Back in March, when I first wrote about the need to secure working from home, most of us thought we’d be back in our offices within a few months. No such luck. DealAid has found that “79.4% of full-time employees have shifted to working remotely as a result of COVID-19.”
And, of those, most won’t be going back to corporate headquarters this year or perhaps even next. For every company CEO, such as Netflix’s Reed Hastings, who thinks working from home is a “pure negative,” there are numerous others, like Apple CEO Tim Cook, who’ve found “some things … actually work really well virtually.” Many Fortune 500 companies, including Google, Facebook, and Microsoft, plan on most of their staff working from home until well into 2021.
Global Workplace Analytics president Kate Lister estimates that 25-30% of the workforce will be working from home multiple days a week by the end of 2021. Note, Lister didn’t say the end of 2020, she said the end of 2021. Indeed, some Silicon Valley darlings, like Twitter, have taken the final step. Twitter employees can keep working from home “forever.”
The writing is on the wall. For the foreseeable future, many, perhaps most, office workers will be doing their jobs from home. That means we must make sure their work and equipment are secure as well. Here’s how we can make that happen.
The basics of making sure your software is up to date with the latest security patches, using password managers and two-factor authentication (2FA), and other issues I covered in Don’t let the coronavirus make you a home office security risk should go without saying. Yeah. Right.
When was the last time you backed up? And, please, please tell me you’re not using “123456” for your password. Away from the office, it’s up to you now not to make foolish security mistakes. No one’s going to be looking over your shoulder to make sure you don’t screw up. Learn and practice at least the bare minimum of security practices.
That said, no one can expect you to know the best security practices if your job is accounting or customer service. Your company’s IT staff needs to decide what you need to know and then tell you what they expect you to do, which leads to my next point.
1) Formalize working from home security policies
IT can’t wing it anymore. Sure, when you thought it was just going to be a month or two and you were in a rush to get everyone out the door, it was understandable that getting people up and running was more important than locking down their accounts. That’s unacceptable now.
You must give your users a crash course in security 101. You know the drill: Use the remote corporate backup service, here’s how to use the company Virtual Private Network (VPN), here’s how to recognize a phishing e-mail, and on and on. Hey, no one ever said security was going to be easy!
It’s also time to take your existing security policy and update it for a world where your workers are scattered all over your city. Insider Pro recently put together an ebook, How to create an effective security policy. Besides general guidance, it also includes four templates to help get you started.
So, you may be asking yourself about now: “What do I need to do differently?” For an excellent introduction to that, see the National Institute of Standards and Technology (NIST)’s Information Technology Laboratory (ITL) bulletin, Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions.
I can sum it up neatly as “It’s a hostile world out there, plan accordingly.” That means restricting users to the bare minimum of corporate resources they’ll need to do their jobs. It also means you should encrypt everything, including memory (with confidential computing), and not just the network and storage.
Finally, you need to upgrade your in-house security systems. Maybe you can’t stop little Johnny from getting malware on mom’s work laptop, but you can do your darndest to make sure it doesn’t escape from there to your servers. Capisce?
2) Companies need to buy their workers hardware
When this all started, many businesses let their newly minted home workers use their personal equipment. You can forget about that noise. Shadow IT is not the way to go.
As Michael Hamilton, founder and CISO of digital security firm CI Security, pointed out recently, employees shouldn’t use the same computer for remote work that they use at home. It’s just asking for trouble.
A home PC may have malware on it, obsolete and questionable programs, and little Suzie’s homework. It is not–I repeat not–where you want your corporate secrets living. That means you must buy your employees dedicated work computers.
You shouldn’t cheap out on this either. These machines are literally out of the corporation’s hands twenty-four hours a day. That means getting business-class PCs such as Dell Latitudes, HP EliteBooks, or Lenovo’s ThinkPads.
3) Lock down your staffers’ PCs
You want that class of hardware because you want the business security products that come with it, such as HP Sure Start, Sure Recovery, and Sure ID; Dell’s SureBoot; or Lenovo ThinkShield. These programs include a variety of endpoint security measures, such as methods to secure your users’ BIOS and firmware.
While you’re at it, it’s also time to bid passwords adieu and move to a hardware-based Fast IDentity Online (FIDO) authentication security system. According to the 2020 Verizon Data Breach Investigations Report (DBIR), 80% of hacking-related breaches are because of bad or misused passwords.
We have the solution. It’s the FIDO Alliance’s FIDO2 Universal 2nd Factor (U2F) standard. U2F was created by Google, NXP Semiconductors, and Yubico. In this authentication system the second factor is kept in a secure hardware key, which authenticates your users with their business computer via USB, NFC, or Bluetooth.
U2F devices cost from $20 to $60, but they’re the best line of defense today in authentication security. Some devices to consider are the Google Titan Key, Kensington VeriMark Fingerprint Key, Thetis FIDO U2F Security Key, YubiKey 5 NFC, and YubiKey 5C.
Once that hardware is in place you also have to monitor it. Sorry to go all Big Brother on you, but you have no choice. Remember how in every crime show, the bad guys want the computer so they vacuum the precious secrets out with a USB stick? Guess what? It’s easier than ever now.
That doesn’t mean you have to go all keylogger on your staffers. I, for one, wouldn’t put up with a company that wants to watch my every keystroke. Instead, use higher-end threat-monitoring programs such as Dell’s Endpoint Security Suite, HP’s Sure Sense, Check Point Software SandBlast, or SentinelOne.
These Endpoint Threat Detection and Response (ETDR) programs use automated analytic tools to look for suspicious patterns of activities. For instance, some programs can catch a ransomware attack in the act by detecting that multiple files are being changed at once.
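To make that “multiple files changed at once” heuristic concrete, here is an added example (not code from the article or from any of the products named) that runs a per-process sliding window over constructed file-modification events and raises an alert when one process touches an unusually large number of distinct files within a few seconds. The window size and threshold are assumed tuning values; real products combine this with other signals such as extension changes and file entropy.

```javascript
const WINDOW_SECONDS = 10;  // assumed: how far back to look per process
const THRESHOLD = 20;       // assumed: distinct files modified inside the window that triggers an alert

// Constructed sample telemetry: one event per file write, { t: seconds, proc: image name, path }.
function makeEvents() {
  const events = [];
  // Normal activity: a word processor saving the same two documents now and then over five minutes.
  for (let i = 0; i < 10; i++) {
    events.push({ t: 1000 + i * 30, proc: 'winword.exe', path: `C:\\Users\\jan\\Docs\\report${i % 2}.docx` });
  }
  // Suspicious activity: one process rewriting 40 distinct spreadsheets within four seconds.
  for (let i = 0; i < 40; i++) {
    events.push({ t: 1200 + i * 0.1, proc: 'suspicious.exe', path: `C:\\Users\\jan\\Docs\\sheet${i}.xlsx` });
  }
  return events.sort((a, b) => a.t - b.t);
}

// Sliding window per process: keep only events within windowSeconds of the current one and count
// distinct paths. Alert once per process, the first time the count reaches the threshold.
function detectBursts(events, windowSeconds = WINDOW_SECONDS, threshold = THRESHOLD) {
  const byProc = new Map();
  const alerts = [];
  for (const ev of events) {
    if (!byProc.has(ev.proc)) byProc.set(ev.proc, { window: [], alerted: false });
    const state = byProc.get(ev.proc);
    state.window.push(ev);
    while (state.window.length && ev.t - state.window[0].t > windowSeconds) state.window.shift();
    const distinct = new Set(state.window.map((e) => e.path)).size;
    if (distinct >= threshold && !state.alerted) {
      state.alerted = true;
      alerts.push({ proc: ev.proc, at: ev.t, filesInWindow: distinct });
    }
  }
  return alerts;
}

console.log(detectBursts(makeEvents()));
```

Run against the constructed events, the editor never trips the rule because it keeps rewriting the same two files, while the burst process is flagged as soon as its 20th distinct file is touched, well before all 40 are gone.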
4) Strengthen your users’ network
It doesn’t matter a lot if your PC is sealed up when someone’s watching your every move on the network. This means more than just using a VPN. You must also secure your workers’ home networks.
That means, for starters, you’ll need to buy your staffers new business-class Wi-Fi routers. Older Wi-Fi devices have a lousy history of being hacked regularly. Worse still, their vendors seldom update their firmware. And, even when they do, they rarely let their consumer customers know that they have to patch their gear.
For example, if your Wi-Fi routers are still using Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) for security, chances are you’ve already been hacked. Neither has offered any real security in more than a decade. WPA-2 has also been cracked. Today, your only good choice for Wi-Fi encryption is WPA-3.
Another problem is that popular consumer Wi-Fi routers tend to have overall lousy security. A recent study of 127 new home routers found a third of them shipped with the hopelessly obsolete, decade-old Linux 2.6.36 kernel, which has 233 known security vulnerabilities.
The bad news doesn’t stop there. Many of these routers haven’t had any security fixes within the last year. Adding insult to injury, “when the routers got recent updates, many of these known vulnerabilities were not fixed.” Finally, “some routers have easy crackable or even well-known passwords that cannot be changed by the user.” This is completely unacceptable. It’s no wonder so many botnets are made up of home routers.
What can you do? Well, you must make certain that you get routers that take security seriously. While you’re at it, lock down your routers as much as you can by changing their default admin interfaces, IP addresses, and passwords.
Even once you’ve deployed routers and have done all the right things to make sure they’re relatively secure, you must also keep an eye out for new vulnerabilities. For example, an unpatched vulnerability was identified in essentially all Netgear routers earlier this year.
Finally, you should also insist your people use Ethernet to connect to their router rather than any kind of Wi-Fi. There are just too many ways Wi-Fi can be compromised for it to be a truly safe business choice.
Yes, I know, people are still going to use Wi-Fi. It’s just so darn handy. But, keep in mind, it’s also so darn vulnerable. Secure it as much as possible and pray someone really doesn’t want to look over your wireless shoulder at your work.
5) Stick with corporate e-mail, messaging, and file-sharing services
Chances are you’re already using G Suite or Microsoft Office 365 for your office suite and e-mail. And, in these days when we’re almost never in the same place at the same time, you’re also using corporate instant messenger services such as Slack or IBM Sametime and video-conferencing services such as Google Meet, Microsoft Teams, or Zoom. That’s all well and good.
But, are your people also using their personal cloud services, say Dropbox or their personal Google Drive, for their work product? Don’t let them do it. You can control–or try to control anyway–what happens on your business services, but you’ve got no say over what happens on their individual services.
For example, you can be pretty sure that when Jan in accounting sends Joe in legal documents over Exchange Email, that everyone’s who they say they are. At the very least you can track who said what to whom when. But, once you’re outside your business services intranet things get much dicier. Is the Jan at outlook.com the same CPA who works in your company? Maybe yes, maybe no.
You should also not be tempted to use free cloud services to save money. You get what you pay for.
Now, I trust Google, for example, to not misplace my Google Drive documents, but my Type C corporation has a total of one (1) employee. Yours is almost certainly a wee bit bigger. Can you really trust that link from a co-worker to what purports to be your accounts payable file or is it going to take you on a trip to ransomware? Use business services, you’ll be glad you did.
Working from home is working from the office
There’s a common theme here. Yes, we’re working from home now more than ever, but home isn’t what it used to be. Going forward, home is the office.
For IT that means treating home office users not as second-class citizens or exceptions to the rule, but as the new normal.
That’s because, like it or not, working from home is the new normal. We, both those who will be calling their kitchen table their office desk, and those of us still running the servers and data centers, must make this shift. It won’t be easy, but it is necessary.
Good luck with this new IT journey. We’re going to need it.