Working from Home Securely

The COVID-19 pandemic forced a rapid shift to remote work in early 2020. While some workers have returned to offices, remote and hybrid arrangements persist for many. By some estimates, over 60% of jobs now have a remote component.

However, this rise in working from home creates new security challenges. Home networks tend to be less secure than corporate ones. Sensitive data is more dispersed and harder to control. It's even worse if workers use personal devices lacking security measures found on company equipment.

As security professionals, we must help our organisations and employees adapt. This article covers remote work’s primary information, cybersecurity risks, and pragmatic management steps. This article also offers some tips to make security easier for remote workers, recommended training, and common pitfalls to avoid.

Key Security Risks When Working from Home

When enterprise data and apps leave corporate offices, new dangers arise:

• Unsecured home Wi-Fi and networks: Most home internet routers use weak security, like old WEP or WPA standards. Default admin passwords often remain unchanged. This makes it easy for attackers nearby to access home networks and connected devices. Flawed router settings may also unintentionally expose devices to the open internet.
• ?Increased phishing and social engineering: Workers rely more on digital messages and web services from afar. This expands the attack surface for phishing emails or calls. Isolated workers may also be more vulnerable to social engineering that takes advantage of their lack of direct contact with IT/security teams.
• More data theft and loss scenarios: At home, sensitive hard copy documents can be misplaced, stolen by visitors, or discarded un-shredded. Unencrypted device loss or theft also becomes more likely. Tools, like securely deleting local data or wiping lost mobiles remotely, become essential.
• Security holes in personal apps and devices: When personnel must use their equipment, they lose control over device security. Personal gear likely lacks endpoint protections like hardened configs, VPNs, malware scanning, or prompt patching. Supply chain apps and cloud services may also need more encryption and access controls.
• Compliance and regulatory challenges: Regulated industries like healthcare and finance face strict legal data security and privacy requirements. For example, leaving medical records or accounts unsecured at home could violate laws like HIPAA or GLBA. Compliance with good security controls becomes much more challenging across distributed home setups.

?

?Improving the Security Posture of Remote Work

Despite these risks, secure remote work is achievable. As information security leaders, we bring experience from decades of technical risk management. Now, we adapt those skills to a new environment.

Recommended priority areas include:

• Secure home Wi-Fi and networks: Insist staff use WPA2 or WPA3-protected Wi-Fi only at home, with unique solid passwords in router admin consoles. Disable old unsafe protocols like WEP and WPS. Guide staff to check for and install router firmware and security updates.? You should help less tech-savvy personnel with proper router configuration. Consider providing mobile hotspots or upgraded home internet/Wi-Fi service as a security investment. Also, explore solutions that automatically apply firewall and threat protection.
• Install VPNs on corporate devices: Virtual Private Network (VPN) tools encrypt data in motion over any network. They prevent snooping on open Wi-Fi and enhance endpoint security. Mandate VPN usage for any work done at home via your corporate solution or safe alternatives like OpenVPN.
• Secure endpoints with MDM/ECM controls: Mobile Device Management (MDM) and Enterprise Client Management (ECM) platforms enforce security policies and deploy software on end-user devices. Utilise them to push settings like forced encryption, password/PIN locks, wiping stolen devices, limiting data sharing, and blocking untrusted apps.
• Provide secure equipment alternatives: Ideally, staff would only use company-managed laptops and phones for any sensitive business. If personal gear must be used, support ways to containerise work apps/data. Solutions like corporate VDI, app sandboxing, and as-needed cloud virtual desktops keep things secure while allowing personal device use.
• Expand security training and awareness: Update training programs on the latest remote work threats, defence tactics, and relevant security policies/compliance duties, and test comprehension through more frequent simulated phishing, social engineering, and online cyber-education initiatives. Tailor guidance to home environments versus offices.

Adapting these basic measures will significantly lower information security risks that otherwise rise with more remote work.

?

Additional Tips for Simplifying Secure Remote Work

While every industry and organisation faces unique threats, we can build on standard methods to make remote work security easier:

• Supply Secure Equipment: Ideally, provide corporate laptops, phones, authentication tokens/cards, and other gear to staff needing remote access rather than allowing personal devices whenever plausible. This avoids many endpoint risks.
• Subsidise Home Office Upgrades: Consider grants or stipends to help employees upgrade home internet speeds, Wi-Fi routers, desks and chairs, and related equipment to make their environments more work-appropriate.
• Embrace the Cloud: Migrating apps and data to well-secured cloud platforms simplifies access from anywhere while centralising data protection. Rely on cloud storage over local files when possible.
• Standardise Configurations: Create secure standard disk images, documented policies, and device management scripts to simplify configuring endpoints consistently. Automate associated security tasks like patching.
• ?Segment and Limit Access: Utilise zero-trust architecture ideals like micro-segmentation and minimum access to compartmentalise data and apps. Limit wider exposure from any one compromised home.?
• Encrypt Everything: Mandate storage encryption for devices, cloud services, apps, databases, communications, and more to render stolen data useless.
• Support Secure Collaboration: Provide conferencing and productivity tools allowing team chat, document co-editing, video meetings, project management and more with end-to-end encryption, access restrictions, data protection, and secure authentication included.
• Track & Audit Activity: Increase scrutiny by monitoring remote access attempts, endpoint telemetry, data access logs and usage for abnormal behaviours. Perform deeper incident investigation and response via enhanced network monitoring and forensics tools. These examples reduce demands on users through secure standardisation while protecting access, apps, and data more granularly. With solid policies and configurations defined, even less sophisticated home users stay protected.

?

Crucial Security Training for Remote Workforces

Expanding staff knowledge complements technical protections to combat emerging remote work threats:

• Secure Home Networking Essentials: Guide personnel on properly configuring home routers, Wi-Fi, firewalls, and VPN services critical to safe remote access.
• Secure Endpoint Usage Best Practices: Share how to safely operate managed or personal devices, avoid malware, and follow loss/theft response protocols.
• Safe Handling of Company Data: Train workers on securely accessing, editing, sharing, and storing sensitive files per applicable data policies, whether online or locally.
• ?Secure Messaging and Video Conferencing: Review policies and best practices for messaging apps, document sharing, virtual meetings, and webinars to prevent data leakage.
• Recognising Social Engineering Tactics: Teach personnel how to identify and report increasingly sophisticated phishing attempts, suspicious calls/emails, SMS scams and impersonation risks.?
• Proper Incident Reporting: Ensure staff knows how and when to report potential security incidents like lost mobiles or suspected cyber threats per defined response protocols.

Arming your remote teams with the knowledge they need to work safely and stay vigilant against evolving social engineering and cyber threats is essential. Route all personnel through updated educational campaigns most relevant to home-based work. Test knowledge over time and keep guidance current on the latest risks and response plans.

?

Top Mistakes to Avoid with Remote Work Security

As your organisation navigates the future of hybrid and remote work, sidestep these common pitfalls for tighter security:

• Tolerating outdated or risky legacy security tools and architectures rather than modernising.
• Failing to overhaul cyber-awareness training programs to address work-from-home threats.
• Allowing staff to access apps, VPNs or data via personal mobile devices lacking endpoint protections.
• Neglecting data loss prevention and encryption safeguards beyond the office perimeter.
• Not enhancing distributed teams’ network monitoring/logging and incident response readiness.
• Using consumer chat, file sharing and web apps that lack enterprise security measures sufficient for sensitive data.?
• Assuming home environments have adequate physical and wireless network protections without validation.
• Inconsistent remote work cyber-policies and compliance practices risk gaps between offices.
• Lack of visibility and controls over external services, cloud apps, and shadow IT introduced by remote personnel.

Prioritise securing home networks and devices, upgrading secure access tools like VPNs, implementing robust data protections like encryption, and expanding staff security knowledge via training against work-from-home risks. Continue to align expanded INFOSEC capabilities closely with remote work needs rather than tolerating gaps.

?

Embrace This Chance to Advance Security Posture

The overnight expansion of remote work mandates significant changes to longstanding security models. But it also gives us a unique opportunity to modernise access, data, apps, and staff protections.

Rather than reacting only to direct threats from distributed work, use this transition to shore up identity and access management architecture, harden data lifecycle defences, rationalise shadows IT and advance cloud security. The right strategies allow remote-friendly flexibility without sacrificing standards or compliance duties across the enterprise environment.

If higher education, healthcare networks and even intelligence agencies can innovate security to enable agile remote work, so too can commercial enterprises.

?

Stay Ahead via Continuous Improvement?

Cyber threats facing teleworking staff will continue advancing. Accept that change is constant. Evolve information security capabilities steadily through robust risk assessments, updated infrastructure, and renewed training. Avoid stagnation.

Ensure policy review processes adapt to address novel risks. Monitor network patterns to catch abnormal behaviours that could signal incidents. Pay attention to software supply chain vulnerabilities that may impact home machines.

Most importantly, solicit regular feedback from remote workers to uncover challenges security leaders miss. Use their experience to drive pragmatic enhancements aligned with real teleworking safety needs.?

?

The Work from Anywhere Era is Here

Prior public health, energy, and weather crises previewed mass shifts toward remote work that digital transformation now makes permanent. With no commute limiting job options, more workers will change where they physically reside. Enterprise security must accordingly be updated around protecting productivity and data wherever staff connect rather than relying on office perimeter defences.

As leaders, we must enable secure, compliant access and safe collaboration from any site. That includes home networks. Through training and partnerships, ensure staff take shared responsibility for security hygiene, too. By sustainably improving information security posture, distributed workforces can thrive while protecting data appropriately.

This article aims to help drive practical security advancements for remote organisation employees. Please share other proven risk reduction strategies and lessons learned safeguarding work-from-home programs in the comments below.

Overcoming Resistance to Remote Work Security Investment

Despite the risks outlined and solutions available, some leadership still resists adequately investing in secure remote work capabilities. This hesitation takes several forms:

• Financial Concerns: Upgrading home equipment, licensing more VPN connections, implementing MDM/ECM platforms, and expanding cloud resources do cost money. Leaders focused only on immediate budget impacts may need to pay more attention to the long-term value of more vital INFOSEC unlocks across potential work models.
• Lack of Technical Understanding: Well-meaning but less tech-savvy decision-makers need help to evaluate the intricacies of zero-trust architecture, multifactor authentication, micro-segmentation, or related measures. Without grasping how protections map to threats, reluctance follows.
• Compliance Uncertainty: Heavily regulated organisations aren’t always sure how enhanced enforcement of HIPAA, PCI DSS, GDPR or other expanded mandates may impact remote work. Ambiguity on what satisfies compliance for home setups causes reluctance to allow them.
• Productivity Perceptions: Some still cling to outdated notions that distributed teams collaborate less effectively and are more complicated to manage than in-office staff. Despite data showing remote workers can be just as or even more productive.
• Office Culture Resistance: Leaders invested in traditional centralised HQ office culture often perceive remote or hybrid arrangements as making oversight more difficult. This biases them against distributed security capabilities, too.

Overcoming each factor requires shifting the mindset around distributed teams via education and evidence. For financial concerns, stress reduces real estate costs, and remote work provides higher retention and recruiting leverage. Quantifying lower malware impacts and faster response times from modernised security can offset upgrade costs.

Has compliance teams mapped expanded controls like endpoint protection and encrypted collaboration tools directly to relevant regulation duties? Support better productivity measurement while highlighting management tools that ease visibility over hybrid teams. And showcase how culture evolves regardless, thanks to workforce generational shifts and tech advances that are already enabling more flexible work models.?

The pandemic proved many stale assumptions wrong by showing that even regulated industries can operate securely from anywhere. Reinforce that remote need not mean risky. Modern solutions allow distributed teams to collaborate safely thanks to internet scale. Sustained leadership engagement centred on understanding these themes remains instrumental to accepting requisite permanent security enhancements like those covered in this article.

Final Thoughts?

Remote and hybrid workers are here to stay across many industries thanks to potent technology enablers. This necessity born from a global crisis also gives security leaders a mandate to transform outdated legacy models into modern architectures resilient against rising threats.

Rather than reacting only to deal with the complications of working from home, harness this chance to build more innovative distributed systems poised to adapt long-term securely. Commit to sustained maturity advancement. I am migrating apps to the cloud, enhancing identity governance, automating device hardening, expanding staff training, and implementing data-first protections to create new stability and agility.

Distributed teams represent the new normal. Make security the enabler rather than a blocker to that flexible future state. Stay vigilant in protecting against novel risks outside the office perimeter while empowering workers through education and providing secure standard toolsets. Resist stagnation. Continual alignment of access governance, BYOD management, teleworker monitoring and training with remote work needs ensures these integral knowledge workers remain productive AND protected moving forward.

The solutions explored here offer a roadmap to securely embracing remote work’s rise across global organisations. I welcome your insights into overcoming associated cybersecurity challenges. Please share the most significant lessons you learned on this journey.

?