“In many cases, when employees are using their own systems you might not know about it until after credentials have been compromised [and] information has been breached,” notes Kevin Beaver, founder and principal consultant of Principle Logic, a security consultancy based in Acworth, Ga.
To address issues like those, channel pros must embrace a combination of tools and techniques built around four fundamental objectives.
1. Protect the Data
Ultimately, everything in your work-from-home security stack is about protecting data, because data is the most valuable and coveted asset your customers have. Keeping data safe begins with encrypting it, according to Nancy Sabino, CEO of SabinoCompTech, a security and support services provider in Katy, Texas.
“Whether it’s a laptop or a desktop, if it’s going home with a user then it needs to be encrypted, because someone could break into their house and steal that device,” she says. Encrypting data also allows companies to avoid the financial fallout and reputation damage that inevitably follow publicly disclosing a breach, something most data privacy regulations require businesses to do.
BitLocker, a drive encryption feature provided free with Windows 10 Pro and Windows 10 Enterprise licenses, is an obvious place to start, but protects only data “at rest” on an individual device. A wide variety of business-oriented encryption solutions keep data free from snooping “in transit” between devices as well.
2. Protect the Endpoint
It probably goes without saying that every desktop, laptop, or other device used for work at home should have an enterprise-caliber endpoint security system on it and at least a local firewall enabled. Cruciana recommends making DNS filtering software mandatory too, and further advises choosing a product that users can’t easily shut off or bypass. “It’s not that we want to be the internet police, but we want to make sure that we’re not introducing additional risk,” he says.
Software for managing endpoints, like an RMM solution, is critical as well, Cruciana adds. “At a minimum, we’re doing daily software and configuration audits of the device, [and] limiting and restricting the use of administrative access on those endpoints so that users aren’t able to go and install software and make changes.”
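The controls named so far (BitLocker on every drive that leaves the office, a local firewall, and a daily audit that confirms users have not quietly regained administrative rights) can be checked from a single script that an RMM runs on a schedule. The PowerShell below is an added example, not code from the article or from any of the providers quoted in it. It is read-only, must run elevated on Windows 10 Pro or Enterprise, and the `AllowedAdmins` list is an assumption that each client would replace with its own approved accounts. Note that BitLocker only covers the at-rest case the article describes: a stolen machine that is powered on and unlocked still exposes its data, which is why the endpoint and admin-rights checks sit beside it.

```powershell
# Added example (not from the article): a read-only work-from-home endpoint audit.
# Checks three controls: BitLocker on fixed volumes, the local firewall enabled on
# every profile, and local Administrators membership limited to an allow-list.
# Requires an elevated PowerShell session on Windows 10 Pro/Enterprise.

function Get-WfhEndpointAudit {
    [CmdletBinding()]
    param(
        # Accounts allowed to hold local admin rights (assumed names; adjust per client)
        [string[]]$AllowedAdmins = @('Administrator', 'Domain Admins')
    )

    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. BitLocker: every OS and fixed data volume should be fully encrypted with protection on
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeType -notin @('OperatingSystem', 'Data')) { continue }
        if ($vol.ProtectionStatus -ne 'On' -or $vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings.Add("BitLocker: $($vol.MountPoint) is $($vol.VolumeStatus), protection $($vol.ProtectionStatus)")
        }
    }

    # 2. Firewall: the Domain, Private and Public profiles should all be enabled
    foreach ($profile in Get-NetFirewallProfile) {
        if ($profile.Enabled -ne 'True') {
            $findings.Add("Firewall: profile '$($profile.Name)' is not enabled")
        }
    }

    # 3. Admin rights: any Administrators member outside the allow-list is a finding
    foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
        $shortName = ($member.Name -split '\\')[-1]   # strip the MACHINE\ or DOMAIN\ prefix
        if ($shortName -notin $AllowedAdmins) {
            $findings.Add("Admin rights: unexpected member '$($member.Name)' ($($member.ObjectClass))")
        }
    }

    # One object per device; an RMM can store it and alert when Compliant is $false
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Timestamp    = (Get-Date).ToString('s')
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
    }
}

# Example run: emit JSON so the RMM or a SIEM can ingest the result
Get-WfhEndpointAudit | ConvertTo-Json -Depth 3
```

Scheduling this daily through the RMM gives the "software and configuration audit" a concrete shape: a device that reports `Compliant: false` is one where a user has turned off the firewall, suspended BitLocker, or added an account to Administrators, each of which is worth a ticket before the machine is treated as trusted again.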
Sabino, for her part, leans on mobile device management software to ensure that she can lock or wipe work-from-home hardware if it’s lost or stolen, or if its owner changes jobs. Though Sabino uses Intune, Microsoft’s single-tenant MDM offering, alternatives with the multitenant management capabilities MSPs require are available from vendors like VMware and SolarWinds MSP.
Cruciana, meanwhile, employed an increasingly popular shortcut last year to secure devices for some of his clients with especially strict regulatory requirements: a virtual desktop solution. Products like Windows Virtual Desktop centralize potentially vulnerable resources in a heavily fortified Microsoft data center. “In the right client set, that obviated the need for a lot of the stuff on the endpoint,” Cruciana notes.