IT and Business Insights for SMB Solution Providers

Work from Home: The Art and Science of Post-Perimeter Security: Page 2 of 3

New procedures and policies are required that emphasize identity and access control, while issues around privacy and financial responsibility remain to be addressed. By Colleen Frye
Reader ROI: 
WORK-FROM-HOME users on personal PCs and residential-grade networks have put new stressors on post-perimeter security.
BUSINESSES NEED TO DEVELOP WFH policies and procedures that address secure access, network responsibility, and privacy issues.
INITIAL STEPS include home network scans, installing EDR and anti-virus, and enforcing multifactor authentication.

Create Policies and Procedures

Given all these new challenges, it will be incumbent upon businesses to create a security model with policies and procedures for WFH employees.

Ideally, businesses would have had these in place before sending employees home, but given the unexpected rush due to the pandemic, many don’t. O’Hara recommends downloading policy templates from groups such as the SANS Institute to get started.

Michael O’Hara

You may need special terms and conditions to protect privacy, Thornton-Trump adds. “This is a real problem because when I put those home networks online, I’ve got access to baby monitors. I’ve got access to a DVR, so I can see potentially all of the shows that you've recorded. I will have access to your security systems. So we need to, as a company, say there are red lines [about] data that we will not consume, use, or abuse. This is [an] issue that we've never had to face before.”

Once policies are in place, O’Hara suggests organizations do a baseline scan of home networks. “We have to at least see where you're strong and where you're weak, so that we can advise you on how to meet the milestones of security so that we can be comfortable allowing you in.”  

If a scan detects an Internet of Things device that has been compromised, for instance, the organization needs to be able to convey that to the home user and get it addressed so it doesn’t “bleed over into your corporate VPN connection,” Thornton-Trump says. A business or its MSP can start by extending endpoint detection and response or anti-virus solutions to all the endpoints in a home network for free, and then keeping them up to date, he suggests.

A Need to Shift the Focus

The shift to WFH also requires a shift in focus from securing the organization to securing the individual as well, both Thornton-Trump and O’Hara stress. This requires creating an identity- and access-control-focused organization. They recommend implementing the following:

  • Multifactor/two-factor authentication
  • Single signon
  • Password management
  • Intrusion detection and response tools
  • User education

Build the desired requirements into security policies and procedures, O’Hara says. “Insist in your policy … you have to have two-factor authentication in order to work from home. You have to have anti-virus at this minimum level. You have to make sure that these ports are disabled on your home router. And those are just three really high-level things you can look at just to start off.”

With WFH, user education is more critical than ever, he adds. “You're going to have to educate your end users as to what those threats really are out there and how they can start recognizing them. And it's got to go beyond that obligatory once every six months or once every quarter ‘infomercial’ video that gets sent to your email.”

About the Author

Colleen Frye's picture

Colleen Frye is ChannelPro's managing editor.

ChannelPro SMB Magazine

Get an edge on the competition

With each issue packed full of powerful news, reviews, analysis, and advice targeting IT channel professionals, ChannelPro-SMB will help you cultivate your SMB customers and run your business more profitably.