Updated: Jun 29, 2020
In this new normal, many workers are suddenly forced to work from home, and companies are asking: is this safe? First, let me burst a few bubbles. If you came looking for a quick one-size-fits-all work-from-home security solution that's perfect for everyone, then I'm sorry to disappoint you; this is not that kind of plug piece. Despite what the single-solution sellers may suggest, doing things correctly, with tolerable performance and minimal expense, requires some consideration.
Since companies, and their associated work roles, each have their own unique mix of sensitive data and applications spread across a great variety of places these days, the optimal suite of secure remote work solutions for one type of user may not be sufficient or appropriate for another.
With a little forethought and planning though, we can protect our work accounts and data, and achieve a fair measure of safety from the prying eyes and password thieves that could be (but probably aren't) lurking on your vulnerable home networks.
Let's start with one of the biggest security challenges teams are likely to face once they decide to figure out how to be productive and secure when working from home: the home office network.
Your Home Network
Let me start by saying that there is almost surely no one listening in to your home network traffic right now, even if it is riddled with security vulnerabilities. However, if you're now going to be logging on to work accounts or accessing company data while working from home, then it's a good idea to identify and plug at least some of the common gaps to 'harden' your home networks and computers against cyber threats in the unlikely event of an incident. After all, most of us could probably leave our front doors unlocked and not have a problem for a very long time, and yet most of us do recognize the wisdom of locking our doors as a precaution against an unlikely tragedy.
At your office network, you may have an IT department and/or outside company who monitors and patches vulnerabilities for all network connected devices. At home however, most of our devices don't get checked for security updates regularly, and the list of devices on our home network - and therefore vulnerabilities - is growing exponentially. Not only do our computers, tablets and phones connect, but so too now do our TVs, doorbells and thermostats, if not also our watches, refrigerators, home gyms and security cameras. Most of these device makers are pretty good about fixing security vulnerabilities and exploits as they're discovered on their products, but many of them still don't automatically apply those updates reliably. What's more, you don't know what kind of nasty bugs might be lurking on the computers and tablets that are used by your spouse, your mother-in-law, and/or your youngsters - what with all of the clicking and downloading of shiny objects that they're doing if they're anything like mine!
Not every device exploit allows for listening to or capturing all of your network traffic; some only allow a would-be attacker to learn a little more about other devices that they can control more fully, or simply to learn who you bank with, the names of your pets, or which organizations you're a member of. With that, they can create cleverly disguised custom emails to trick you into entering your account credentials on their website - which looks just like the one you're used to seeing - and then capture your password to try on 100 other sites and services.
Unfortunately, if we want to address these home network risks, we have to either become our own home network administrators and set reminders to diligently check all of our network connected systems for updates at least once per month, or we have to isolate the network systems that we use for work purposes to create secure work-from-home 'islands'.
One way to isolate our work traffic is to create a dedicated work-from-home network. You may be able to accomplish this by adding a new network to your existing home router. If your current router doesn't support this or if you feel like you could use an upgrade with additional layers of security, one of my favorite new devices for home networks is the Ubiquiti Dream Machine which includes an impressive range of features for under $300.
The Dream Machine, like many other Wifi routers, allows you to create a guest network that can be enabled and turned into a dedicated family/personal network. The Ubiquiti device also includes an intrusion detection and prevention (IDS/IPS) feature which most consumer routers do not. You can even reserve a dedicated amount of your home internet bandwidth for work purposes so your kids' streaming activities won't turn you into Max Headroom during that important video conference with your boss. Just be sure to enable WPA2 encryption and reset passphrases on any and all Wifi networks.
It is also a good idea to thoroughly secure your work-from-home communications, including end-to-end encryption for all work-related network connections via VPN or an otherwise secure remote desktop service. While we still have updates for the operating system, applications, anti-malware, drivers, and firmware to worry about (more on updates to come) on our work-from-home computer, at least it's just 1 system and not umpteen various IoT devices. Although, keeping your baby monitor and your new car up to date may be important to you anyway.
A quick word about VPNs: there are many different types, and some are not very secure (PPTP, for example). Connecting to a VPN also does not necessarily encrypt traffic to all destinations. For example, if you connect a VPN to your main office router or server, and then open a web page on the Internet from your home computer, that web traffic is probably not being protected by your work VPN (or, if it is, you probably have unnecessarily terrible performance).
Sadly, the quantity and sophistication of email scams are on the rise and regardless of how diligently we patch our computers and check our anti-malware logs, our efforts can quickly be undone by clicking the wrong link or attachment in an email. Some of these messages are merely annoying while others can capture your online banking credentials or turn your computer into a 'zombie' if they find a cooperative recipient.
One of the best defenses against malicious emails is for team leaders to regularly communicate the importance of being suspicious of every email. For those of us who dream of a Utopian society where everyone can be trusting and open to all, well, sadly, we're not there yet - so having a security-conscious mindset is rather a requirement to keep your team safe these days. If you really want to be serious about it, you can enlist online training modules and conduct test phishing email campaigns that can track and report on users that click things they shouldn't, and then follow up with additional training that can be assigned to those who need it.
However much you train though, there will still be a certain percentage who will click on the wrong links in messages. Many email services have some built-in message filtering that can be configured to be more restrictive which can help a little. Often the default settings err on the side of allowing more messages through to lessen the risk of having a VIP miss an important one, but of course that comes with the trade-off of allowing more bad actors to get through as well.
Advanced email filtering services powered by Artificial Intelligence (AI) can be a very effective additional layer of defense and can typically be added for just a few extra dollars each month these days.
Your Anti-malware/AV Service
The next layer of defense you have to minimize the fallout from accidentally clicking the wrong link in an email or web page is your anti-malware or antivirus (AV) software.
More important than the specific developer or service is that it is appropriately configured and that the service is running and updating properly. Unfortunately, sometimes these services or updates fail and they don't always let you know.
Being business or enterprise-grade generally means that the anti-malware agent provides management and reporting information to a central server to ensure things are working like they should and send alerts to your support team when things are out of alignment or when a malware detection occurs on any computer that touches your data.
The next risk to be concerned about - whether your team has corporate laptops or if they're allowed to use their own personal computers and devices - is related to ensuring critical security updates are being applied. As with the anti-malware service, a well protected workforce is able to receive alerts and run reports to confirm that devices that are used for work purposes (even home computers) are fully up-to-date.
Why? The reasons are myriad; but generally when vulnerabilities are discovered and reported on, the developers make updated code available to fix the flaw(s) and the hacker community sets about updating their code to make use of the new exploit - knowing that there will be systems that will be slow to apply the updates. This sets the clock ticking in a race between their efforts and your ability to apply those security updates to your device or software.
Sometimes these vulnerabilities are found in the Operating System (OS) software, other times it's the web browser that's at risk but it doesn't end there. You also have to worry about the firmware coded onto the chips of device hardware, as well as line of business applications, even the drivers that control your hardware. Not every exploit allows your passwords to be stolen or your system to be controlled. Frequently the concern is that it allows for a leak of seemingly innocuous information that can lead to some other information, and so on until it eventually leads to a more serious breach.