Not too long ago Heidi Shey of Forrester Research released her thoughts on how enterprises can best protect the work-from-home workforce. The report, appropriately titled, “Protect Your Work-From-Home Workforce,” outlines well the challenges security and compliance professionals face in the “new normal.” Home “offices” might be a living room or dining room table with work computers sometimes doubling as entertainment devices for games and movies. Nobody is “badging-in” to employee homes, so physical access to devices is much less secure. Other devices on the network, including a host of IoT devices, can serve as an attack vector. Finally, the home network itself is often poorly secured (when was the last time you checked your router’s firmware for updates?).
Forrester’s recommendations are practical and include a mix of technology and education. The technology recommendations follow a Zero Trust approach, including:
- Identify Sensitive Data—The first step in securing data is to know where it resides and how it is used. Reminding employees that this includes their own personal data can help them understand how important this is.Forrester emphasizes that organizations need to remember that sensitive data doesn’t just reside in their data stores. It can be exposed in email, through text and attachments in chat applications like Slack, in voice calls, and videoconferencing. Identifying and classifying targeted data across all applications is necessary.
- Secure Employee Devices—Often, there is little that an organization can do about an employee’s personal devices or those of family members. They can, however, modernize those they own. Forrester recommends investigating software-as-a service endpoint security suites, as these adapt well to a Work-from-Anywhere environment. Full disk encryption is also a no-brainer.
- Automate Activity Monitoring—Organizations need an understanding of which applications and data employees need and use. Annual reviews of activity can provide this and allow security and compliance to review and apply “least privilege” principles. While not mentioned by Forrester, activity monitoring also provides teams with baseline activity for users and roles, making it possible to identify anomalous activity and malicious Indicators of Intent.
Forrester’s other recommendation fall more into a category of employee education (“Empower your workforce to level up their personal security and privacy”). They recognize that employees must be convinced to do this and adding “personal security and privacy” to the reason provides incentives. It’s not just about protecting organizational data. Their recommendations include:
- Identity Theft—Identity theft is personal. Helping employees protect themselves is viewed as a benefit. It also helps educate users about risk, protect their corporate credentials, and build a culture of better security. In addition to obvious attack vectors like phishing, education on this can include how attackers conduct reconnaissance through social media accounts, discarded bills, and other forms.
- Secure Devices—Organizations can (and should) have clear policies on the use of corporate devices, including the personal use of that hardware. Employees should also understand that security solutions are available for their BYODs, and organizations can help by publishing best practices, including separate profiles for work activity, using encryption, and having secure disposal procedures.
- Harden the Home Network—Home networks can easily present a “weak link” to an attacker. Helping employees understand that improving the security of their home network doesn’t need to be complicated can reduce risk for the employee and the employer. This can include not using family names in SSID and changing default passwords, updating firmware, and setting up guest networks.
A People-First Approach
Forrester concludes with a very good point. Work-from-Home employees are missing a lot of the camaraderie and interpersonal interactions with their co-workers. Isolation affects different people in different ways. Behavioral research shows that remote workers can have greater perceptions of anonymity and less perception of monitoring, leading to a greater risk of insider threats.
Organizations can help by encouraging a “no judgement” culture and encouraging people to ask questions. We would go further, using these questions (anonymously) as teaching moments for the work community at large. Amplifying security questions and concerns reinforces the “no judgement” ethos and helps improve everyone’s security game.
We encourage you to download a complimentary copy of the Forrester Research note and discuss with your team and executives.