HR Tech Startup Reduces Threat of Phishing with Beyond Identity

Company Overview

A growing startup in the HR software industry helping organizations with their performance needs with around 700 employees.

Challenge

The Senior Director of IT and Security for a San Francisco-based software startup was responsible for establishing a comprehensive security program for the company, to include risk assessment, SOC 2 certification, and external penetration tests, with a goal of reducing risk exposure.

The program would also have to be scalable. The company had successfully grown from 70 to 240 employees with only one dedicated IT person, then further expanded to 700 employees supported by a small IT staff. As the company continued to grow, it also experienced an increase in contractors using non-corporate devices and no way to prohibit employees from using personal devices.

If the company experienced a breach of their SaaS systems, a bad actor could potentially get into Salesforce, extract customer lists, send fake invoices and spam, insert malware, or cause other detrimental outcomes. A penetration test revealed a relatively low number of employees falling for phishing attempts, but “it only takes one,” the Director of IT said, to make for a very bad day. “We wanted to get to the root cause and take away passwords. If there’s no password, there’s nothing to be phished.”

Solution

The Director of IT is a strong believer in win/win solutions for both security and the user experience. Making security easy for the user is a key factor in reducing the attack surface and making the company less exploitable. He also wanted the ability to enforce device policies without using mobile device management (MDM), which employees often resist. After researching potential passwordless authentication solutions, he contacted Beyond Identity about Secure Workforce.

“We got to see the Beyond Identity solution and how it actually works in the first call, without a lot of sales BS,” said the Director of IT. “The passwordless authentication really is a win/win, and the ability to check device posture is key. We don’t want non-corporate devices logging in to Okta.”

The company scheduled a proof of concept. “We had a dedicated Slack channel for any questions, and they got answered very quickly,” the Director of IT said. “The POC was a very pleasant experience in a non-pushy way. It was a good fit for us.”

Results

“It’s been a game-changer for our employees and enabled us to disable the password manager in browsers,” the Director of IT said. “They go to Okta, and they get logged in—it’s just a very seamless experience.”

The company first rolled out Secure Workforce to a test group, who were “blown away” by the passwordless experience. “It’s been a game-changer for our employees and enabled us to disable the password manager in browsers,” the Director of IT said. “They go to Okta, and they get logged in—it’s just a very seamless experience.”

After the initial test group, the company pursued an aggressive rollout to the entire company, achieving 93 percent enrollment within three weeks. “Usually, people do something right away or don’t do it at all,” the Director of IT said. “We sent multiple reminders and then started locking down apps for people who weren’t enrolled. We knew it worked and just wanted to get the enrollment completed because we have limited resources.” Since the vast majority of employees loved the passwordless experience, there was little to no pushback.

The ability to check device posture also ensured the company could enforce rules, such as only allowing corporate devices to log in to Okta. And with the uptick in contractors without corporate devices, the IT department can create rules enforcing laptop encryption, antivirus installed, OS up to date, and other protocols depending on what resources they need to access. “We don’t want a contractor to work on a laptop that’s not encrypted, and there’s no excuse for not doing that anymore,” the Director of IT said.

The IT department operates on the assumption that a breach will eventually occur, but the goal is to mitigate the impact by reducing the blast radius to the smallest area possible. “Perimeter security is collapsing, if not dead,” the Director of IT said. “The endpoint is the new perimeter.” Beyond Identity Secure Workforce is a foundational tool for securing those endpoints.