I’d like us all to take a deep breath.
By and large, we have made it through close to two months of sheltering-in-place – and setting up all employees to work from home.
We’ve also done our best to thread the needle on productivity and security to keep employees working while not turning our backs entirely on best-in-class security.
Suffice it to say, a few months ago, worrying about home networks wasn’t much of a focus. But since the corporate network now extends to every home network, it is suddenly a front-burner concern.
With that said, I’d like to share a few pieces of advice from Illumio’s security team (Trupti Shiralkar, Ben Carter, Sajeeve Keyeparambil, and myself) to other security practitioners to reduce risk for employees working from home, since that is now a key part of the extended enterprise we must protect.
Our advice is meant for all organizations, large and small, and is not predicated on having a Fortune 100 security budget.
Perhaps you have addressed all of these over the past two months, or maybe just a few. Either way, I hope you find this round-up useful.
- This has already gotten lots of attention, but given how much we use Zoom or Webex to run business, we’d be remiss not to start with it. Use passwords to protect your video conferencing sessions. This will help keep uninvited guests from joining your private meetings.
- Given that professional and personal activity now share the same home network, have employees use multi-factor authentication wherever technically possible, and heavily encourage its use with personal accounts as well. This will help to protect against account takeovers and unauthorized access.
- Back your data up regularly to a separate device or to a trusted cloud service. It doesn’t matter how secure your computer is if you don’t have your data to go with it.
- We talk a lot about patching at work, but what about at home? Keep all your computers and mobile devices (both personal and professional) up to date with security patches. Out-of-date software can make for an easy target for ransomware or other cybercrime.
- Make sure to keep your home Wi-Fi router software and firmware updated as well, because those types of devices are commonly targeted by attackers for takeover.
- Encourage employees to change their Wi-Fi router default admin password from the one it came with. Attackers can use your browser to take over your router and use it to steal banking and other sensitive information.
- Turn on WPA2 Wi-Fi security, and choose a strong password for the network, as weak passwords are easy to guess. This adds a basic layer of protection to your network.
- Ask employees to use a separate device for non-work computing. Mixing the two can make it easier for company-confidential information to be exposed. We know we can’t always enforce this, but it is worth requesting.
- Remove always-on voice assistants (Amazon Echo, Google Home, etc.) from the room you work in, and ensure Smart TV assistants are not configured to listen. Some of these devices send audio back to the vendor for processing and may leak sensitive information.
- Continue to lock your computer when you step away, otherwise your cat will take that opportunity to send your boss a compromising email!
It goes without saying that this is a learning process for everyone, so be patient but diligent in your approach to security while WFH continues. And remember, we’re all in this together.