
Remote work, MFA and identity risk: what teams missed in 2020


(@nhi-mgmt-group)

TL;DR: Remote work, MFA adoption, cyberattacks and regulatory pressure shaped 2020, according to Axiad, while SolarWinds and FireEye showed how persistent compromise can escalate across agencies and enterprises. The bigger lesson is that authentication controls alone do not close identity attack surface when access, device trust and lifecycle governance lag behind.

NHIMG editorial — based on content published by Axiad: The Major Cybersecurity Themes of 2020

By the numbers:

Questions worth separating out

Q: Why do remote work models increase identity risk for IAM teams?

A: Remote work expands the identity trust boundary beyond managed office networks, so IAM teams must account for home networks, personal devices and inconsistent access conditions.

Q: When should organisations treat MFA as necessary but not sufficient?

A: Organisations should treat MFA as necessary but not sufficient whenever users can still recover access through weaker routes, reuse credentials or operate on unmanaged devices.

Q: How do security teams know whether zero trust is actually improving access control?

A: Security teams know zero trust is improving access control when access decisions are continuously evaluated, exceptions are rare and recovery paths do not bypass policy.

Practitioner guidance

  • Eliminate fallback password recovery paths that bypass MFA. Audit temporary password issuance, email-based resets and help-desk exception flows.
  • Tie remote access to verified device and session conditions. Require device checks, session policy and conditional access enforcement for remote users instead of relying on authentication alone.
  • Map MFA controls to audit evidence and exception handling. Document where MFA is mandatory, where exemptions exist and how those exemptions are approved and reviewed.

What's in the full article

Axiad's full blog post covers the historical detail this post intentionally leaves for the source:

  • A year-by-year recap of 2020 cybersecurity themes, including remote work, MFA and regulatory pressure
  • The article's discussion of SolarWinds and FireEye as the most consequential breach narrative of the year
  • The original commentary on remote workforce adoption, including how many CIOs expected growth early in 2020
  • Axiad's framing of how CMMC and PSD2 affected authentication planning in defence and payments

👉 Read Axiad’s analysis of the major cybersecurity themes of 2020 →
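
One way to run the audit described in the practitioner guidance above, as an added example that is not part of the original post or Axiad's article: it scans identity-provider events for logins that skip MFA shortly after a recovery flow, logins from unmanaged devices and help-desk exceptions with no approver. The event schema, field names and sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Hypothetical event schema; field and type names are assumptions, not a vendor format.
RECOVERY = {"email_reset", "temp_password", "helpdesk_exception"}

# Constructed sample events for illustration.
EVENTS = [
    {"ts": "2020-12-01T09:00", "user": "alice", "type": "login", "mfa": True, "managed_device": True},
    {"ts": "2020-12-01T10:00", "user": "bob", "type": "temp_password", "approved_by": "helpdesk-7"},
    {"ts": "2020-12-01T10:05", "user": "bob", "type": "login", "mfa": False, "managed_device": True},
    {"ts": "2020-12-02T08:00", "user": "carol", "type": "helpdesk_exception", "approved_by": None},
    {"ts": "2020-12-02T08:30", "user": "carol", "type": "login", "mfa": True, "managed_device": False},
    {"ts": "2020-12-03T11:00", "user": "dave", "type": "email_reset"},
    {"ts": "2020-12-05T11:00", "user": "dave", "type": "login", "mfa": True, "managed_device": True},
]

def audit(events, window=timedelta(hours=24)):
    """Return sorted (user, finding) pairs for recovery and device-trust gaps."""
    findings = set()
    last_recovery = {}  # user -> (timestamp, recovery type)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["type"] in RECOVERY:
            last_recovery[user] = (ts, ev["type"])
            # Exceptions must carry an approver so they can be reviewed later.
            if ev["type"] == "helpdesk_exception" and not ev.get("approved_by"):
                findings.add((user, "unapproved_exception"))
        elif ev["type"] == "login":
            # Device trust is checked independently of how the user authenticated.
            if not ev.get("managed_device"):
                findings.add((user, "login_from_unmanaged_device"))
            # A login without MFA soon after a recovery flow means the flow bypassed MFA.
            rec = last_recovery.get(user)
            if rec and ts - rec[0] <= window and not ev.get("mfa"):
                findings.add((user, "no_mfa_after_" + rec[1]))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit(EVENTS):
        print(user, finding)
```
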




   
(@mr-nhi)
 

MFA without lifecycle and policy discipline is an incomplete identity control. The article shows that organisations can deploy MFA and still leave risky fallback paths in place, especially for remote users who need temporary access fixes. That means the control is being treated as a login feature rather than a governance layer. Practitioner conclusion: identity assurance has to cover authentication, exception handling and access retirement together.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity governance starts from incomplete inventory data.

A question worth separating out:

Q: What should IAM leaders prioritise after a year of remote work expansion?

A: IAM leaders should prioritise reducing authentication shortcuts, tightening device trust and documenting access exceptions. Remote work makes access control a moving target, so the programme needs stronger governance over how users recover, how sessions are verified and how quickly risky access is removed.

👉 Read our full editorial: 2020 cybersecurity trends exposed identity gaps in remote work



   