Securing home networks matters more now than ever before. We are a very connected society. That creates great opportunities and new challenges every day, especially for those tasked with securing all that connectivity. One opportunity that gets a lot of people talking is teleworking, telecommuting, working remotely, or working from home (WFH); all seem to mean the same thing to most people. Our whole company is built on the ability of our systems to be secured and also be able to connect and work from anywhere in the world. Many organizations forget to worry about the home networks that connect to the office network and regularly use office applications and data.
Working from home can be awesome! The era of video conferencing has made it less likely that you will work in your PJs all day long, but you never know. For the most part, working from home has been a very positive change for employees. In many cases, employers still can’t decide how they feel about it.
It was big news when Marissa Mayer took over at Yahoo and announced that she was banning working from home. As it turned out, telecommuting still happened at Yahoo, and some employees didn’t even have a desk at the office. In fact, a Stanford study “shows the astonishing productivity boost of working from home”. In the two-year study, they found the work-from-home group had a productivity boost amounting to 2 full days’ work versus the group in the office. There were several other positive findings: allowing even a few days a week of working from home makes employees happier with their jobs and more productive.
All of that is great. However, nothing in that study looked at the security requirements that should be in place, or asked whether those employees were blazing through work in a much less secure environment. Securing home networks has to be part of the conversation.
A real-world example of the problems that can occur is illustrated very well in this article: The security dangers of home networks. A small company employee took their work laptop home to catch up on work. We have all done it, right? Well, everyone has at least wished they could do it at some point. However, things didn’t go so well in this case. The employee let their kid access their emails on the work laptop. Dum, dah, dum, dum…
As you guessed, the kid welcomed in a nasty computer worm that infected the laptop big time. The next day the laptop got plugged back in at the employee’s desk and, boom, the whole network was under attack by the spreading worm.
The flip side can happen when employees bring in their devices from home that are already infected and plug them into the office network. More on that problem in another podcast.
What do you do to protect your business from bad security on a home network? Not letting them work from home is an option, but it is just a matter of time before someone will need to do it. This may not be the best plan.
A better plan is to educate employees on securing home networks and be prepared for something to go wrong anyway. That means you need to get employees to go through special training explaining the security issues of working remotely. They also have to take a quiz and sign a form acknowledging that they understand the consequences if it can be shown that their home security failures created a problem.
Also, don’t forget that the remote work option is used by many vendors. They may need to be vetted this way too. It isn’t a bad idea to ask whether they make sure their employees who work from home are trained in securing home networks.
You still need to answer your internal questions about managing these folks and their connections. Your internal policies and procedures need to address how you will handle remote working, including the methods for securing and granting access to the office network. Your policy should cover at least the following:
- List any security connection software required for use when connecting to the company network remotely (i.e., VPN client software).
- Who is responsible for installing (or ensuring the proper installation of) security software and secure connection software on remote worker devices?
- Who is responsible for approving workforce members allowed to remotely access company networks and resources?
- Who is responsible for making sure workforce members are complying with this remote access policy?
- What process is followed to confirm workforce members are complying with the remote access policy? (e.g., periodic walkthroughs, video monitoring, business tool reports, internal and external audits, equipment inspection)
Here are the questions we like to ask about what is getting done on a home network. You should at least ask about these kinds of things:
- Are you applying firmware updates to modems, routers, and similar devices?
- Did you change the admin password on your router(s)?
- Is the antivirus/anti-malware software used on the system company-approved?
- Are IoT devices connected to the same network as the work computer, or to a separate network such as a guest network?
- Who has access to, or an account on, the computer used for work?
- Is drive encryption available and turned on?
- Do you share logins with family/friends?
- Do workstations used remotely also abide by company workstation use policies?
- Who is responsible for confirming remote worker setup and following policies for remote work?
- How does the remote worker destroy files containing ePHI on home computers?
- Company mobile device policies should be followed for remote workers.
- If paper files are stored at home are they in a locked cabinet or other secure storage?
- How will all of this be audited, how often, and by whom?
- Are remote workers individually authorized by the company or can anyone work remotely?
- If remote workers are considered subcontractors, how do you confirm that they either fall under the common law of agency or have a BAA in place?
Some resources out there to help you understand threats and secure your home network include:
We all have home networks now. A home network isn’t something that you just turn on and forget about, even though many people seem to think that is the case. Securing home networks is something everyone needs to learn about, or else make sure that someone who fully understands these concepts is handling it. If you aren’t sure, then have them listen to this episode and see if they can take this information and run with it.