Having employees work in multiple locations has long presented challenges for both physical security and cybersecurity. The pandemic has amplified the risks but also raised awareness of the issue. Today’s employees, as well as contractors, can work pretty much anywhere—but still expect uniform, streamlined access to physical and virtual resources. Legacy identity management and access control systems are straining under the new reality.

Accelerating Trends in Multi-Location Workforces

If you drive on the Interstate, you’ll see branch offices of major corporations set off to the side of the road. What you may not realize is that even before the pandemic, a lot of these offices were half empty. Fewer employees are regularly showing up at their official workplaces. Instead, they might be on the road or getting their work done at shared office space facilities. They might be working from home.

The pandemic greatly accelerated these trends. The traditional “badge in” to enter the premises and start the workday is no longer a constant for the multi-location workforce. Indeed, many of today’s work sites lack coherent physical access controls—certainly not anything that’s easy to track.

The nature of the workforce is evolving in parallel. A business may employ some full-time employees, but supplement them with in-house contractors, off-site contractors and vendors, such as advertising agencies. Some of the people in this hybrid workforce will need a mix of physical and virtual/systemic access to corporate resources.

Security Risks in Multi-Location Workforces

If you’re an executive, you have a fiduciary duty as a corporate officer to protect the shareholders’ assets from risk. This includes protecting intellectual property assets, which are now almost always digital, along with more familiar digital assets like databases, applications and networks. You’re also tasked with defending physical assets like office facilities and equipment.

Cyber and physical security, once separate areas of responsibility, are increasingly merging. For example, if a former employee enters a corporate site and removes a laptop with working network access credentials, he or she has just compromised both the physical and cyber domains. Alternatively, if a Wi-Fi password is taped to the wall, an uninvited visitor can log onto the network.

Risks include data breach and digital vandalism. A malicious actor can steal equipment or abuse the phone system. Safety can be an issue, too, if the site owner does not know who is on the premises. If an employee is assaulted while on-site, that can create liability and reputational damage for the business.

The source of vulnerability is usually a lack of uniform, economical control over physical access—combined with a concurrent lack of visibility into network access. The attacker may be able to enter the premises undetected. Oftentimes, the vulnerability arises out of a grey area in identity and access control. The attacker might be someone who has some authorization to be there but is abusing the privilege, e.g., a contractor who uses a shared password to log into an administrative workstation that he has taken home without permission. 

Practical Considerations

Mitigating risks inherent in a multi-location workforce may come down to practicalities. It can be administratively burdensome to track access to facilities, networks and data assets. Doing so invariably means working with multiple systems that control physical access, network access and application security. When digital assets are in the cloud, administration becomes all the more challenging. There can be misalignment with other essential systems, such as Human Resource Management (HRM) solutions and procurement software that govern employment status and eligibility for access privileges.

With the proliferation of shared and alternative worksites, including the homes of employees and contractors, there is no more dependable “badge office” to issue physical access credentials. The variation in facility status compounds this issue. A company may own some of its sites, lease others and share others still. This translates into ambiguity over grants of physical access and irregularity in data reporting about access histories.

Emerging Solutions

New solutions are addressing the challenge of risk mitigation for multi-location workforces. The new approach is to unify and standardize physical access controls with employee ID credentials and virtual access privileges. The same digital identity can now provide access to physical sites, networks, applications and data. These solutions may pull identity data from Identity and Access Management (IAM) systems, which also integrate with HRM systems and the like.

The result is a dynamic identity provisioning capability. As an employee or contractor needs access, he or she is provisioned with a digital identity that can be centrally assigned, monitored and revoked. The solution may deploy the identity via a mobile device such as a smartphone.

The mobile implementation of dynamic identity provisioning has several advantages. It gets rid of all the badges, fobs and keycards and replaces them with a device that the employee almost certainly already owns—or that can be easily provided to them. With a single, centrally managed and monitored identity, it becomes possible to unify access control for all facility types. These facility types can be expanded to include ancillary locations like gyms, cafeterias and parking lots.

The business should then gain a higher degree of awareness of who is where, and when. Smartphones enable fine-grained location tracking. If a person enters a facility, the system will know how long he or she is there, and when he or she leaves—something that is nearly impossible to do with legacy physical access control systems. The person’s virtual activities, pegged to the same dynamically provisioned identity, are trackable in parallel.

Conclusion

A workforce spread out across multiple sites creates risk for an organization. Incomplete control over physical and virtual access leads to vulnerability. Insiders, former employees and external threat actors can steal data or otherwise damage corporate assets—without accountability or the organization even knowing what’s happening until it’s too late. Recent trends toward more widespread remote work and shared space make the risks more serious. A new approach, which involves dynamically generating user identities that can work for physical and virtual access, offers a way forward.