Investigating Logins from Unexpected Locations

How many locations have you worked from in the past month? Have you sent an email, reviewed a document, or posted something on your intranet from anywhere outside your office? I have. Every day.

Years ago, when work was mainly done from a central office, security teams could focus on a perimeter. Now that work happens everywhere, it's nearly impossible to tell from location alone whether a login from an unexpected place is a traveling employee or an attacker.

Action is everything

If it's a hacker, you've got one chance to catch them. You'll see their spray-and-pray password-guessing attempts arrive from Brazil, Egypt, Australia, the US; they constantly rotate their source location, even when they make no effort to hide what they're doing. But as soon as they guess correctly, they'll route through an address that looks like the employee's hometown and drop under the radar. So when you first spot a suspicious location, you have to act.

As a first line of defense, some organizations use an IP reputation service and automatically block addresses already flagged as malicious. That only helps against infrastructure that has already been seen attacking someone else; if your company is the first target, or the attacker uses fresh addresses, the list has nothing to offer.

Another option is simply to shut the door on every unexpected country; a perfect solution if everyone works in the same country. But for companies with international travelers, someone now has to change the whitelist every time an employee leaves the country. Plus, most IAM solutions don't support user-specific whitelists and blacklists, so when a door is opened for one person traveling to South Africa, it's open for the entire company.

To avoid that burden, some organizations leave access open to all locations, then call their employees every time they see something that doesn’t look right to them. Beyond the feasibility challenges this raises, the interactions themselves can create frustration on both ends.

Imagine you’re the one traveling. You’re on vacation in Australia, far from your home office in Ohio. After breakfast with your family you log in to check email. Twenty-five minutes later you receive a call from your company’s security team. “Are you in Australia right now?” they ask. You answer with, “How did you know? Are you tracking me or something?” Your family overhears, and now everyone is paying attention.

What was supposed to be a simple activity verification turns into an annoyance that sticks with you all day. But it’s a good thing you picked up the phone, because if you hadn’t, they would have locked your account, another nuisance that would have wasted time, making the security team seem like a burden.

Make investigations quick, easy, and non-intrusive

At a time when work happens everywhere, location investigations aren’t going anywhere. The key is to minimize the effort they take, limit their disruptiveness to your employees, and ensure each interaction makes your organization safer.

Designate a channel

Don't call. Use a pre-designated channel to reach out to employees. Set expectations that they'll hear from you via Slack in the channel AtoZSecurity, or via SMS from (123) 456-7891. You'll get quicker responses and it's easier on everyone. A fixed, announced channel also gives employees a way to recognize a genuine request from the security team, which makes them less likely to answer an attacker impersonating you through some other route.

If you really want to step up your game, let employees select their preferred channel. That will show them you want to work with them collaboratively.

Use empathy

Be precise with language. More than just refraining from an interrogation-style exchange, choose words that convey empathy and explain why their feedback is important. When employees believe in the greater cause, the safety factor, you’ll inspire them to support something they might not otherwise understand.

Pay attention to employee patterns

Learn how your employees work—and don’t forget. Security systems may continue to throw alerts about a suspicious login location, but you’ll quickly ruin a relationship if you ask someone multiple times about the same activity. Employees working from the road or a vacation home will log in repeatedly, and they don’t want a message from you every time.

Set up a system

Make it easy for employees to enter travel locations on their calendar and add home addresses to their profile. Most modern productivity suites let you view calendar entries that employees have made public.

The same is true for home locations in modern HR information systems. Checking these systems might allow you to skip the contact altogether while still maintaining a low-risk environment.

Automate communications

If you can, make communications automatic. This way you reach employees immediately—when their memory is fresh—and you won’t give hackers a head start. If you can’t check in with your employee for hours, it may already be too late.
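The last three headings describe one workflow: check the HR home location and the public travel calendar first, remember each confirmation so the same trip is not queried twice, and send the check-in automatically on the employee's designated channel. The Python below is an added example of that workflow, not code from the original post or from any particular product; the employee names, countries, IP addresses, channel names, dates and the 14-day acknowledgement window are all constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample context (hypothetical names, countries and dates; not real
# data): home country from the HR system, travel windows from public calendar
# entries, and each employee's preferred contact channel.
HOME_COUNTRY = {"alice": "US", "bob": "US"}
TRAVEL = {"alice": [("AU", datetime(2024, 3, 1), datetime(2024, 3, 14))]}
CHANNEL = {"alice": "slack:#AtoZSecurity", "bob": "sms:+15551234567"}

# Assumption: one "yes, that was me" silences further questions about that
# country for two weeks, so a traveller is not re-asked on every login.
ACK_WINDOW = timedelta(days=14)


def at(day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Timestamps for the constructed March 2024 scenario."""
    return datetime(2024, 3, day, hour, minute)


@dataclass
class Login:
    user: str
    country: str   # ISO country code resolved from the source IP
    when: datetime
    ip: str


@dataclass
class Triage:
    acks: dict = field(default_factory=dict)    # (user, country) -> ack expiry
    outbox: list = field(default_factory=list)  # (channel, message) to send

    def decide(self, login: Login) -> str:
        """Classify one login; queue an automated check-in only when needed."""
        if HOME_COUNTRY.get(login.user) == login.country:
            return "expected_home"
        for country, start, end in TRAVEL.get(login.user, []):
            if country == login.country and start <= login.when <= end:
                return "expected_travel"
        expiry = self.acks.get((login.user, login.country))
        if expiry is not None and login.when < expiry:
            return "already_verified"
        self.outbox.append((CHANNEL.get(login.user, "email"), self.compose(login)))
        return "ask_user"

    @staticmethod
    def compose(login: Login) -> str:
        """Plain, non-accusatory wording that says why a reply matters."""
        return (
            f"Hi {login.user}, this is the security team on our usual channel. "
            f"We saw a sign-in to your account from {login.country} at "
            f"{login.when:%Y-%m-%d %H:%M} UTC (IP {login.ip}). If that was you, "
            f"reply YES and we won't ask about {login.country} again for "
            f"{ACK_WINDOW.days} days. If it wasn't, reply NO and we'll lock the "
            "account right away. Thanks for helping keep everyone safe."
        )

    def confirm(self, login: Login) -> None:
        """Employee answered YES: remember it instead of asking again."""
        self.acks[(login.user, login.country)] = login.when + ACK_WINDOW

    def deny(self, login: Login) -> str:
        """Employee answered NO: drop any ack and hand off to incident response."""
        self.acks.pop((login.user, login.country), None)
        return "lock_account"


def run_scenario() -> list[str]:
    """Replay a constructed week of logins and return the decision for each."""
    t = Triage()
    events = [
        Login("alice", "US", at(2, 9, 0), "198.51.100.10"),   # at home
        Login("alice", "AU", at(5, 8, 30), "203.0.113.7"),    # on her calendar
        Login("bob", "AU", at(5, 9, 10), "203.0.113.8"),      # nothing on file
        Login("bob", "AU", at(6, 9, 5), "203.0.113.8"),       # same trip, next day
        Login("bob", "BR", at(7, 3, 15), "192.0.2.44"),       # new country
        Login("alice", "AU", at(20, 8, 0), "203.0.113.7"),    # trip ended 14 Mar
    ]
    decisions = []
    for e in events:
        outcome = t.decide(e)
        decisions.append(outcome)
        if outcome == "ask_user" and e.user == "bob" and e.country == "AU":
            t.confirm(e)  # bob replies YES on the designated channel
    return decisions


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

Running the block prints one decision per sample login: Alice's Australia logins during her calendared trip never generate a message, Bob is asked once and his YES suppresses the next day's login from the same country, and Alice is asked again once her trip has ended. In a real deployment decide() would be fed by the identity provider's sign-in log and the YES/NO replies would come back through the Slack or SMS integration; on a NO, also terminate the account's active sessions rather than only blocking new logins.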

Since so many breaches start with an impersonated login, just getting a handle on unexpected locations can give your company's security a huge boost. Logins are the new perimeter. What are you doing to keep yours secure?
