The title is a double entendre when thinking of that aspect of security – online security that is. The global pandemic has forced on us the need to safeguard our well-being while still maximizing our productivity and throughput in our careers and/or day jobs. “Work from home” took on an all-new meaning from what it was ten years ago, when such a moniker could probably best describe the role that our moms fulfilled for us and the family, elevating that noble domestic profession from what most would consider daily chores. To some, “Remote work” would probably best describe that search for the ever-elusive work-life balance.
The advent of the work-from-home concept has elevated the art and science of online security to our consciousness. On the other hand, there is the belief that the biggest threat to the ever-thinning layer of security could not be that far and disengaged from us.
There is no doubt that we do take our security and that of our family seriously, especially in our homes. Deadbolts and double locks for some, intrusion detection and alarm systems for others and, in a growing number of cases, the free exercise of our second amendment rights. Securing our home comes easy when there are physical barriers or walls that enclave us within our abode. However, in the virtual world, those walls are non-existent; and the dangers that lurk in the vastness of cyberspace could be greater than the sum of all our fears. Lest our hopes are dashed, I believe we need to start by accepting the fact that in this day and age, the comfort of our very homes poses a clear and present danger to the workplace.
For IT practitioners, the work-from-home arrangement is not a new concept; it was a need thrust into the industry with the ever-increasing demand for technology to make lives easier. I’ve personally seen this trend when companies started outsourcing their technology support needs in the early to mid-’90s, fueled in part by the largely ungrounded fears that the millennium bug would bite and forever haunt us. Working for Citibank in the ’90s, I was part of that contingent that kept mainframe systems refreshed and running day-in and day-out. It was queer that as a mainframe programmer, it took me 3 full years before I even saw one up close; those expensive machines were typically located thousands of miles away in another part of the globe. We were thus working remotely since programmer and machine were miles apart even though connected in near real-time. Computer Security was not that big of an issue at that time since we were working with what the industry then called “dumb” terminals – those green-screened abominations of later technology with very little and limited processing power – nothing much existed outside the realm of those terminals. A hacker would then need to willingly trespass into a guarded physical office to get access to those “dumb” terminals in order to do something sinister. The cloak of anonymity was just never readily available then.
The globalization trend did not spare the IT industry, and currently, there is probably nothing that the ubiquitous IBM PC and its descendants could not do anytime, anywhere. Adding mega and giga prefixes to our online throughput per second has all but torn the walls of online defense bit-by-bit (pun intended) faster than the time it took democracy to topple the Berlin Wall. But is there really a need to secure our work environment from the threat of our homes? Where do we even start?
Devices
A great first step is to consider the endpoint from which we will be working. Is it a laptop that belongs to your employer? If so, does your employer possess an ISO 27001 certification? If so, great! It should already be subject to your organization’s stringent cyber protections, including security software and policies regarding local admin access, web filtering, and application control. Better think twice before using a personally-owned computer or laptop that has not been hardened (unless of course, all you use it for is to log in to a thin-client from where you do all your work); doing so exposes you to liability if sensitive information is ever leaked to third parties with you as the unwitting man in the middle. Endpoint security focuses on four key security aspects: 1) malware prevention, which stops computer viruses and malware threats in their tracks; 2) disk encryption, which protects sensitive data in case of lost or stolen devices; 3) endpoint detection and response (EDR), which monitors for cyber-attacks on the endpoint device; and 4) multifactor authentication, which strengthens user identification beyond a plain and highly insecure username and password combo, which anyone who captures it can readily supply, by requiring more pieces of evidence: knowledge (something only the user knows, e.g., a PIN), possession (something only the user has, e.g., a USB stick or token that produces a randomized one-time passcode), and inherence (something only the user is, e.g., biometrics – fingerprint or iris). Again, be aware that working from home using personal computers can introduce security risk factors that are out of your control; by allowing personal device use for company work, you are accepting that risk.
Access
How access is provided will dictate what sort of protections need to be put in place. Ideally, the same protections should be in place for remote workers as for in-office workers. This could mean implementing secure Remote Desktop Protocol (RDP) access for users to work from and requiring users to utilize a corporate Virtual Private Network (VPN) to secure the connection when working from public or home wireless networks.
Connectivity
Wi-Fi has become such a standard and necessity that whenever visitors come a-knocking into our homes, the next phrase that usually comes after “Hello, how are you?” is “What’s the Wi-Fi password?” A good mantra is “trust no one”; and that includes anyone who attempts to connect to your Wi-Fi. Check that your router is set to use the WPA2/AES protocol, which should take care of encrypting your home network connection and securing it from snoops, and that includes your neighbor who may be piggy-backing off of your wireless network to skip the bill. And yes, do create on-demand, time-limited guest accounts for the use of those welcome visitors but otherwise pesky bandwidth hogs.
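One way to run the WPA2/AES check above from a laptop rather than the router's admin page, as an added example that is not part of the original article: it flags scan entries that are open or still offer WEP, WPA1 or TKIP. The sample listing is constructed, and its layout is assumed to match the terse output of `nmcli -t -f SSID,SECURITY,WPA-FLAGS,RSN-FLAGS device wifi list`.

```python
# Constructed sample scan listing (not real networks).
# Assumption: fields are colon-separated and a literal ":" is escaped as "\:".
SAMPLE_SCAN = r"""HomeNet:WPA2:(none):pair_ccmp group_ccmp psk
Guest\:Lounge:WPA1 WPA2:pair_tkip group_tkip psk:pair_tkip pair_ccmp group_tkip psk
OldPrinter:WEP:(none):(none)
CoffeeShop::(none):(none)
Upstairs:WPA2 WPA3:(none):pair_ccmp group_ccmp psk sae
"""

def split_terse(line):
    """Split one terse line on unescaped colons, honouring backslash escapes."""
    fields, current, escaped = [], [], False
    for ch in line:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
    fields.append("".join(current))
    return fields

def audit_network(security, wpa_flags, rsn_flags):
    """Return findings for one network; an empty list means AES-only WPA2/WPA3."""
    modes = set(security.split()) - {"--"}
    flags = set(wpa_flags.split()) | set(rsn_flags.split())
    findings = []
    if not modes:
        findings.append("open network, traffic is unencrypted")
    if "WEP" in modes:
        findings.append("WEP is enabled")
    if "WPA1" in modes:
        findings.append("legacy WPA1 is enabled")
    if any(flag.endswith("_tkip") for flag in flags):
        findings.append("TKIP cipher is offered")
    return findings

def audit_scan(text):
    """Map each SSID in a terse scan listing to its list of findings."""
    report = {}
    for line in filter(str.strip, text.splitlines()):
        ssid, security, wpa, rsn = (split_terse(line) + [""] * 4)[:4]
        report[ssid] = audit_network(security, wpa, rsn)
    return report
```

A router left in WPA/WPA2 mixed mode shows up here like the constructed `Guest:Lounge` entry: WPA2 is listed, but WPA1 and TKIP are still accepted.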
Cloud
While technically it is in the realm of science, this has nothing to do with meteorology. Cloud computing has been synonymous with, and a great catalyst of, remote computing/virtualization, especially when dealing with file storage and having data distributed over multiple locations from central servers. Storing files in the cloud is helpful not only when it comes to backup but also for the ability to access up-to-date files from anywhere and any device, as well as for collaboration when needed to share files with others or track changes to a common document file. While enterprise clouds are relatively secure owing to redundancy and hardening policies in place in most industries, using cloud storage outside the boundaries of the workplace can expose your data to just about anyone. A reputable cloud storage service or provider would normally protect files behind layers of encryption and isolate them using two-factor authentication; however, it may come at a price. Be wary of “free” cloud storage or service that is being advertised as an innovative product; in the IT world there’s no such thing as a free ride: if you are not paying, then you are the product. Think of the brisk business of selling private, personally identifiable information to the highest bidder, then repackaging the same to be archived into the wily and often dangerous dark web. Trust me, you do not want your information out there to serve as a prelude to someone taking over your identity.
Layers of Security
At the minimum, online security needs four layers, just as there are four walls to our home; these are the facets by which undeniable encryption must be established, maintained and strictly guarded to ensure the confidentiality, integrity and availability of our data and workplace information at all times:
- Device Endpoint security – malware prevention and disk-based encryption to secure local data at rest.
- Access security – VPN connectivity to encrypt data in transit.
- Signal Encryption – WPA2-AES protocol to encrypt your home network.
- Cloud Encryption – File-based encryption to secure shared or virtual data at rest.
One More Thing
To top it off, a greater percentage of the office-bound workforce is still not used to working remotely, so the number of calls to the support desk will increase dramatically. Make sure that you do not fall for tech support spoofing or scams, especially when providing support staff remote access to your computer to do troubleshooting. Be mindful that you are dialing the correct tech support hotline and never ever provide your password or PIN to anyone, not even on orders of the president of your company!