Adaptive Segmentationmicro-segmentation November 2, 2020

5 ways security pros can lock down stay-at-home workers

PJ Kirner, CTO and Founder

This article originally appeared in SC Magazine during National Cybersecurity Awareness Month. As employees continue to work from home, PJ Kirner shares important measures to keep in mind to protect organizations and the employees that operate them.

Remote work has become the norm today and bad actors are having a field day. Not only are millions of professionals, government officials, and business executives now using the same home network to run their organizations that their 15-year-olds use to play video games, they’re also operating on less secure wireless networks, with almost no visibility, and relying on weaker security controls to keep their assets secure.

Many people simply aren’t aware of the added security risks that come with working from home. And in today’s world, where every work device has become interconnected, one intercepted device or network can cost an organization millions. In this environment, companies can’t risk poor cybersecurity hygiene among their staffs.

Here’s the good news: there are many steps security teams can take to bolster the cyber resiliency of the company’s networks, devices, and assets, even while the IT team and most of the staff works remotely over home networks. The following are five important steps security pros can take to lock down home offices:

  • Disable the non-essential internet peer-to-peer (P2P) apps running on employee systems.

We know that employees will often use work devices for personal uses such as Zoom happy hours with friends, gaming, or streaming Netflix. Often, the P2P apps that employees download onto their work laptops can talk to their home routers using the Universal Plug and Play protocol. So, with lax security measures, a bad actor could essentially gain access to a home network through a work device –and vice versa. Mitigate this by simply disabling apps, widgets and protocols that aren’t for your organization’s users, such as SMB or Gnutella.

  • Block connections to malicious websites with free DNS-layer protections.

Installing a free DNS-layer protection can help create an additional layer of security between employees and the internet because it can block dangerous websites and filter out unwanted content. By using secure DNS servers (both at home, and in the office when we get back there), security pros can better avoid unnecessary risk and mitigate the potential for malicious attacks.

  • Enforce least privilege access.

All devices today are hyperconnected, so just give employees access to the apps they need to do their jobs. Bad actors gain access to mission-critical assets through lateral movement. With so many people working from home, they can breach a worker’s laptop at home and move on to the corporate network or data center undetected. By practicing the concept of least privilege, security pros can stop bad actors in their tracks and keep devices secure – because the bad actors won’t have access to as many pathways to the corporate environment in the first place.

  • Weigh the pros and cons of VPNs.

VPNs are a double-edged sword. Without VPNs, security teams can’t see risky behavior as it happens. This limits their ability to develop an appropriate security response before an employee connects to the VPN, potentially exposing the entire company to a threat. But exposing more systems than the security team has ever done before via remote corporate VPNs also presents its own set of challenges. For example, a critical server that was once only reachable from the office that’s now exposed through a remote access VPN has a greater risk of being compromised. So, security pros must understand how to supplement and bolster company networks and infrastructure with additional cybersecurity layers, such as endpoint protection, or additional network segmentation to compensate for the increased risk of increased VPN usage.

  • Deploy endpoint protection software.

Finally, it’s important to remember that networks are only as secure as their endpoints. Once an attacker compromises one endpoint, it’s often easy for them to spread throughout a network via P2P communication between laptops and exploit mission-critical data. Implementing Zero Trust on endpoints can help. But how? Security teams can limit unnecessary traffic by using “allow lists” to determine which types of P2P communication employee laptops need to accept and denying the rest by default. With this strategy, even if one laptop gets breached, security pros can contain the threat and it won’t spread throughout the entire organization. 

Moving forward, everyone must take part in security, not just the IT and security teams. This means the employees. The managers. The top executives. As cliché as it may sound, in this time of unprecedented remote work during the pandemic, everyone in the organization must take responsibility for effective cybersecurity hygiene. It’s on all of us to keep our networks and organizations secure.

Adaptive Segmentationmicro-segmentation
Share this post:

Try Illumio Edge