Totally Avoidable Work-From-Home Security #Fails

For years, work-from-home security took a backseat to office security.  Then suddenly, everything changed.  Work-from-home security became just as important as (and sometimes more important than) office security.  As companies grapple with how to make the dream of work-from-home security a reality, there are a handful of totally avoidable work-from-home security failures that have come to the forefront.  Here are some of the biggest ones.

BYOD with No Endpoint Security

In a work-from-home context, a very large number of companies shifted their BYOD (Bring Your Own Device) policies.  The flexibility to do some work from a personal laptop or phone became the norm.  We think that's reasonable for most companies: to be blunt, there were many companies that didn't even have enough well-provisioned hardware to get each employee precisely the equipment they needed at home when the COVID-19 pandemic arrived.

The totally avoidable fail: allowing BYOD may be necessary or desirable, but organizations should provide some endpoint security for all such devices.  After all, it's beneficial to both the employee and the company to have those endpoints safe from commonplace threats like malware.  If your company allows BYOD, we'd urge you to supply employees with some endpoint security for those devices. [Advanced Reading: What does WFH minus DNS Filtering equal?]

Self-Managed Password Storage

Shadow IT has a habit of growing rapidly when an organization becomes more decentralized.  And what could be more decentralized than having almost all employees working from home?  So, what happens when an employee unexpectedly leaves the company -- or is terminated by the company?  There tends to be quite a bit of friction in figuring out what third-party web apps an employee used, and what credentials they used to access those systems.  Sometimes that transition becomes suddenly urgent, depending on the circumstances of the separation.  Having a game plan that includes company-supplied enterprise-grade password managers can be a huge boost towards a smooth transition as the departing employee signs out for the last time.

The totally avoidable fail:  trying to figure out what credentials the former employee held is a bit of a forensic exercise.  It's frustrating.  It's a symptom of a work-from-home security fail.  And it's a total waste of time, relative to the low-cost, simple effort of proactively rolling out an enterprise-grade password manager to all employees during their onboarding.  That's easy to do, and saves the frustrating forensic investigation of trying to piece together the puzzle of what accounts a former employee held in various Shadow IT (and approved IT) systems.  [Advanced reading: 9 Foolish Ways to Erode Your Password Security]

Forgetting to Set Up a VPN

One of the first realizations that most companies had about work-from-home security was the high variability in home router hardware and configuration across the employee base.  Many had whatever router Comcast plugged in.  Others had varied internet providers each with their own router models and configurations.  Others had purchased networking hardware on Amazon and self-installed it.  Still others didn't control their home network configuration at all: they lived in a shared apartment or condominium where a roommate handled the technology setup.  None of this is comforting to an IT security professional, and that's when VPN providers experienced a sudden uptick in new customer inquiries.  Virtual Private Networks, when used correctly, help to establish a safely encrypted connection between the remote worker's laptop and the corporate infrastructure.  It's a welcome (and often essential) element of setting up remote workers safely.

The totally avoidable fail:  we genuinely cannot explain why companies would choose to roll the dice in allowing employees to work from home with unknown network configurations and no VPN.  Work-from-home security is directly compromised by this set of decisions.  Setting up a VPN is simple, cost-effective, and provides a high degree of comfort to combat the fears associated with employees using all manner of home networking technologies.

Wrapping Up: Work-from-Home Security

Remote work has helped many companies become more resilient to pandemics, natural disasters, and more.  That's a wonderful improvement for companies that previously had no gameplan for operating in any environment other than their physical office footprint.  However, totally avoidable work-from-home security failures are lurking -- and we hope the simple explanations above help you stay away from some of the biggest ones.  Want to talk more deeply?  We're standing by.