#WFH Cybersecurity – Conclusion
In a previous post on #WFH cybersecurity, I ended with these words: “So, what do you need to do? What security do you need? What do your users need to do?” That blog post was about #WFH, and the question now (as it was then) is: what do you need to do to stay protected? A lot has already been said on this, so I shall be succinct and address business owners in this post.
Business owners, not users
I’m fairly certain you’ll concur: it’s not users who need to do “something”. So, dear business owner:
(a) you need to NOT allow #WFH users to use their own personal computer. You aren’t a large corporation; you don’t have enough lawyers to impose certain rules on your users for BYOD. Stay away from it altogether. A laptop to set up a VPN for an RDP session will cost you $500. Spend the $500, it’s money well
(b) having done (a), you must now ensure your #WFH users understand that this device is NOT to be shared with anyone. No children, no spouses, no one. And it is not to be used for _anything_ but work. No games, no leisure browsing, no adult content, none of that (re the latter – such sites are typically at highest risk for malware). And while we’re at it, no BitTorrent either, please. No peer-to-peer of any kind. No opening up the computer to external sources.
(c) remember to install good endpoint protection on it.
We like White Cloud.
It takes a new approach to the concept of whitelisting, and seems to work well. But, honestly, any is better than nothing. Don’t be stingy either. You need full endpoint protection – firewall, policy enforcement, AV, and so on. And if that adds $50/year per device, so be it, since, ultimately, the existence of your company is at stake here.
(d) instruct #WFH users to always use a VPN (note that VPN software is free, so don’t pay for services that charge you per user). Case in point: our clients never ever pay extra for their VPN connections. If you aren’t lucky enough to be our client already (*wink*), find a service that offers similar, free, licensing.
VPN _must_ offer 2FA.
(e) do not connect anywhere anymore without 2FA. It is easy, it is (again) free, and makes hackers’ lives miserable. And that is what you want. Let them go hack someone else when they get tired of trying to get through your 2FA.
(f) do NOT use split tunnels. All traffic from that device should go through your network, where you hopefully have a proxy with HTTPS inspection (TLS decryption) turned on.
(g) do not allow any connections to your network/servers without VPN. Period, end of discussion.
This is non negotiable.
Your #WFH users should ideally use a WiFi network that isn’t the same one everyone else in their household uses. Yes, I know, this is going to be tricky, hence the endpoint protection and the VPN. But, at the very least, ensure that this WiFi is well protected using WPA2-AES and a very strong password (to give you an idea, my own WiFi has a 32 character password, I kid you not). If their router doesn’t support WPA2-AES, ‘demand’ that they acquire a new router. It’s for their own benefit as well.
If the users roam, VPN is really the only solution. There’s software out there (always-on VPN, or “kill switch” style tools) that’ll block the computer’s network access unless it’s connected to the VPN. That being said, however, the best protection here is education – users need to be well aware of the risks of not using a VPN, especially on a public WiFi.
I’ve seen the emergence of new technologies that claim to afford protection and encryption without being a VPN. Truth be told, I’ve personally not tested those yet, and frankly, I don’t know how far they’ll go. It’s new, and, when it comes to security, I prefer to stick to the tried and tested.
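Points (f) and the roaming-user advice above both come down to one question an endpoint can answer for itself: does traffic to an arbitrary Internet host leave through the VPN interface, or through the physical (home/public WiFi) interface? The script below is an added example and not code from the original post or from any product it mentions. It parses constructed `ip route` output (the sample routing tables are made up; `tun0`, `wlan0`, the 10.8.0.0/24 VPN subnet and the 203.0.113.10 “VPN server” address are assumptions) and classifies the host as full-tunnel, split-tunnel, or not on the VPN at all, which is exactly the decision an always-on VPN enforcement tool makes before it blocks or allows network access.

```python
import ipaddress

# Interface name prefixes treated as VPN tunnels (assumption: OpenVPN tun/tap,
# WireGuard wg*, PPP-based VPNs).
VPN_IFACE_PREFIXES = ("tun", "tap", "wg", "ppp")

# Constructed `ip route` output for a Linux laptop with OpenVPN's
# "redirect-gateway def1" in effect: the two /1 routes via tun0 beat the
# default route out of wlan0, so everything except the VPN server itself
# goes through the tunnel.
FULL_TUNNEL = """
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev wlan0
"""

# Constructed split-tunnel table: only the corporate 10.0.0.0/8 range goes
# via tun0; general Internet traffic still leaves over the home WiFi.
SPLIT_TUNNEL = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
10.0.0.0/8 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

# Constructed table for a laptop that is simply not connected to the VPN.
NO_VPN = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""


def parse_routes(ip_route_output):
    """Turn `ip route` lines into (network, interface) pairs."""
    routes = []
    for line in ip_route_output.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dest = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        net = ipaddress.ip_network(dest, strict=False)
        dev = tokens[tokens.index("dev") + 1] if "dev" in tokens else None
        routes.append((net, dev))
    return routes


def egress_interface(routes, dst_ip):
    """Longest-prefix match: which interface would carry traffic to dst_ip?"""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, dev in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def is_vpn_iface(dev):
    return dev is not None and dev.startswith(VPN_IFACE_PREFIXES)


def classify_tunnel(ip_route_output, probe_ip="198.51.100.7"):
    """Return 'full-tunnel', 'split-tunnel' or 'no-vpn'.

    probe_ip is an arbitrary public address (documentation range, constructed);
    it must not be the VPN server itself, which legitimately routes outside
    the tunnel even in full-tunnel mode.
    """
    routes = parse_routes(ip_route_output)
    if not any(is_vpn_iface(dev) for _, dev in routes):
        return "no-vpn"
    if is_vpn_iface(egress_interface(routes, probe_ip)):
        return "full-tunnel"
    return "split-tunnel"


def network_allowed(ip_route_output):
    """Policy from the post: only a full tunnel is acceptable for work traffic."""
    return classify_tunnel(ip_route_output) == "full-tunnel"


if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL), ("none", NO_VPN)):
        print(f"{name:>5}: {classify_tunnel(table)} -> allowed={network_allowed(table)}")
```

On a real machine you would feed `classify_tunnel` the output of `ip route` (or the platform equivalent) and act on a result other than `full-tunnel`; the probe address matters, because the VPN server’s own address must route over the physical interface or the tunnel could never be established.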
Now let’s talk about SPF and by that, I don’t mean to prevent sunburns.
I’m witnessing several instances wherein the company has an SPF record (more on what that is here and here) but mail sent by their roaming users doesn’t comply with it, and their emails get rejected. Anti-spoofing is critical, and recognizing your own spoofed emails is extremely vital to avoiding phishing and scamming attempts. SPF helps with that. But it also helps to ensure third parties can identify your emails as yours, so you don’t lose business because you were accidentally blocked by an antispam filter. Working from home, many users aren’t sending emails properly, that is, through their own company server (cloud-based or otherwise is irrelevant here). The main thing is this – instruct users to send emails properly, using your servers, wherever they might be. That’s what’s key. Only your authorized servers should be sending out your emails.
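To make concrete why a roaming user’s mail gets rejected, here is a small SPF evaluator, added as an example and not code from the original post. It models the `ip4`, `ip6`, `include` and `all` mechanisms of an SPF record against a constructed DNS table (the domains `example.com` and `mail.example.net`, the records, and all IP addresses are made up), and shows that mail relayed through the company’s listed server passes while the same message sent straight from a home connection fails.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: these domains and
# records do not exist; the real thing would query DNS).
DNS_TXT = {
    # company domain: its own mail server plus an outsourced relay via include
    "example.com": "v=spf1 ip4:203.0.113.10 include:mail.example.net -all",
    # relay provider: a /24 of outbound servers, softfail for anything else
    "mail.example.net": "v=spf1 ip4:198.51.100.0/24 ~all",
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record, or None if there is none."""
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return None
    return record


def check_spf(domain, sender_ip, depth=0):
    """Evaluate sender_ip against domain's SPF record.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    Only ip4/ip6/include/all are modelled; a/mx/exists/redirect would need
    further DNS lookups and are reported as permerror here.
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying terms
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"                 # unqualified mechanisms mean "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return RESULT[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # a bare address becomes a /32 or /128 network
            if ip in ipaddress.ip_network(arg, strict=False):
                return RESULT[qualifier]
        elif mech == "include":
            inner = check_spf(arg, sender_ip, depth + 1)
            if inner == "pass":
                return RESULT[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"
    return "neutral"                    # record ran out without an "all"


def mail_accepted(domain, sender_ip):
    """Receiver policy from the post's point of view: reject SPF 'fail'."""
    return check_spf(domain, sender_ip) != "fail"


if __name__ == "__main__":
    # Constructed scenario: same user, same From: domain, two sending paths.
    company_server = "203.0.113.10"     # the company's authorized MTA
    home_connection = "192.0.2.77"      # the user's home ISP address
    for ip in (company_server, home_connection):
        print(ip, check_spf("example.com", ip), "accepted:", mail_accepted("example.com", ip))
```

The `-all` at the end of the company record is what turns “sent from somewhere I did not list” into a hard `fail`, which is the behaviour you want against spoofers and, as the post says, the behaviour that bites your own users the moment they stop relaying through your servers.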
As a segue to this, invest in training and educating your #WFH users so they’re able to recognize dangers and stop clicking. While it was urgent then, it’s paramount now, when you can neither check what they’re doing half the time nor be physically present to fix every single one of their mistakes. User education is critical. Now more than ever before.
This document could likely go on much longer, but as it is, I’m not here to write a compendium on #WFH security (thanks #covid), but rather to share a checklist of sorts of the pivotal things.
I hope this helps.