Updated: Jun 29, 2020
In this new normal, many workers are suddenly forced to work from home and companies are asking, is this safe? First, let me burst a few bubbles, for those that came looking for a quick one-size-fits-all work-from-home security solution that's perfect for everyone then I'm sorry to disappoint you, this is not that kind of plug piece. Despite what the single solution sellers may suggest, doing things correctly, with tolerable performance and minimal expense, requires some consideration.
Since companies, and their associated work roles, have their own unique mix of sensitive data and applications in such a great variety of different places these days, the optimal suite of secure remote work solutions for one type of user, may not be sufficient or appropriate for another.
With a little forethought and planning though, we can protect our work accounts and data, and achieve a fair measure of safety from the prying eyes and password thieves that could be (but probably aren't) lurking on your vulnerable home networks.
Let's start with one of the biggest security challenges teams are likely to face once they decide they want to figure out how to be productive and secure when working from home, the home office network.
Your Home Network
Let me start by saying that there is almost surely no one listening in to your home network traffic right now, even if it is riddled with security vulnerabilities. However, if you're now going to be logging on to work accounts or accessing company data while working from home, then it's a good idea to identify and plug at least some of the common gaps to 'harden' your home networks and computers against cyber threats in the unlikely event of an incident. After-all, most of us could probably leave our front doors unlocked and not have a problem for a very long time, and yet, most of us do recognize the wisdom of locking our doors as a precaution against an unlikely tragedy.
At your office network, you may have an IT department and/or outside company who monitors and patches vulnerabilities for all network connected devices. At home however, most of our devices don't get checked for security updates regularly, and the list of devices on our home network - and therefore vulnerabilities - is growing exponentially. Not only do our computers, tablets and phones connect, but so too now do our TVs, doorbells and thermostats, if not also our watches, refrigerators, home gyms and security cameras. Most of these device makers are pretty good about fixing security vulnerabilities and exploits as they're discovered on their products, but many of them still don't automatically apply those updates reliably. What's more, you don't know what kind of nasty bugs might be lurking on the computers and tablets that are used by your spouse, your mother-in-law, and/or your youngsters - what with all of the clicking and downloading of shiny objects that they're doing if they're anything like mine!
Not every device exploit allows for listening to or capturing all of your network traffic, some only allow a would-be-attacker to learn a little more about other devices that they can control more fully. Or simply to learn who you bank with, the names of your pets, or which organizations you're a member of so they can create cleverly disguised custom emails to trick you into entering your account credentials on their website - which looks just like the one you're used to seeing - and then they'll capture your password to try on 100 other sites and services.
Unfortunately, if we want to address these home network risks, we have to either become our own home network administrators and set reminders to diligently check all of our network connected systems for updates at least once per month, or we have to isolate the network systems that we use for work purposes to create secure work-from-home 'islands'.
One way to isolate our work traffic is to create a dedicated work-from-home network. You may be able to accomplish this by adding a new network to your existing home router. If your current router doesn't support this or if you feel like you could use an upgrade with additional layers of security, one of my favorite new devices for home networks is the Ubiquiti Dream Machine which includes an impressive range of features for under $300.
The Dream Machine, like many other Wifi routers, allows you to create a guest network that can be enabled and turned into a dedicated family/personal network. The Ubiquiti device also includes a intrusion detection and prevention (IDS/IPS) feature which most consumer routers do not. You can even reserve a dedicated amount of your home internet bandwidth for work purposes so your kids' streaming activities won't turn you into Max Headroom during that important video conference with your boss. Just be sure to enable WPA2 encryption and reset passphrases on any and all Wifi networks.
It is also a good idea to thoroughly secure a work-from-home communications, including end-to-end encryption for all work related network connections via VPN or an otherwise secure remote desktop service. While we still have updates for the operating system, applications, anti-malware, drivers, and firmware to worry about (more on updates to come) on our work-from-home computer, at least it's just 1 system and not umpteen various IoT devices. Although, keeping your baby monitor and your new car up to date may be important to you anyway.
A quick word about VPNs, there are many different types and some are not very secure (PPTP for example) and connecting to a VPN does not necessarily encrypt traffic to all destinations. For example, if you connect a VPN to your main office router or server, and then open a web page on the Internet from your home computer, that web traffic is probably not being protected by your work VPN (or, if it is, you probably have unnecessarily terrible performance).
Sadly, the quantity and sophistication of email scams are on the rise and regardless of how diligently we patch our computers and check our anti-malware logs, our efforts can quickly be undone by clicking the wrong link or attachment in an email. Some of these messages are merely annoying while others can capture your online banking credentials or turn your computer into a 'zombie' if they find a cooperative recipient.
One of the best defenses against malicious emails, is for team leaders to regularly communicate the importance of being suspicious of every email. For those of us who dream of a Utopian society where everyone can be trusting and open to all, well, sadly, we're not there yet - so having a security conscious mindset is rather a requirement to keep your team safe these days. If you really want to be serious about it, you can enlist online training modules and conduct test phishing email campaigns that can track and report on users that click things they shouldn't, and then follow-up with additional training that can be assigned to those who need it.
However much you train though, there will still be a certain percentage who will click on the wrong links in messages. Many email services have some built-in message filtering that can be configured to be more restrictive which can help a little. Often the default settings err on the side of allowing more messages through to lessen the risk of having a VIP miss an important one, but of course that comes with the trade-off of allowing more bad actors to get through as well.
Advanced email filtering services powered by Artificial Intelligence (AI) can be a very effective additional layer of defense and can typically be added for just a few extra dollars each month these days.
Your Anti-malware/AV Service
The next layer of defense you have to minimize the fallout from accidentally clicking the wrong link in an email or web page is your anti-malware or antivirus (AV) software.
More important than the specific developer or service is that it is appropriately configured and that the service is running and updating properly. Unfortunately, sometimes these services or updates fail and they don't always let you know.
Being business or enterprise-grade generally means that the anti-malware agent provides management and reporting information to a central server to ensure things are working like they should and send alerts to your support team when things are out of alignment or when a malware detection occurs on any computer that touches your data.
The next risk to be concerned about - whether your team has corporate laptops or if they're allowed to use their own personal computers and devices - is related to ensuring critical security updates are being applied. As with the anti-malware service, a well protected workforce is able to receive alerts and run reports to confirm that devices that are used for work purposes (even home computers) are fully up-to-date.
Why? The reasons are myriad; but generally when vulnerabilities are discovered and reported on, the developers make updated code available to fix the flaw(s) and the hacker community sets about updating their code to make use of the new exploit - knowing that there will be systems that will be slow to apply the updates. This sets the clock ticking in a race between their efforts and your ability to apply those security updates to your device or software.
Sometimes these vulnerabilities are found in the Operating System (OS) software, other times it's the web browser that's at risk but it doesn't end there. You also have to worry about the firmware coded onto the chips of device hardware, as well as line of business applications, even the drivers that control your hardware. Not every exploit allows your passwords to be stolen or your system to be controlled. Frequently the concern is that it allows for a leak of seemingly innocuous information that can lead to some other information, and so on until it eventually leads to a more serious breach.
From an IT security standpoint, passwords are among the worst ways to protect accounts and data. Either they're too simple and easy to guess, and the same password is applied to most of our accounts, or they're unique and complex following best practice recommendations, but then of course we have to write them down or save them someplace that may not be totally safe.
Luckily, there are software tools to help us address this particular issue, collectively referred to as password managers. Most of the cloud based 'software as a service' or 'SaaS' offerings provide a free or very low cost version for individual use, as well as Team and Enterprise versions with central management and reporting.
My favorites are the ones that have a reliable auto-logon feature. This tends to operate as an extension to your web browser on your computer or an app on your phone which essentially enters your credentials for you. You'll also want to make sure to pick one that can allow you to require periodically checking with another device to ensure you are who you say you are; for instance, with a finger scan, a notification button on a phone, or even facial recognition for even less interruption of your work flow.
With a well-managed and organized password manager that's built for groups, you can even make great strides toward achieving one of the holy grails of cyber-security, 'zero-trust'. This essentially means that users don't even ever know their passwords, they simply get assigned a set of account credentials. Then software on their computer checks in with an app on the user's phone to verify identity, and then enters all account passwords automatically for them as they access various work relates sites and services throughout the day.
The beauty of this may seem obvious but essentially this allows for complex passwords that don't get written down, saved into shadow IT services or otherwise copied. This also mitigates the threat of some of the nastiest features of certain types of malware, the keylogger and the clipboard hijacker - which can capture your credentials as you type or copy & paste them. When the software enters the credential it is hashed (encrypted) and - as long as you've configured the policy correctly - can't be copied. Boom!
The process described above includes a built-in mechanism for multi-factor-authentication or MFA. If you're not quite ready to adopt zero-trust or a password manager, then please at least enable MFA separately for access to all of your important work accounts and data. I know it can be a pain and it can slow you down if it's not automated, but it really is one of the most effective ways to keep bad actors from logging into your email, or worse - your bank accounts, even if they someone manage to obtain your password. If you have a password manager with an MFA policy, then you don't necessarily need to have MFA set up on all of your accounts, however, some password managers have the ability to serve as your MFA provider and auto-fill those codes after verifying your face or fingerprint as well. If I lost you there, I'll just say that it can be a very secure, and very slick option that can greatly improve productivity and job satisfaction for certain types of workers who need secure access to multiple different accounts and therefore currently suffer from constant logins interrupting their workflow, as well as for those who otherwise have bad password habits or policies in an attempt to avoid those interruptions.
Sometimes safeguarding our data and work can be as much about saving us from ourselves as it is about keeping the bad guys out. Most people know backups can be a good idea but appropriate backups remains one the most neglected services in IT.
Backups exist in a few different varieties and they're not all appropriate for every use case. First and foremost, there is the good old fashioned file and folder backups. If all that's important to you is files and folders, you can set up a sync to your favorite cloud service like G Suite or Office 365, or even sign up for an actual cloud backup service like CrashPlan. A lot of people also like to have a local copy on an external drive because restore times from the cloud can be horrendous if you have a lot of file and folder data. Please don't rely on an external drive alone if your data is important. Do also be aware that file and folder level backups don't tend to work well with fast changing or locking files like databases or virtual disks.
If your files are important and you're syncing from, or backing up to, cloud storage, you may want to ensure your cloud storage is appropriately backed up as well. Not all cloud services are sold with appropriate levels of redundancy and/or versioning, though these features can typically be added for an additional cost. There are also 3rd party services that specialize in SaaS backup as some admins like to ensure their backups are on an entirely separate cloud.
Moving right along, Email! Backup your Email! Either the aforementioned SaaS backup service (if that service also provides your email server) or an Email archiving service can serve this purpose depending on your needs. Often times people mistakenly think that their email inbox has some sort of built-in backup or archive feature automatically running in the background and all they should have to do is right-click somewhere and presto, they're able to role back to before they accidentally deleted their inbox or had it done for them by a hijacker, only to learn that this had to have been set up in advance.
Workstation continuity. If you're using a desktop in a cloud service, you can probably connect to that from any computer in the event of a hardware failure on your end so you already have some continuity. If however you have lots of big applications with custom settings installed on your workstation, it may take a long time to recover from a disaster - days - more even. If this is your situation, I highly recommend adding a cloud PC backup and continuity service that can run an image-based backup of your workstation in a secure cloud so you can continue working from a different computer in the event of a hardware catastrophe.
One final tip about backups, pay special attention to the security of the accounts used to run and access your backups; ensure those secrets in particular, are unique and well protected.
Automation & Verification through RMM Tools
Trust but verify
If all of that sounds like a lot for an individual user who's trying to work from home to have to worry about, that's because it is. So, how can an organization be expected to manage and track all of those updates, backups and anti-malware services on all of their remote workstations, especially if they decide to allow their team to make use of their personal computers and devices that are not always connected to a domain? One option is Mobile Device Management (MDM). These can be combined with cloud based Identity Management to provide a measure of control over access to cloud services.
If that all sounds like an expensive pain-in-the-rear then we are in agreement. To solve many of these challenges without quite so much fuss and cost, you can deploy all the goodness of Remote Monitoring and Management (RMM) software to centrally ensure system policy settings, provide global automation and rescue operations even on remote computers. Some can even control patching for not only the OS, but also for web browsers and 3rd party applications like Java and Flash Player, as well as automatically deploy installations or updates to line-of-business applications. These tools allow for alerting and reporting capability to ensure all is well with system patch levels and can also be set to track of the real-time status of important security settings like the Windows firewall, the User Account Control (UAC), and anti-malware service. For those with compliance requirements, this kind of automated reporting can check a lot of boxes and save an incredible amount of time to prepare for IT audits.
Well, that's about all I've got time for now. There are obviously a lot of opportunities to add links and expand on any number of topics above and it is my intention to do so in future updates and separate posts, so please drop a commend to let me know if you're interested in having one topic or another fleshed out first. Until then - be safe!