
Create Policies and Procedures
Given all these new challenges, it will be incumbent upon businesses to create a security model with policies and procedures for WFH employees.
Ideally, businesses would have had these in place before sending employees home, but given the unexpected rush due to the pandemic, many don’t. O’Hara recommends downloading policy templates from groups such as the SANS Institute to get started.
You may need special terms and conditions to protect privacy, Thornton-Trump adds. “This is a real problem because when I put those home networks online, I’ve got access to baby monitors. I’ve got access to a DVR, so I can see potentially all of the shows that you've recorded. I will have access to your security systems. So we need to, as a company, say there are red lines [about] data that we will not consume, use, or abuse. This is [an] issue that we've never had to face before.”
Once policies are in place, O’Hara suggests organizations do a baseline scan of home networks. “We have to at least see where you're strong and where you're weak, so that we can advise you on how to meet the milestones of security so that we can be comfortable allowing you in.”
If a scan detects an Internet of Things device that has been compromised, for instance, the organization needs to be able to convey that to the home user and get it addressed so it doesn’t “bleed over into your corporate VPN connection,” Thornton-Trump says. A business or its MSP can start by extending endpoint detection and response or anti-virus solutions to all the endpoints in a home network for free, and then keeping them up to date, he suggests.
A Need to Shift the Focus
The shift to WFH also requires a shift in focus from securing the organization to securing the individual as well, both Thornton-Trump and O’Hara stress. This requires creating an identity- and access-control-focused organization. They recommend implementing the following:
- Multifactor/two-factor authentication
- Single sign-on
- Password management
- Intrusion detection and response tools
- User education
Build the desired requirements into security policies and procedures, O’Hara says. “Insist in your policy … you have to have two-factor authentication in order to work from home. You have to have anti-virus at this minimum level. You have to make sure that these ports are disabled on your home router. And those are just three really high-level things you can look at just to start off.”
With WFH, user education is more critical than ever, he adds. “You're going to have to educate your end users as to what those threats really are out there and how they can start recognizing them. And it's got to go beyond that obligatory once every six months or once every quarter ‘infomercial’ video that gets sent to your email.”