Career advice, insights & tips for HR professionals
Remote working: how to ensure network security
20/10/2009
Businesses of all sizes are facing increasing pressures to introduce more flexible working practices for their staff. In doing so, companies need to manage their remote workforce in a way that minimises the risks involved.
- Managing a growing remote workforce
- Facing up to the risk of remote working
- What’s wrong with static passwords?
- Hacking, ID theft and authentication
- The Benefits of two-factor authentication
- The server-based approach
- The hosted alternative
- Token flexibility
- Ensuring business continuity
- Looking ahead - peace of mind
Managing a growing remote workforce
Businesses of all sizes are facing increasing commercial, environmental, regulatory and social pressures to introduce more flexible working practices for their staff. Yet remote working brings with it new network security concerns. Companies may recognise that they have to move in this direction, both in response to these ongoing pressures and as part of specific business continuity initiatives such as pandemic planning. The key question is how to manage their growing remote workforce in a way that minimises the risks involved - and doesn’t break the bank.
Facing up to the risk of remote working
Businesses are rightly concerned about the risks of hacking and data loss in the face of increased remote working – when travelling, at home or other remote locations – requiring increased remote access to the corporate network.
There are two primary risks to be borne in mind here. Direct risks are the more obvious transactional threats of stealing money or data in an unauthorised way for financial gain. Yet the greater threat for many companies is the indirect risk of loss of trust in the brand, which strikes right at the heart of the business.
The concept of securing remote access on the web is not new. At the same time, it's not difficult to keep 99.99% of hackers out of the corporate network, if the business takes a few simple and well-documented precautions.
What’s wrong with static passwords?
Fifty years ago, in the days of huge mainframe computers, static passwords were used more as a means to identify individual programs or data rather than as an aspect of security. And in this they were perfectly adequate. However, though the underlying technology has remained fundamentally unchanged, in today’s remote, web-based world things are very different.
In an environment in which unauthorised access no longer requires specialist hacking expertise but can be achieved by an eight-year-old of average intelligence, or by utilising information freely available on social networking sites, static passwords offer a totally inadequate level of protection. (And how many staff make a bad situation worse by writing complex or random passwords down and sticking them to the side of the monitor because they cannot remember them?)
As a result, the concept of two-factor authentication (2FA) - the use of two different elements in conjunction to prove a user’s identity - evolved to provide greater authentication assurance.
For many businesses, the reason why they did not switch to a stronger form of password protection was simple: historically, two-factor authentication (2FA) was costly and time consuming to implement and so remained the exclusive domain of large corporates with big budgets and IT teams. However, technology has moved on and any business can now ensure the highest level of remote access security at an affordable cost.
Hacking, ID theft and authentication
There are many different ways of attacking a company’s network. In response, most businesses have put in place firewalls and anti-virus defences. The result is that, for hackers, ID theft and authentication now represent the ‘lowest hanging fruit’ in attacking a network.
The way to prevent this form of ID theft is to provide those staff who validly need to get onto the network with credentials that make it much more likely they are who they say they are – an issue that becomes more problematic if you are dealing with them electronically on the other side of the world rather than face-to-face. And herein lies the weakness of a VPN, which otherwise does an excellent job of encrypting data between two points, such as when an employee working at home wishes to access your corporate data. The VPN creates a secure tunnel that a hacker finds very hard to penetrate, and whose encryption is very hard to break.
The problem is, the hacker doesn’t have to. In the case of an online banking transaction, for example, if by stealing a customer’s ID a hacker can persuade the bank that they are that customer, the bank will readily respond to a request such as transferring money from one account to another.
The Benefits of two-factor authentication
Unlike static passwords, 2FA requires users to have both a token generating a One Time Password (OTP) and a secret PIN. The token acts as the key to the network, creating a new password each time the user logs on, and the PIN validates that the user is the rightful owner of that token. As a result, 2FA adds a crucial layer of security that makes the system near foolproof, as a new password is generated for each new log-on and each password will only work once. This ensures that passwords cannot be stolen, shared or forgotten.
The latest 2FA solutions act as a simple, cost-effective and powerful ‘gatekeeper’ that enables the business to take control of their online assets, making them available in a networked world fully confident that only authorised users will be able to gain access.
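The token-plus-PIN check described above, as an added example that is not part of the original article or of any CRYPTOCard product: a server-side validator (assumed names `hotp` and `OtpValidator`) that requires the PIN alongside the OTP and consumes each OTP on use, so a replayed code is rejected. The article names no token algorithm; RFC 4226 HOTP is assumed here as a representative event-based one.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 event-based OTP (assumed token algorithm, not named in the article)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpValidator:
    """Hypothetical server-side check: PIN (knowledge) + OTP (possession), each OTP usable once."""

    LOOKAHEAD = 10  # tolerate token presses that never reached the server

    def __init__(self) -> None:
        self.users: dict = {}  # username -> {"secret", "pin", "counter"}

    def enroll(self, user: str, secret: bytes, pin: str) -> None:
        # counter -1 means no OTP accepted yet; the token's first code is counter 0
        self.users[user] = {"secret": secret, "pin": pin, "counter": -1}

    def authenticate(self, user: str, pin: str, otp: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        pin_ok = hmac.compare_digest(pin, rec["pin"])
        # Only counters strictly after the last accepted one are tried, so an
        # OTP that was already used (or any older one) can never match again.
        for c in range(rec["counter"] + 1, rec["counter"] + 1 + self.LOOKAHEAD):
            if hmac.compare_digest(hotp(rec["secret"], c), otp):
                rec["counter"] = c  # consume the OTP even if the PIN is wrong:
                return pin_ok       # one presented code buys one attempt at most
        return False


if __name__ == "__main__":
    v = OtpValidator()
    v.enroll("alice", b"12345678901234567890", "4321")  # RFC 4226 test secret
    print(v.authenticate("alice", "4321", hotp(b"12345678901234567890", 0)))  # True
    print(v.authenticate("alice", "4321", hotp(b"12345678901234567890", 0)))  # False, replay
```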
The server-based approach
The term 2FA implies a single solution, yet this is far from the case. Most modern platforms include a variety of authentication methods designed to suit different budgets, levels of security and types of user experience required.
For those businesses that prefer to manage authentication in-house, server-based password validation solutions will be more appropriate. Though the underlying robust technology is well-proven and has remained fundamentally unchanged over many years, the more recent development of automated provisioning and new types of software and SMS-based tokens has made strong authentication much cheaper and easier to implement and administer.
The latest solutions include a complete suite of applications designed to implement and operate strong passwords using 2FA to enable efficient password validation. The server acts as the authentication component, typically securing remote access, domain and desktop logon or web portal access, in protecting the network from unauthorised access.
The hosted alternative
Yet for smaller businesses in particular, the emergence of a managed service is proving especially attractive. This provides all the security of a server-based 2FA solution; however, as a cloud-based, Passwords-as-a-Service (PaaS) solution, it delivers on-demand strong authentication services, securing all network access points without the need for upfront investment, integration of expensive servers or ongoing support overhead.
The key here is simplicity. When users wish to connect to the corporate network over a VPN, they are asked to identify themselves using their unique OTP and PIN. This request is then sent to the hosted service – located in secure multi-national data centres – which then authorises the user to access the network.
The hosted service also provides a simple-to-use portal which provides all the functionality required to allow the service provider or end user customer to set up the system, allocate and deploy tokens and manage the ongoing process of adds, moves and changes.
Token flexibility
No matter how beneficial an authentication solution is on paper, it will not be readily accepted by individual users unless it is easy to use and is appropriate to the way they work. And here, the development of a wide range of token types, which can be ‘mixed and matched’ within the business, offers the flexibility needed to fit with both the needs of the business and the working practices and lifestyles of its staff.
Hardware tokens, such as a key fob or calculator style token, are generally recognised as the most robust form of strong authentication and are ideally suited to high-risk environments where containing fraud is of greater concern than the cost of the token.
Software tokens are incorporated onto the computing device itself, such as a desktop or laptop. Intelligent software tokens are also available on smart cards and USB devices and can provide a range of additional security benefits, such as physical access authentication when integrated with door access control systems.
Most recently, the introduction of SMS tokens offers even greater flexibility, as they do not require software to be physically installed on the authentication device. By pushing OTPs on demand to a mobile or BlackBerry device, users can authenticate to the network anytime and anywhere.
Ensuring business continuity
As businesses come under growing commercial and regulatory pressure to maintain compliance and full security in times of crisis - in response to natural disasters such as flooding, or man-made interruptions including train strikes or city centre bomb attacks - 2FA solutions are now emerging that significantly reduce network access risk during a business disruption.
Disaster recovery and 'in case of emergency' (ICE) planning often involves an increase in the number of staff working from home or other remote locations. To ensure the network stays secure, users can adopt secure, on-demand ICE strong authentication as part of a server-based or hosted solution.
This operates by allowing the business to secure the log-in process for staff on those occasions when they have to work remotely, by maintaining a pool of ‘frozen’ software or SMS 2FA tokens that can be ‘defrosted’ and issued to users within minutes.
Looking ahead - peace of mind
Just as the nature of the risk to corporate networks has changed dramatically over the past 50 years, so the level and range of protection solutions available to mitigate that risk has never been greater.
The highest levels of protection are now equally available to businesses of whatever size and the continuing emergence of more flexible token types will meet the growing demand for easy-to-use authentication in a wide variety of remote environments.
So where next? The ability of cloud-based solutions to reach out across multiple portals and applications will also provide the ideal platform for such appealing concepts as ‘Federated ID’. This development will provide the ultimate in flexibility, by allowing an individual user to use the same token for access to their own home shopping account as well as in their business dealings.
Jason Hart, senior vice-president Europe, CRYPTOCard
Jason Hart joined CRYPTOCard in March 2006. With a background in ethical hacking Jason brings more than seventeen years of information security experience and a unique perspective to the business.