In the wake of the COVID-19 pandemic, organizations responded by rapidly transitioning from on-site to remote work. This opened the door to malicious actors, increasing their phishing and social engineering attacks. By embedding malicious files into COVID-19 email themes, cybercriminals have been targeting anxious users. Compounded with user anxiety, remote work raises success rates for attacks involving credential fraud, leaving mission-critical systems and data of organizations at risk.
Identity and Zero Trust Access Governance: The Starting Point
Security analysts have, time and again, said that the perimeter is shifting away from traditional controls such as firewalls and concentrating on user access implementation. The transition to a truly remote workforce due to the Coronavirus pandemic, for many organizations, increases the significance of access governance frameworks that protect data. When infected by malware, any of those devices used by employees while working remotely can lead to a system-wide attack.
To speed up protection, organizations need to find a way to shift towards a Zero Trust model, one that verifies and never trusts. This ensures the identification of all computers, users, software, and data in the organization. Then work towards the establishment for each of those categories of appropriate controls.
It may be easier to identify people, computers, and data for organizations that have a mature cybersecurity strategy since that information is already included in risk assessments. To speed up a Zero Trust policy and add contextual factors such as location, time of day, and application to restrict user activity, organizations may take advantage of current identity and access controls.
Applying Adaptive Multi-Factor Authentication (MFA)
Organizations using adaptive MFA can apply those contextual controls to modules within applications. MFA acts as the key for unlocking access to apps, but even inside that access, organizations need to have additional access control layers.
Organizations can use contexts to usher in inter-application MFA, for example, time of day or location. The adaptive MFA ensures that the users are who they say they are by having this additional authentication, rather than implicitly trusting them.
This increased level of access protection prohibits the use of compromised credentials by malicious actors in the organization’s Software-as-a-Service (SaaS) environment. It could be necessary for cybercriminals to obtain access to the application. Nevertheless, the extra security layer that comes with the use of adaptive MFA across sensitive data and applications guarantees that the organization adds another “gate” that needs to be opened, thereby protecting the information by restricting abnormal access.
Applying Data Masking
Organizations also think encryption serves as an unfailing security technology. The data is threatened by an incorrect implementation or intruder capable of cracking the algorithm.
Another layer of security is added against stolen credentials by implementing data masking by incorporating contextual controls to restrict what information is available to a user. And when a cyber-intruder gains access to an application, geographic location-based data masking, by rendering the sensitive data “invisible” to them, protects sensitive data.
As a means of “protecting from over-the-shoulder” threats when users are in public places, many organizations suggest masking data. Even with the almost entirely distant workforce, however, data masking can provide a much-needed additional level of security as a social distancing strategy.
Since companies are trying to protect data from attacks through social engineering, they need solutions that help protect the identity perimeter. Adding additional network-level security layers will no longer work as more organizations turn to remote work either as a preventative measure for Coronavirus or to minimize costs in the longer term.
Data security solutions are now available that allow organizations to enhance their identity and access governance mechanisms dramatically and protect their mission-critical ERP applications. They provide control and visibility, which in traditional ERP applications such as PeopleSoft and SAP are fundamentally lacking. Using these data security tools, organizations can build contextual access policies and fine-grained data protection controls and monitor user access as a way to prevent potential credential theft.