Coronavirus proved that most employees can successfully work from home. In fact, a recent PwC survey found that 83 percent of executives said that shifting to remote work was successful for their company. As pandemic-related restrictions continue to lift (barring any potential setbacks from the Delta variant), many employees are hesitant to return to the office full-time, citing better productivity, family and health benefits, and an overall preferable work-life balance.
Employers, for the most part, are embracing this employee sentiment. A recent survey commissioned by PwC found that a hybrid workforce will become the new, post-pandemic normal. Based on the survey, 68 percent of executives said that a typical employee should work in an office just three days a week. The same report found that 55 percent of employees would prefer to work remotely at least three days per week once Covid-19-related concerns subside.
JPMorgan Chase Co-President Daniel Pinto agrees, recently saying that, “going back to the office with 100 percent of the people 100 percent of the time, I think there is zero chance of that. As for everyone working from home all the time, there is also zero chance of that.”
While hybrid work offers many positives for employees and employers, there are several IT and IT security-related challenges to setting up and maintaining the digital infrastructure for a permanently hybrid workforce. Chief among those challenges are risks and inefficiencies related to password security.
Why proper password hygiene matters
While talk about ‘passwordless’ authentication has generated buzz, the changeover from traditional passwords won’t happen overnight. Besides, many organizations that have adopted fingerprint or other biometric authentication still keep a traditional password as the fallback for when those methods fail. So, passwords aren’t going anywhere anytime soon.
The permanent hybrid workforce therefore brings password security concerns to light for a few reasons. First, remote workers’ devices are more exposed when outside the office perimeter. Sharing devices with others or inadvertently connecting to a rogue access point or malicious network can significantly threaten an organization’s security: if a remote employee’s device is compromised, a bad actor can use it as a path into the organization’s network as well. Poor password hygiene, such as using already-breached passwords, increases the risk to these devices and, through them, to the entire organization.
Second, retrieving or changing one’s password can also threaten the continuity of the permanent hybrid workforce on multiple levels. Many organizations require employees to initiate this process through their IT service desk, but without proper user verification policies in place, an unauthorized user could impersonate an employee on a call to the service desk, obtain a reset, and gain access to confidential data, or, even worse, use that access to introduce malware or ransomware into the corporate network.
A recent example of IT service desk social engineering occurred when hackers posed as employees of the video game company EA, manipulating an unsuspecting employee over Slack into resetting a password that ultimately allowed them to access game source code.
Password recovery is indicative of an unprecedented continuity issue facing many areas of the permanent hybrid workforce: How does an organization ensure that processes are both uniform and as secure as possible for both the in-office and remote parts of the hybrid workforce? And how can they do so without overburdening their already-strained IT helpdesks?
Creating a culture of proper password security
Many IT leaders have a lingering misconception that creating and implementing strong password policies takes a lot of work for little reward. Many also don’t realize the scope of the problem caused by poor password hygiene among employees or the potential cyber threat.
However, password security has grown more end-user-friendly in recent years. Additionally, expert guidance and security software can help IT leaders secure their organizations more easily than ever before. So, there’s no reason to be wary of creating strong password policies: organizations can implement this necessity today.
Specifically, there are three actions that IT security leaders should take to reinforce password security and guard against bad actors, all while ensuring permanent hybrid workforce continuity.
First, instituting a sound password policy can help safeguard remote and on-premises workers alike. Organizations such as the National Institute of Standards and Technology (NIST) have issued best practices for creating strong passwords that organizations can reference, including:
- Setting a minimum password length of 8 characters while encouraging the use of longer passwords
- Allowing space characters in passwords so that users can use phrases as passwords
- Screening new passwords against a breached-password list and against lists of specific words or phrases to avoid (such as the organization’s name)
Additionally, the Cybersecurity Maturity Model Certification has also issued password security guidance for organizations to implement:
- Don’t allow password reuse for several generations
- Permit temporary password use for logging onto systems, but require an immediate change
- Only store and transmit cryptographically protected passwords
Other risk-reducing best practices organizations should consider include:
- Eliminating the use of common password construction patterns
- Supporting user-oriented features such as passphrases (longer passwords that are memorable) and length-based password aging, which rewards users who choose longer, stronger passwords with less frequent password expiration
- Continuously blocking the use of leaked passwords
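As an added example that is not part of the original article, the policy rules above (minimum length of 8, spaces permitted for passphrases, screening against a breached list and organization-specific terms, no reuse across recent generations, and storing only cryptographically protected passwords) can be implemented in a single screening routine. The breached-password set, the banned terms and the five-generation reuse window are constructed sample values, not drawn from any real feed or from the article.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the article): a tiny stand-in for a breached-password
# feed (stored lower-case) and a hypothetical organisation's own name to block.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2021"}
BANNED_TERMS = ("acmecorp", "acme")   # hypothetical organisation name, longest first
MIN_LENGTH = 8                        # NIST minimum cited in the article
HISTORY_GENERATIONS = 5               # reuse window; an assumed value
PBKDF2_ROUNDS = 200_000               # work factor for the stored digest


def hash_password(password, salt=b""):
    """Return (salt, digest): only a salted PBKDF2-HMAC-SHA256 digest is ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate against a stored (salt, digest) pair."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_password(candidate, history=()):
    """Return the list of policy violations; an empty list means the password is accepted.
    Spaces are deliberately allowed so users can pick passphrases."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    if lowered in BREACHED_PASSWORDS:
        problems.append("appears in breached-password list")
    for term in BANNED_TERMS:
        if term in lowered:
            problems.append(f"contains blocked term '{term}'")
            break
    # Reuse check: compare against the stored digests of the last N passwords only.
    for salt, digest in list(history)[-HISTORY_GENERATIONS:]:
        if verify_password(candidate, salt, digest):
            problems.append(f"reuses one of the last {HISTORY_GENERATIONS} passwords")
            break
    return problems


if __name__ == "__main__":
    for pw in ("Acme2021!", "welcome1", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw) or "accepted")
```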
Secondly, as part of the broader password strategy, creating and enforcing an end-user verification policy for IT help desks can help IT leaders guard against scams such as employee impersonation. This policy should combine employee awareness training with technology, so that the two serve as a dual defense against complex attack techniques. It should also let users reset their passwords with MFA from anywhere, on any device, while giving clear feedback on the password policy rules to reduce repeated failed change or reset attempts.
Finally, equipping IT helpdesks to handle both in-office and remote work issues can strengthen the “hybrid” part of the hybrid workforce. Implementing a self-service password solution for key recovery and user identification, for instance, could relieve IT helpdesks of some of their workload while also protecting password integrity from cyberattacks.
This new hybrid work environment represents a major paradigm shift in how we work and live. It’s easy to just focus on newsy issues like email and network security when implementing this transition. But password security represents a real threat to the new hybrid workforce. If IT leaders are to firmly establish permanent hybrid work as the new normal, they must focus on improving password security to protect their organizations and maximize continuity.
Darren Siegel, Senior Product Specialist, Specops Software