Security concerns associated with the Great Resignation
The term “The Great Resignation” was first coined in 2021, and the workforce management trends it refers to have continued this year – and likely will in 2023 and beyond. Organisations must find a way to fill the productivity gaps introduced by the Great Resignation. Increasingly, enterprises are turning to external consultants for help. Unfortunately, this practice can introduce new security vulnerabilities.
For example, if consultants use public or unsecured Wi-Fi for business, hackers can access the network. Ideally, encourage consultants to set up a Wi-Fi account to be used solely for their business, separate from the one they use for personal devices or other client work. Given their mobile nature, this is not always possible, but at a minimum, prohibit the use of public or unsecured networks. It’s also a good practice to require that consultants use their VPN to access files or systems if they are not physically in an office.
If companies fail to frequently audit access policies to ensure that external groups can only access the systems they need, this is another avenue that hackers can easily exploit. It’s also essential to immediately cut off access after parting ways with a consultant and periodically confirm that former contractors no longer have access. Ensure an established timeline for auditing access policies – and never allow it to slip.
Addressing password hygiene is another critical consideration. According to the most recent Verizon Data Breach Investigations Report, over 80 per cent of hacking incidents involved stolen credentials. And studies have repeatedly shown that at least 71 per cent of people reuse passwords. If just one of the sites associated with a reused password has been breached, then all other accounts protected by that password are also at risk.
With workforce management challenges on the agenda for 2023, it’s essential to implement policies and procedures addressing the inherent security vulnerabilities of the Great Resignation.
Exploring MFA weaknesses
Another critical IT security trend is hackers increasingly attempting to bypass multi-factor authentication (MFA). This has long been touted as a secure means of authentication – users must present two factors from independent categories of credentials to log in. But threat actors have found a way to get around this.
In August of this year, attackers guessed the password of a dormant Microsoft account and were able to apply their MFA to it, thereby gaining access to the victim’s network. This incident is just one example to underscore that threat actors are increasingly employing methods to bypass the second factor.
We can expect this to increase in the year ahead. All IT leaders should be aware of this threat and mandate additional protection around MFA to stay ahead of hackers. Do this by implementing strong device trust to limit or block access from unmanaged or unknown devices.
Adopting a risk-based viewpoint
Another item that should remain on your IT security agenda this year is shifting to a risk-based approach for evaluating business deals and vendor agreements. This could entail requesting data about the prospective partner or provider’s cybersecurity posture, event incidents, and cyber insurance coverage.
This approach helps organisations understand any cybersecurity risks posed by their partners and/or vendors so they can take necessary steps to ensure these don’t become an attack avenue for threat actors. Here are a few questions that can help you evaluate your relationships through a security lens:
- Is the organisation aligned with security compliance frameworks?
- Where and how is customer data stored, and is it segmented from company data?
- Are security technologies such as firewalls, endpoint security, asset visibility or SOC implemented?
- What internal measures exist to address the risk of insider threats, and staff training?
The answers to these questions will help determine the strength of a prospective vendor’s security foundation. Given the prevalence of third-party security incidents, always walk away if the responses are less than satisfactory.
Third-party risks are generally top of mind for IT and security teams but less so among other departments. As such, tech leadership must educate all stakeholders on viewing business relationships through a cybersecurity lens.
No substitute for planning
With just a few weeks remaining in 2022, addressing existing cybersecurity concerns is very important.
As the adage states, “There is no substitute for good planning.” Allocating time and resources to the mentioned areas will give your organisation a sure cybersecurity footing to navigate the new challenges 2023 will bring.