WFH Cybersecurity: Fact vs Fiction

WFH cybersecurity is perhaps the fastest growing discussion in the security community this year, given the impact of COVID-19.  A Gartner survey of HR leaders found that 91% had implemented work-from-home in their organizations as part of their COVID response. Along with WFH came new cybersecurity exposures -- at Havoc Shield we started fielding calls and emails along these lines...

• I used to work at home sometimes anyway, so what's the cybersecurity difference now that I work from home all of the time?
• This all happened so quickly, we didn't really have time to think about how to manage cybersecurity for remote workers -- what are the first few things we should take care of right away?
• What questions should I ask my employees about their home network setup?  Anything I can do to help them stay secure in a way that is good for them personally and good for our company?

These questions, amongst others, inspired us to write this article to separate the fact from the fiction when it comes to WFH cybersecurity.  Here are some of the facts you need to be aware of, and some of the fiction to disregard.

Fiction: My Risk Profile Really Hasn't Changed

Imagine some risky activity -- perhaps, riding a motorcycle without a helmet instead of a more durable/strong motorcycle helmet.  Say that you were doing that activity once a week.  Risky, right?

Now, what if you started doing that five times a week?  Whoa!  Stop that!  What was once a big risk, just became an even more extreme risk.

Also, now the picture in the header of the blog post probably makes more sense.

Fact: Wi-Fi Routers Need Security Updates

At the office, many of us are accustomed to the idea that the "IT person" takes care of whatever is in that scary-looking telecom closet, and whatever hardware or software updates need to happen in there.

When you work from home, you are the IT person, and (bad news) consumer-grade routers are much more wily when it comes to security patch installation procedure.  And, when the router happens to be one where manual action is required to install patches, you can guess how often that happens.

Approximately 40% of home routers have not received a security patch in the past year.  That's bad.

Fiction: I use VPN, so I'm Safe

It's good that you use VPN when you are accessing company resources from home.  That's smart.  What's not smart, though, is assuming that VPN is the only mitigating step needed to make a home mixed-use network safe on the WFH cybersecurity front.

Employees working from home tend to share their laptops more -- as familes scramble to sort out the daily grind of eLearning, working, and everything else.  That means that sometimes personal laptops end up getting used for work, and sometimes work laptops end up getting used for personal.  And, let's be honest: for a lot of people, the line between work and home blends so completely that it's hard to even distinguish whether a particular laptop is a "work" vs a "home" one.  Especially for companies in a BYOD mode.

Some endpoint security goes a long way... corporate-grade antivirus with malicious traffic filtering is a good start.  Don't worry, it won't get in the way of your family's Fortnight habits -- it just sits in the background helping you stay safe.

Fact: Hybrid Networks Add Risk

What if you saw me in a coffee shop, on an unsecured wi-fi network, making an important retirement account funds transfer.  Good move?  No.

Although there is a good chance that everything goes fine, it's not wise at all to be on an unencrypted mixed-use coffee shop network with other unknown individuals, initiating financial transactions.

Defense-in-depth is our friend here: hopefully the coffee shop doesn't have an unsecured wi-fi network.  Hopefully all of the websites I'm touching have SSL.  Hopefully I don't have any ports open on my laptop.  Etc.

On the WFH cybersecurity front, the threat vector is a little more nuanced.  Instead of worrying about other patrons at the coffee shop, the concern worth exploring is around the various IoT devices proliferating in our homes, attached to our home networks.  I'm not so sure that I want that handy small-run specialty (really cool!) smart speaker connected to my network.  Because whatever software is running on it, and whatever/whoever controls it's software update mechanism, is "inside of my castle" from a security perspective.

WFH Cybersecurity: A Nuanced Challenge

WFH cybersecurity is achievable, and with the right steps a pretty hassle-free experience.  The biggest mistake would be to assume that the prior world (where some of us worked from home some of the time) translates to the current world (where many of us work from home all of the time) without any further cybersecurity precautions needed.

Want a hand sorting out WFH cybersecurity?  We're standing by to help.