IT Focus Area: security
April 1, 2020
How to Secure Your Home-based Workforce
As almost every business sends employees home to work remotely due to the COVID-19 pandemic, security challenges are starting to manifest.
Employees’ home environments are inherently insecure, with little to no controls around browsing, internet access, installation of applications, and Internet-of-Things (IoT) devices. People are either bringing their work computer into a potentially malicious environment or using their own system to access corporate resources.
Malicious cyberattacks are increasing as criminals seek to capitalize on the urgency and confusion surrounding the pandemic.
Whether you’re quickly adopting work-from-home policies or fine-tuning your current strategy, there are protective and essential steps you can take to secure a home-based workforce.
Securing the home network for remote workers
Even in households that are knowledgeable about security, a child’s computer can be compromised simply by downloading a game mod, and that infection can then spread across the home network.
There is no way to get all home-based employees to make their home networking environment as secure as their workplace—and employers should not expect that of them.
To secure a home-based workforce, organizations must:
- Secure the corporate “receiving” end of the transmissions.
- Secure the transmissions to and from the home and the corporate office.
- Provide basic guidance to employees for safe computing at home.
The most secure solution is to provide home-based employees with a secure laptop that is maintained by the company’s IT operations team. However, not all companies can readily afford such a program.
If your company can provide a secure corporate-managed laptop, there are still other precautions to take. A managed system (host) firewall will protect the laptop at home from every other device that may be on the home network. These system firewalls can be managed through system policy or through AV/EDR solutions, many of which offer this feature.
Securely using employee-owned or unmanaged systems
If your company has already embraced a bring-your-own-device (BYOD) philosophy for workstations, you are ahead of the curve. Many companies are now being forced into BYOD due to the global pandemic.
Controlling and managing data is a top security concern associated with a full BYOD approach.
Even with fully cloud-based systems, most people still download files locally. Those files get mixed in with personal files on the device and are forgotten over time. This creates a risk of data loss even when the organization has policies for handling its data and has trained employees on which behaviors and actions to avoid. Mobile device management (MDM) solutions can help organizations with these BYOD challenges.
Manage BYOD compliance with MDM solutions
MDM solutions protect phones, tablets and computers. A secure area is created on an employee’s personal device that can be used to store, manage and fully control the organization’s data. These secure areas are encrypted and protected from the rest of the operating system. They can also provide a simplified workspace for users where their corporate resources are available and organized.
Even with the use of an MDM solution, it is still necessary to enforce critical security controls on home systems before allowing access to corporate resources. Home systems should be updated with the latest patches, have a current operating system, and have an updated anti-virus (AV) or endpoint detection and response (EDR) tool installed. Most virtual private networks (VPN) and MDM solutions can detect out-of-compliance systems and deny access as needed.
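The compliance gate described above, as an added example that is not from the original article or any particular VPN or MDM product: a small posture evaluator that takes the attributes an endpoint agent would report (OS and version, patch age, AV/EDR status, disk encryption) and returns an allow/deny decision together with every control that failed. The thresholds, the supported-OS table and the sample device are assumptions chosen for the example.

```python
"""Device-posture gate in the style of the compliance checks that VPN and MDM
products run before granting a home system access to corporate resources.
Constructed example; the policy thresholds are placeholders, not values from
the article or any product."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Policy thresholds (assumed for this example).
MIN_OS_VERSION = {"windows": (10, 0, 19041), "macos": (10, 15, 0)}
MAX_PATCH_AGE_DAYS = 30        # last OS/security update must be this recent
MAX_SIGNATURE_AGE_DAYS = 7     # AV/EDR definitions must be this recent


@dataclass
class DevicePosture:
    """Attributes an MDM/VPN agent would report about the endpoint."""
    os_name: str
    os_version: Tuple[int, ...]         # e.g. (10, 0, 19041)
    last_patch: date
    av_installed: bool
    av_signature_date: Optional[date]
    disk_encrypted: bool


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def _fmt(version: Tuple[int, ...]) -> str:
    return ".".join(str(n) for n in version)


def evaluate_posture(p: DevicePosture, today: date) -> Decision:
    """Return allow/deny plus every failed control, so the user can be told what to fix."""
    reasons: List[str] = []

    # Current, supported operating system.
    minimum = MIN_OS_VERSION.get(p.os_name.lower())
    if minimum is None:
        reasons.append(f"unsupported operating system: {p.os_name}")
    elif p.os_version < minimum:
        reasons.append(f"{p.os_name} {_fmt(p.os_version)} is below minimum {_fmt(minimum)}")

    # Latest patches applied recently.
    patch_age = (today - p.last_patch).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        reasons.append(f"last patch is {patch_age} days old (limit {MAX_PATCH_AGE_DAYS})")

    # AV/EDR present with fresh signatures.
    if not p.av_installed:
        reasons.append("no AV/EDR agent installed")
    else:
        sig_age = None if p.av_signature_date is None else (today - p.av_signature_date).days
        if sig_age is None or sig_age > MAX_SIGNATURE_AGE_DAYS:
            reasons.append(f"AV/EDR signatures are stale (age {sig_age}, limit {MAX_SIGNATURE_AGE_DAYS})")

    # Local data protected at rest.
    if not p.disk_encrypted:
        reasons.append("disk encryption is not enabled")

    return Decision(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    today = date(2020, 4, 1)  # constructed date matching the article
    laptop = DevicePosture("Windows", (10, 0, 18363), date(2020, 1, 10),
                           True, date(2020, 2, 1), False)  # constructed sample
    d = evaluate_posture(laptop, today)
    print("ALLOW" if d.allowed else "DENY")
    for r in d.reasons:
        print(" -", r)
```

Returning the full list of failed controls rather than a bare deny is the design choice worth copying: a home worker who is blocked needs to know whether to install patches, update AV definitions or turn on disk encryption, otherwise the usual response is a help-desk ticket or an attempt to work around the control.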
Work with your AV/EDR provider to see whether you can extend licenses to home systems. Providing employees with enterprise-class security tools benefits them and gives the organization a safe system for employees to work on.
Secure home-to-corporate transmissions with VPN, SSO and MFA
Deploying a VPN client to all computers used by employees at home is a primary method for protecting the transmission of critical data to and from the home.
Using a VPN allows employees to access resources on corporate networks from home, secures all traffic in and out of the system, and enforces corporate network security controls and system monitoring.
One issue to consider is that some employees may disable their VPN to bypass security controls if they are blocked from areas they want to access. A forced (always-on) VPN is often recommended as the cure, because systems are then always on the network, managed and secured. Forcing a VPN connection means that whenever a system connects to a network, it automatically starts the VPN to ensure appropriate protection.
There can be some challenges with this approach in remote areas with spotty network coverage. Additionally, certain networks require authentication or acceptance of terms in a captive portal, but VPN clients are getting better at dealing with those situations.
If you don’t want to force VPN connections but still want to enforce content filtering and monitoring of internet access for systems, many firewalls or proxy systems include features that protect remote systems. These features are based on agents installed on systems to force the use of a firewall or proxy to analyze and protect internet traffic. While this can be done through policy and VPN settings, agents are much more effective. There are also fully cloud-native content filtering solutions that are client-based.
Implementing single sign-on (SSO) is another way to provide secure access to resources. With an SSO gateway, employees can access internal and external resources through a portal, which simplifies authentication by allowing users to use one username and password to access apps, data and resources. Landing pages can also be customized for different user groups to limit what is available based on role or function.
For any resource you provide to remote systems, whether it is a VPN, SSO gateway or Office 365, enforcing multi-factor authentication (MFA) for access to that system is also essential. Strong authentication on all systems is a must in today’s environment.
Securing the corporate network on the receiving end
Protecting the corporate network from potentially compromised remote systems is a major consideration.
Isolating applications behind an SSO gateway and allowing access only through it is an excellent method, but not all applications can be reached through a web-based portal. All incoming traffic that arrives through the VPN should be inspected by an intrusion detection system or a network detection and response system. Analyzing traffic from home workers helps identify risks and provides valuable insight into problems that could arise from overloaded network infrastructure.
Logs from remote systems, VPNs, SSO systems and identity solutions should also be analyzed and monitored with extra vigilance, because attackers are ramping up phishing attacks specifically to exploit the global pandemic. Managed services can take on that workload and help organizations maintain and monitor their security posture as staff resources are reduced or diverted to other areas.
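The kind of vigilance described above, as an added example that is not from the original article: a small detector run over constructed SSO/VPN login records that flags three signals a phishing campaign against home workers tends to leave behind, a successful login that bypassed MFA, a burst of failed attempts (including repeatedly denied MFA prompts) against one account, and successful logins for one user from two countries too close together to be genuine travel. The log format, field names, thresholds and sample lines are all assumptions made for this example; real products emit different fields, so the parser is the part to adapt.

```python
"""Phishing-era login monitoring over SSO/VPN authentication logs.
Constructed example: the key=value log format, thresholds and sample lines
are assumptions, not the output of any specific product."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Detection thresholds (assumed for this example).
FAILURE_WINDOW = timedelta(minutes=10)   # failures counted within this window
FAILURE_THRESHOLD = 3                    # this many failures in the window raises an alert
TRAVEL_WINDOW = timedelta(minutes=60)    # two countries inside this window is "impossible travel"

# Constructed sample log: ISO timestamp followed by key=value pairs.
SAMPLE_LOG = """
2020-04-01T08:02:11Z user=alice event=login result=success mfa=true src=203.0.113.7 country=US
2020-04-01T08:03:40Z user=bob event=login result=failure mfa=false reason=bad_password src=198.51.100.9 country=US
2020-04-01T08:04:02Z user=bob event=login result=failure mfa=false reason=bad_password src=198.51.100.9 country=US
2020-04-01T08:05:15Z user=carol event=login result=success mfa=false src=192.0.2.44 country=US
2020-04-01T08:10:00Z user=dave event=login result=success mfa=true src=203.0.113.50 country=US
2020-04-01T08:41:00Z user=dave event=login result=success mfa=true src=198.51.100.200 country=RU
2020-04-01T09:00:01Z user=erin event=login result=failure mfa=true reason=mfa_denied src=192.0.2.10 country=US
2020-04-01T09:00:30Z user=erin event=login result=failure mfa=true reason=mfa_denied src=192.0.2.10 country=US
2020-04-01T09:01:05Z user=erin event=login result=failure mfa=true reason=mfa_denied src=192.0.2.10 country=US
2020-04-01T09:01:40Z user=erin event=login result=success mfa=true src=192.0.2.10 country=US
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

Alert = Tuple[str, str, str]   # (rule, user, detail)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Turn one 'timestamp k=v k=v ...' line into a dict; None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        rec: Dict[str, object] = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")}
    except ValueError:
        return None
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def detect(lines: List[str]) -> List[Alert]:
    """Single pass over login records, keeping only per-user state."""
    alerts: List[Alert] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    last_success: Dict[str, Dict[str, object]] = {}
    burst_reported = set()

    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.get("event") != "login":
            continue
        user, ts = str(rec["user"]), rec["ts"]

        if rec.get("result") == "success":
            # Rule 1: a success that did not go through MFA violates the policy outright.
            if rec.get("mfa") != "true":
                alerts.append(("success_without_mfa", user, f"{ts:%H:%M:%S} from {rec.get('src')}"))
            # Rule 3: same user, different country, inside the travel window.
            prev = last_success.get(user)
            if prev and prev["country"] != rec.get("country") and ts - prev["ts"] <= TRAVEL_WINDOW:
                minutes = int((ts - prev["ts"]).total_seconds() // 60)
                alerts.append(("impossible_travel", user,
                               f"{prev['country']} -> {rec.get('country')} in {minutes} min"))
            last_success[user] = {"ts": ts, "country": rec.get("country")}
        else:
            # Rule 2: sliding window of failures per user (wrong passwords or denied MFA prompts).
            window = failures[user]
            window.append(ts)
            while window and ts - window[0] > FAILURE_WINDOW:
                window.popleft()
            if len(window) >= FAILURE_THRESHOLD and user not in burst_reported:
                alerts.append(("failure_burst", user,
                               f"{len(window)} failures within {FAILURE_WINDOW.seconds // 60} min, "
                               f"last reason={rec.get('reason', '?')}"))
                burst_reported.add(user)
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG):
        print(f"[{rule}] {user}: {detail}")
```

Against the sample, bob's two wrong passwords stay below the threshold and produce nothing, while carol (no MFA), dave (US then RU within 31 minutes) and erin (three denied MFA prompts in just over a minute, then a success) each raise one alert. Erin's pattern is the one to treat as a likely phished password: the attacker already has the credential and is prompting the user until one push is approved, so the follow-up is a password reset and a session review, not just a note in the log.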
Prepare for a remote workforce with a technology partner
Whether you’re being forced to implement work-from-home strategies now or you’re fine-tuning policies already in place, a security technology integrator who is equipped to maintain an effective level of support and involvement can be an essential partner.
Your technology partner should take a collaborative approach to determine the best strategy for securing your remote workforce. They may also be able to identify solutions you already have that can be further utilized to help provide secure access for your home-based employees.
A security technology integrator can also use their relationships with world-class technology providers to help you develop the best strategies to meet your unique needs and take advantage of any extended temporary or emergency license offers that are available from leading technology vendors.