Work from home brings a new world of risks and opportunities. Addressing these risks means understanding several key processes and technologies, and work from home (WFH) can be an opportunity to improve your security posture now. Let’s explore some work from home security fundamentals that are a good place to start.
End User Security Training
End users are a critical link in the security of your information resources. Their actions can lead to real financial loss, and user actions are what most modern threats such as ransomware and phishing rely on: a clicked link, an opened attachment, or a password typed into a fake login page. Consistent and ongoing end user security training is a key element in defending your organization from such risks.
Secure your Networks
Enterprises invest heavily in securing their networks, but the same isn’t true of their workers’ home networks. Often there is insufficient scrutiny of the low end network devices that connect these workers to the Internet. Low end SOHO routers and modems from large ISPs and networking device manufacturers have a long history of security issues that are not fixed in a consistent and timely fashion, and many reach end of life without ever receiving a patch. These insecure devices can be a conduit into your enterprise unless you set standards for such hardware and actively manage it: at minimum, current firmware with automatic updates enabled, default administrator credentials changed, and remote (WAN-side) administration and UPnP disabled.
Modern IT environments are increasingly without the assumed security boundaries of the past. With WFH, users are not on a network you’ve segmented and locked down with layered security; they are on a network you shouldn’t trust, the Internet. They connect to resources on your corporate network via a VPN (or another secure remote access tool) and to a multitude of resources in the cloud. This requires that we build IT systems on the assumption of zero trust: every IT resource, local or cloud, is secured as if no network location is trusted, and each access request is authenticated and authorized on its own merits based on the user’s identity, the device’s health and the context of the request. Our security investments should align with porous, borderless networks and a multiplicity of devices. Zero trust should be a consistent assumption when building modern IT environments.
Compliance & Policy Matters
Compliance makes WFH more complex. If you work in a regulated industry that falls under HIPAA (Health Insurance Portability and Accountability Act), the EU GDPR (General Data Protection Regulation), the Payment Card Industry Data Security Standard (PCI DSS) or the CCPA (California Consumer Privacy Act), you must address new, ongoing risks with WFH. In much the same way, enterprise policies must keep pace with WFH realities. Policies should address the very real risks of work from home, and end users should have in-depth education on complying with them. WFH requires unique, ongoing training for users to keep these concepts top of mind.
Endpoints & BYOD
WFH users are often not issued corporate laptops and desktops, but instead use their own personal devices to connect to the office. These endpoints are often not actively managed or patched, may not run quality anti-malware and may not comply with your basic corporate security standards. A variety of cloud-based tools, from MDM to cloud anti-malware and cloud patch management, can go a long way toward addressing these ongoing risks. Virtual Desktop Infrastructure (VDI) and Desktop as a Service (DaaS) are promising alternatives to BYOD. DaaS is a desktop hosted in the cloud; it is cost efficient and secure, and it offers a desktop environment configured and controlled by your organization that closes many of your BYOD security gaps. One caveat: the hosted desktop is still driven from the personal device, so a keylogger or screen capture there can still observe the session. Pair VDI or DaaS with MFA and, where possible, a device health check before the session is allowed.
Secure your Data
Most organizations today are hybrid cloud: they have some on-premises resources and some in the cloud. This speaks to our earlier point about the urgent need to implement a zero trust model across the multitude of cloud and on-premises resources. Everyone from the IT team to end users needs to secure your sensitive data effectively wherever it exists. The thousands of data breaches that involve improperly stored, insecure and unencrypted data highlight this need. Having IT and end users understand how to secure your information resources is of paramount importance.
Multi-Factor Authentication
The password, or single-factor authentication, is legacy technology. Passwords are vulnerable to guessing, phishing, cracking and reuse across sites. Authentication systems secure users’ access to systems and data but are often easily exploited. MFA (sometimes called 2-step verification) is an approach to authentication that requires two or more of three authentication factors: a knowledge factor (“something only the user knows”), a possession factor (“something only the user has”) and an inherence factor (“something only the user is”). In practice MFA means the traditional username and password PLUS an additional factor in the form of a hard token (hardware tokens such as the Yubico YubiKey or Google Titan) or a soft token (software) such as Google Authenticator or Duo Security. Multi-Factor Authentication is the evolutionary step in this technology that helps keep a stolen or phished password from turning into an account takeover. Not all second factors are equal, though: one-time codes from SMS or an authenticator app can still be phished in real time by a proxy site that relays them, and push-based approvals can be worn down by repeated prompts, whereas FIDO2/WebAuthn hardware keys bind the login to the genuine site and resist both. We should embrace MFA, preferring phishing-resistant methods where we can, especially considering the current WFH imperative.
There’s much more to securing the work from home story, but this is an impressive start. How’s WFH going in your neck of the woods? What are some of your security challenges? Leave a comment below, we’re happy to hear from you. Need help with securing your WFH users, contact us today.