Attacks against employees (and by extension, against your company) can extend to their homes (see here on doxing and swatting executives).
One concern is home Wi-Fi, which becomes a threat vector as soon as an employee connects corporate assets to it. Some thoughts on ensuring that home networks do not become a major cyber threat:
1. Bring certain execs into the IT fold. For the most senior executives, the home should be seen as an extension of the corporate IT infrastructure. IT may choose to maintain such networks and ensure compliance with home network safety.* At minimum, corporate users should treat home Wi-Fi as untrusted and should reach corporate networks only through a virtual private network (VPN). (Not using one? Your company should…please see here). Another category of employee whose personal space may need to be treated as within the corporate IT infrastructure is anyone who holds admin privileges and whose job requires exercising them from home.
2. Policies should ensure proper VPN use. Corporate policies should cover home network security (and storage) if they are used for corporate access. This includes:
- Maintaining an adequately secured home network environment.
- Using two-factor authentication and good password hygiene for the VPN (a long, complex passphrase of numbers, letters and symbols that is used nowhere else).
- Maintaining the physical security of computers.
- Ensuring that their computers are up to date with security patches and anti-virus definitions.
- Ensuring that VPN sessions are shut down properly before engaging in other tasks or leaving the computer unattended.
- Not sending corporate information outside the VPN or storing corporate information on personal machines; issuing encrypted company devices reduces the exposure from loss or theft, though it does not by itself stop data from leaving the VPN.
3. Home network standards. The enterprise should set minimum standards for any home network that users wish to have touch corporate information or data. As said, a key vulnerability is Wi-Fi.
According to the FCC and others, users should:
- Turn Encryption On. WPA2 (or WPA3 where the hardware supports it) with a long, unique passphrase is an effective standard; WEP is not, and neither is an open network. WPA2-PSK is only as strong as the passphrase, and WPS (the push-button/PIN pairing mode) should be disabled, since its PIN mode is a known weakness.
- Turn the Firewall On.
- Change default passwords and admin names (“Admin” and “Password” are quite common). Disable administration of the router from the Internet side while you are in those settings.
- Change the default name of the network (SSID), as the factory name can tell an adversary the make and sometimes the model of the hardware.
- Turn network name broadcasting off; there is no need for anyone to “see” your network.
- Use the MAC Address Filter to include only your devices. (A caveat on these last two: a hidden SSID is still disclosed by the devices that connect to it, and MAC addresses travel in the clear and are trivially spoofed, so treat both as hygiene rather than as security controls.)
I would add to this list:
- Replace hardware regularly; routers are not overly expensive, and vulnerabilities in old models are shared quickly. Unfortunately, this is not a complete solution, as routers are known to ship with vulnerabilities already on board. Indeed, The Wall Street Journal commissioned a security researcher to test 20 popular Internet routers purchased new in the second half of 2015. Ten arrived with known, documented security weaknesses.
- Update router firmware and software regularly. This can be difficult to do: the same Wall Street Journal study found that ten of the routers had cumbersome update functions, including manufacturer websites providing incorrect information.
- Change passwords regularly and maintain good password hygiene.
- Make sure that file and printer sharing settings are properly set.
- Ensure that all malware protection is fully up to date and in use.
- Understand what IoT connected devices are in use and how they are using the network. IoT devices can have very poor security profiles; see my piece on this here.
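One way to make a minimum standard like the one above enforceable is to turn it into checks. The following is an added Python example for this article (not code from the original post, the FCC or Kaspersky); it reads a router's settings from a vendor-neutral dictionary whose field names, default-SSID patterns and sample values are all assumed here for illustration, and reports a finding for each standard the configuration fails.

```python
"""Audit a home router's Wi-Fi settings against an enterprise minimum standard.

Example code added for this article. The configuration keys are an assumed,
vendor-neutral layout, not any manufacturer's real export format.
"""
import re
from dataclasses import dataclass

# Constructed sample: values a user might read off a router's admin pages.
SAMPLE_CONFIG = {
    "ssid": "NETGEAR52",
    "encryption": "WPA2-PSK",
    "wifi_passphrase": "password1",
    "admin_username": "admin",
    "admin_password": "password",
    "firewall_enabled": False,
    "wps_enabled": True,
    "remote_admin_enabled": True,
    "firmware_version": "1.0.2",
    "latest_firmware_version": "1.0.5",
}

# Heuristics only: a few common factory SSID prefixes and factory/dictionary passwords.
DEFAULT_SSID_RE = re.compile(r"^(NETGEAR|linksys|TP-LINK_|dlink|ASUS|Belkin)", re.I)
COMMON_PASSWORDS = {"", "admin", "password", "password1", "1234", "12345678", "letmein"}
ACCEPTED_ENCRYPTION = {"WPA2-PSK", "WPA2-AES", "WPA3-SAE", "WPA3-PSK", "WPA2/WPA3"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "fail" (must fix) or "warn" (should fix)
    check: str
    detail: str


def _version_tuple(v: str) -> tuple:
    # "1.0.2" -> (1, 0, 2); non-numeric fragments are ignored
    return tuple(int(p) for p in re.findall(r"\d+", v))


def audit(cfg: dict) -> list:
    """Return the list of findings for one router configuration, in check order."""
    f = []
    enc = str(cfg.get("encryption", "")).upper()
    if enc in ("", "NONE", "OPEN") or enc.startswith("WEP"):
        f.append(Finding("fail", "encryption", f"{enc or 'open network'}: use WPA2 or WPA3"))
    elif enc not in ACCEPTED_ENCRYPTION:
        f.append(Finding("warn", "encryption", f"{enc}: legacy WPA/TKIP mode, prefer WPA2-AES or WPA3"))

    pw = cfg.get("wifi_passphrase", "")
    if len(pw) < 12 or pw.lower() in COMMON_PASSWORDS:
        f.append(Finding("fail", "wifi_passphrase",
                         "short or dictionary passphrase; WPA2-PSK is only as strong as the passphrase"))

    if (cfg.get("admin_username", "").lower() in ("admin", "root", "user")
            and cfg.get("admin_password", "").lower() in COMMON_PASSWORDS):
        f.append(Finding("fail", "admin_credentials", "factory/default admin login still in place"))

    if not cfg.get("firewall_enabled", False):
        f.append(Finding("fail", "firewall", "router firewall is off"))

    if cfg.get("wps_enabled", False):
        f.append(Finding("warn", "wps", "WPS enabled; its 8-digit PIN mode can be brute-forced"))

    if cfg.get("remote_admin_enabled", False):
        f.append(Finding("warn", "remote_admin", "admin interface reachable from the Internet side"))

    ssid = cfg.get("ssid", "")
    if DEFAULT_SSID_RE.match(ssid):
        f.append(Finding("warn", "ssid", f"'{ssid}' looks like a factory name and reveals the vendor"))

    cur, latest = cfg.get("firmware_version", ""), cfg.get("latest_firmware_version", "")
    if latest and _version_tuple(cur) < _version_tuple(latest):
        f.append(Finding("fail", "firmware", f"running {cur}, vendor offers {latest}"))
    return f


def summarize(findings) -> dict:
    """Count findings by severity."""
    counts = {"fail": 0, "warn": 0}
    for x in findings:
        counts[x.severity] += 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    for x in results:
        print(f"[{x.severity.upper()}] {x.check}: {x.detail}")
    print(summarize(results))
```

Against the constructed sample the script reports four failures (weak passphrase, default admin login, firewall off, outdated firmware) and three warnings (WPS, remote administration, factory SSID). The thresholds are deliberately conservative; an enterprise adopting this would tune the accepted encryption modes and passphrase length to its own standard and treat any "fail" as blocking corporate access from that network.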
See also Kaspersky’s Protecting Wireless Networks.
In all, it may be wiser simply to provide those with a need to access corporate networks with an encrypted company laptop and a wireless broadband card, and to require that these be the only way to access corporate networks or data.
4. Stay safe on the road. Employees must know how to use remote access; all public Wi-Fi use should be prohibited. For more, see here.
5. Don’t have access chosen for you. Ensure that the decision to allow specific pools of data to be accessed remotely is a deliberate corporate choice, made and permitted in accordance with the appropriate policy and procedure.
6. Back all of this with good policies and training. Knowing what is expected — and understanding the signs of attack and/or a social engineering effort will be core to protecting enterprise data even at an employee’s home.
*- Some may suggest there could be income tax issues. Depending on the extent of the intervention, it may be deemed a taxable fringe unless part of a bona fide security plan. Although typically applied to transportation, I will post on the taxation of a bona fide cybersecurity plan in the near future.