Ahhh, the joys of the internet:
For information workers, the internet has also enabled them to grab their work laptop, jet off across the world and get their work done from virtually anywhere.
Sounds perfect … for them.
You might not be quite as enthused about this location flexibility, though. It’s made geolocation security monitoring more complex — but also more important than ever.
In the old days (aka just a few years ago), most knowledge workers went to an office. They accessed all their applications, accounts and files from that one location.
But with the proliferation of remote work, that single-location status quo is rarely the case anymore. Employees work from home, coworking spaces, coffee shops, airports, hotels and more.
With all that movement, an increasingly important piece of any MSP’s job is to keep track of where clients’ end users log in from.
Not in a creepy way — just in a “trying to stop overseas hackers from stealing critical company info” kind of way.
Setting “approved” geolocations for all of your clients’ end users can be a huge boost to your cybersecurity monitoring. It provides a standard for what’s normal — so you can raise the alarm when something abnormal happens.
For example, within a given timeframe (say, one workday), you would expect end users to access all their SaaS applications or company files from the same location.
The problem is when they log into the company shared drive from their known location (in Florida), but then seemingly log in again five minutes later from Australia.
Unless they’ve figured something out about time travel … that’s probably a sign of a breach.
Many hackers have now mastered the art of being in two places at once — at least virtually — thanks to virtual private networks (VPNs).
Let’s say a hacker in Germany is trying to attack the account of an executive who works for a Silicon Valley tech company.
That hacker may be in their dungeon office in Berlin. But when they use a VPN, the login looks like it’s coming from San Francisco.
If anyone were monitoring login records at that company, this wouldn’t look unusual. So the hacker skates right into the executive’s account and starts exfiltrating data.
On the flip side, maybe that Silicon Valley exec has family in Germany — so they actually were logging in from Berlin on their company laptop.
Hmmm.
Here lies the problem with using geolocation alone as an indicator of attack. This monitoring should happen in tandem with approved device monitoring.
If a login happens in an unapproved location and via an unapproved device, it’s likely a sign of account compromise.
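Here is the combined check the paragraphs above describe, as an added example in Python (not SaaS Alerts' code): an impossible-travel test between a user's consecutive logins, plus approved-location and approved-device allowlists, so that a strange place on a known laptop is only flagged for review while a strange place on an unknown device (or "time travel") is treated as likely compromise. The speed and radius thresholds, the user, the device ids and the login records are all assumptions constructed for the demo.

```python
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import NamedTuple

# Hypothetical thresholds (assumptions, not product settings): no legitimate user outruns an
# airliner, and "near home" means within 100 km of an approved location.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0
HOME_RADIUS_KM = 100.0

class Login(NamedTuple):
    user: str
    ts: datetime      # timezone-aware UTC
    lat: float
    lon: float
    device_id: str    # identifier from your MDM/EDR device inventory

def haversine_km(lat1, lon1, lat2, lon2):  # great-circle distance in km
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(prev, cur):  # would reaching cur from prev need an implausible speed?
    hours = (cur.ts - prev.ts).total_seconds() / 3600
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    return dist / hours > MAX_PLAUSIBLE_SPEED_KMH if hours > 0 else dist > 0

def classify(login, prev, approved_locs, approved_devices):
    near_home = any(haversine_km(login.lat, login.lon, la, lo) <= HOME_RADIUS_KM for la, lo in approved_locs)
    known_device = login.device_id in approved_devices
    if (prev is not None and impossible_travel(prev, login)) or (not near_home and not known_device):
        return "likely-compromise"   # "time travel", or unknown place AND unknown device
    if not near_home:
        return "review"              # unknown place but the user's own enrolled laptop: travelling?
    return "normal"

def analyze(events, approved_locs, approved_devices):  # returns (user, ts, verdict) in time order
    verdicts, last = [], {}
    for login in sorted(events, key=lambda e: (e.user, e.ts)):
        prev = last.get(login.user)
        verdicts.append((login.user, login.ts, classify(login, prev, approved_locs[login.user], approved_devices[login.user])))
        last[login.user] = login
    return verdicts

# Constructed sample data: one exec with an approved San Francisco home office and one enrolled laptop.
APPROVED_LOCS = {"exec@example.com": [(37.77, -122.42)]}
APPROVED_DEVICES = {"exec@example.com": {"laptop-0001"}}
U, T = "exec@example.com", lambda d, h, m: datetime(2024, 3, d, h, m, tzinfo=timezone.utc)
SAMPLE_LOGINS = [
    Login(U, T(4, 9, 0), 37.77, -122.42, "laptop-0001"),  # San Francisco, own laptop
    Login(U, T(4, 9, 5), -33.87, 151.21, "unknown-9f3"),  # Sydney five minutes later, unknown device
    Login(U, T(6, 9, 0), 52.52, 13.40, "laptop-0001"),    # Berlin two days later, own laptop
]
```

Running `analyze(SAMPLE_LOGINS, APPROVED_LOCS, APPROVED_DEVICES)` yields normal, likely-compromise and review for the three logins in order, which is the distinction between the Sydney "time travel" and the Berlin family visit that the text draws.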
Try to avoid false alarms in the first place: Okay, duh. But proactivity is important. Communicate regularly with your clients about who’s traveling where so when that random login shows up from Dominica, you’ll know it’s just Devon from marketing taking his vacation. (Lucky him.)
Conduct regular geolocation audits: Beyond just keeping tabs on people’s vacations, you should frequently review where everyone’s “home offices” are. People move, join coworking spaces, etc. The more you know, the less time you’ll spend chasing your tail when Jamie from accounting starts logging in from her new home office across state lines.
Establish incident response protocols: Even with security measures in place, sometimes a breach will happen. Once you see a login from an unapproved location, you (and your whole team) will know exactly what to do next — from locking the account to notifying the client.
If someone is hacking into your customer’s account, SaaS Alerts can help you at three different stages of the breach:
Prevention: Easily specify approved geolocations for any end-user account. Stay in regular communication with your customer about whether their employees plan to move or travel — then hop back into SaaS Alerts to make the switch.
Early detection of unauthorized location access: SaaS Alerts provides continuous event analysis and security alerts so you can easily keep tabs on when something (or somewhere) is wrong.
Automated remediation: Set up specific indicators of compromise — for example, an account logs in from an unapproved geolocation and from an unapproved device. Then, set up automations for what needs to happen afterwards. (Access denied!)
When you can rely on SaaS Alerts’ automations to do the initial work of kicking out a hacker, that takes the pressure off you to be online all the time.
Because as awesome as the internet may be, you still need a break, especially from chasing hackers.