question everything.

An End to Password and Device Sharing

The necessity of remote work during the pandemic has illuminated a common security blunder: sharing passwords across work and personal accounts, and across work and personal devices. If those passwords or devices fall into the wrong hands, it could compromise multiple personal and professional systems, leading to catastrophic damage for you and your company. As a result, remote employees must view everyone as an outsider from a security perspective. If a camouflaged hacker posed as a friend or loved one and gained entry into your accounts, they could quickly control important corporate networks. Furthermore, if you use similar passwords across different accounts, a hacker only needs to glean one from a single login to take down multiple entities.

Given what’s at stake, a zero-trust approach requires an immediate end to password and device sharing practices. Employ solutions such as password managers and create multiple accounts for shared applications (think streaming services like Apple Music and Hulu) to separate work from play. Designate devices for solely professional or personal use and enforce these boundaries. Password sharing is a slippery slope; even if well-intentioned, the ability to secure your networks can quickly fall out of your control. From a security perspective, the zero-trust remote approach requires that you view everyone else as an outsider.

Think Lifestyle, Not Just Strategy

A zero-trust approach requires constant application in order to be successful. Properly questioning all inbound messages and the people behind said messages is a full-time responsibility. Therefore, it is vital for employees to view zero-trust as a lifestyle, rather than a one-time solution.

Zero-trust challenges a person to think differently about their day-to-day interactions, whether it’s an ask for a password or a request to take specific action. The moment that you view zero-trust as a way of life, letting it inform your entire body of remote workplace decision making, is the moment that both you and your organization can breathe more easily. Question everything, constantly vet your contacts, and allow this healthy scrutiny to become a lifestyle. Only then can successful remote security be achieved.

Lori Robinson

Lori Robinson is a VP of Strategy and Market Research at SailPoint where she leads a team of individuals responsible for developing and evangelizing SailPoint’s corporate and product strategy. Lori has over 15 years of experience in the identity and access management industry. Prior to joining SailPoint, she was a Managing Vice President at Gartner where she covered the identity governance and administration, privileged access management, and consumer IAM markets. She also served as a Managing Vice President for Gartner’s data management team where she led a team of experts covering databases, data integration, and data governance technologies. Lori is a recognized industry thought leader, speaker, and publisher. She is passionate about advancing opportunities for women in IT and has led various user groups, round tables, and events for women in identity.