The pandemic has forced many of us to implement work-from-home procedures. But what are the risks associated with permitting network access from outside the secure perimeter of your company's internal network? To keep your business safe, make sure you have at least the minimum security measures in place.
Office vs. Home Office Network
A secure business network is normally strictly controlled with strong firewall rules, web access controls, system logging, security event detection, antimalware, wireless restrictions, and policies to prevent unmanaged devices on the network. Your managed service provider or IT support company can verify the security of your network with an IT Assessment.
A home internet connection is generally set up with minimal security controls and could be providing a shared network for phones, home computers, gaming stations, doorbells, thermostats, security systems, garage door openers, refrigerators, smart speakers, televisions, light bulbs and dozens of other possible “smart” devices, all of which could potentially provide a route for infection.
Minimum Requirements of a Secure Home Office
The most important aspect of working from home is making sure that the home workstation is safe, secure and pre-configured to work in the event of an emergency. At a minimum, workstations used for remote access should:
- Be restricted to business use;
- Have current antivirus or antimalware software;
- Be fully patched with the latest security patches;
- Be running a current, supported operating system;
- Be running on hardware that meets at least the minimum resource requirements for the version and function;
- Have all of the necessary applications and tools required for the individual’s job or be configured for remote access to those tools.
Next, take the necessary steps to isolate that workstation from all of the other devices on the home network.
Risk Levels of Remote Access Methods
This table illustrates the risks associated with different remote access methods and levels of control on the remote workstation.
| Risk level | Remote access method | Control and exposure |
|---|---|---|
| HIGHEST | Home PC with unrestricted VPN to office network. | No controls or visibility of home PC. No way to verify level of current security in place. Potential for transfer of malware, data leakage. Potential loss of data not stored on company systems or backup. |
| MEDIUM | Home PC with VPN connection for Remote Desktop (RDP) to internal workstation/server. | Still no way to verify level of current security in place, but greater control over transfer of data/risk between devices. |
| LOWER | Company-owned PC or Home PC with management agents and network access controls. | Full visibility and alerting on home PC. Able to verify AV, patching. Able to restrict local admin control and application installation. Manage access with domain policies. |
| LOWEST | Company-owned PC or Home PC with management agents and locked down to only permit VPN Internet connection. | Full visibility and alerting on home PC. Able to verify AV, patching. Able to restrict local admin control and application installation. Manage access with domain policies. No ability to access non-company internet. |
In addition to the minimum requirements, we always recommend security awareness training to keep home workers alert and aware of the dangers. It’s a great idea to include awareness training for everyone in the home as well.
Finally, have a written work-from-home policy and require that your home users sign and acknowledge that policy.
We live in a world where technology makes working from home not only possible, but efficient and easy for many workers. It can continue to be a great option for small businesses, not only in an emergency, but every day if all of the risks are identified and controlled. Contact RESULTS for more information.
During October 2020, which is National Cybersecurity Awareness Month, RESULTS is offering Remote Work Cybersecurity Consultations at no charge. Find out more information here: https://www.resultstechnology.com/remote-work-cybersecurity-consultation/