How to secure the home office: 8 priorities

Many knowledge workers now effectively serve as the chief information security officer (CISO) for their own homes. Emphasize these eight areas to help remote employees protect data, machines, and home networks
300 readers like this.

In most ways, the business world is more prepared now than at any point in history to move employees to a work-from-home (WFH) model. Tools like videoconferencing software, cloud collaboration suites, mobile devices, and nearly ubiquitous home WiFi have helped many companies to seamlessly make the switch, nearly overnight.

But at the same time, technology is moving faster than ever, and hackers grow increasingly sophisticated every day. Working at home, employees are not protected by enterprise cybersecurity solutions like firewalls. In effect, many knowledge workers are currently serving as the chief information security officer (CISO) for their own homes.

Attackers know that unprecedented numbers of people are working from home these days, and they’re poised to take advantage of the situation. We’ve already seen an increase in things like fake invoices designed to trick employees into opening malicious attachments, and hackers are even trying to spread malware by setting up dummy websites with the word “COVID” in the URL.

[ For more on this topic, read Remote work security: 5 best practices.]

Home office security: 8 areas to focus on

Here are eight things IT leaders should be emphasizing to help WFH employees protect their data, machines, and home networks.

1. Segmentation

Most non-IT workers don’t know anything about network segmentation – why would they? But now that they’re working remotely, employees should take steps to segment their home IT environments as much as possible (or as is practical).

Work machines, for instance, shouldn’t be used for personal activities like social media, entertainment, or general web browsing. And they certainly shouldn’t be used by other family members, including children, who may unwittingly download malicious code.

For IT professionals, all this may seem obvious. But remember, many employees are working at home for the first time, and some are helping their kids, who may not have their own devices, engage in remote learning activities. A little guidance from corporate IT leaders can go a long way.

2. Patching

Even within enterprise networks, the failure to patch systems is a huge source of compromise and breach. To the extent possible, organizations should try to remotely patch employee devices as soon as patches become available. (Often, IT shops take three to six months to push out patches, giving attackers ample time to exploit vulnerabilities.) IT leaders should also guide employees on how to patch their home Wi-Fi routers – and teach them to steer clear of fake patches by checking patch certificates.

3. Phishing

Social engineering attacks like phishing emails remain an extremely dangerous and effective attack vector, with up to two-thirds of malware being spread by email. One in ten phishing emails succeeds, and with any sizable company’s employee base receiving multiple attempts per day, people will inevitably click on malicious links or download infected attachments if they don’t know what to watch out for.

In addition to providing employees with appropriate email filtering tools, IT leaders should train remote workers to watch out for suspicious messages by closely inspecting email addresses and calling to verify legitimacy when in doubt.

4. Router lockdown

Many people install their home router and then never give it a second thought.

Many people install their home router and then never give it a second thought. IT leaders should make sure that employees know the IP address of their routers so they can log into the device, change the default password, and use the MAC address lockdown feature to allow only specific devices onto their home networks.

5. Backups

Warn workers about deleting files from devices that are synced via applications like Google Drive or iCloud.

If employees are storing data locally on their laptops or mobile devices, they must be taught how to regularly back up their essential data. Also, IT leaders should be sure to warn workers about deleting files from devices that are synced via applications like Google Drive or iCloud, since this will also delete the data from all synced devices.

6. Password hygiene

Even if your employees have moved past weak, easy-to-guess passwords like “12345,” “iloveyou,” or “p@ssword,” many of them are likely storing their passwords on an unencrypted document on their laptop. If hackers get their hands on that document, all of the user’s accounts will be in danger. When possible, organizations should equip remote workers with password managers and multi-factor authentication solutions.

7. VPN

A virtual private network (VPN) ensures that every message sent by employees will be encrypted, providing a secure connection to corporate servers. IT leaders should not only provide remote workers with access to a VPN, but they should also take steps to ensure that employees are using the feature when appropriate.

Avoiding attacks isn’t only about being smart; we see highly educated, successful professionals fall for phishing attacks all the time.

8. Training

Avoiding attacks isn’t only about being smart; we see highly educated, successful professionals fall for phishing attacks all the time. The real key to staying safe is training. And if only IT leaders are up on the latest threats and how to avoid them, attacks will inevitably succeed – especially with so many people working outside the walls of the enterprise. Constant internal and external training throughout the organization is necessary to maintain an aggressive cybersecurity posture. The better people understand possible attacks, the better equipped they’ll be to defend themselves.

During the past couple of months, we’ve seen that employees can largely be just as productive at home as they are in the office. With the right mix of tools and training, they can be just as safe, too.

[ Culture change is the hardest part of digital transformation. Get the digital transformation eBook: Teaching an elephant to dance. ]

Dr. Abel Sanchez holds a Ph.D. from the Massachusetts Institute of Technology (MIT). His areas of expertise include the Internet of Things (IOT), radio-frequency identification (RFID), simulation, engineering complex software systems, and cyber-physical security. He teaches graduate courses in Information engineering, cybersecurity, and software architecture.
John R. Williams is a Professor of Information Engineering and Civil and Environmental Engineering at MIT. Professor Williams holds a BA in physics from Oxford University, an M.Sc. in physics from UCLA, and a Ph.D. from Swansea University. His area of specialty is large scale computer analysis applied to both physical systems and to information.