Working from home (WFH) can pose certain challenges to data security due to a variety of factors that are rarely considered by those promoting the WFH model. While remote work offers flexibility and convenience, it introduces vulnerabilities that, if not properly addressed, may compromise data security. Some reasons why WFH can contribute to poor data security and their solutions are:
- Home Network Security:
Consideration: Home networks may not be as secure as corporate networks, and business owners have nearly zero control over their employees’ home networking environment. People tend to engage in much higher-risk computer activities in the privacy of their homes than they could in a managed office environment. Employees may not have implemented strong security measures on their home routers, leaving them more susceptible to cyber threats.
Recommendations:
Employees should have a dedicated ‘work computer’ that is not used by them and their family for personal things like gaming, personal email, homework, and casual web browsing.
At-home computers should be considered as being outside the business network security bubble, and therefore should not be used to store or cache any files or access credentials for business data or systems. This is accomplished by utilizing RDP/RDS technology, which allows all of the data processing and storage to remain within the company's protected network while sending only the monitor images to the at-home user and transmitting their keystrokes and mouse clicks back to the secure system in an encrypted format.
- Unsecured Wi-Fi Networks:
Consideration: Wi-Fi networks are ubiquitous in nearly every home environment, and these generally employ very poor and easy-to-break security. Additionally, employees may take portable laptops and connect to unsecured public Wi-Fi networks, such as at cafes or airports, which increases the risk of either their devices being hijacked or the data sent over the Wi-Fi being intercepted.
Recommendation:
Protecting the at-home computer with company-managed software that provides firewalling, anti-virus, and anti-malware helps address the poor security environments.
Utilizing an MFA-enabled VPN both protects the data streaming to and from the remote computer and protects the company network from unauthorized logon.
- Device Theft or Loss:
Consideration: Portable devices are more susceptible to being lost or stolen. If a device containing sensitive company information is lost, that in itself constitutes a data breach. A case published by HHS (a Federal regulatory body) involved a stolen laptop containing copies of files from a small medical practice, which resulted in $276,000 in regulatory fines, and reported amounts in legal fees and identity theft remediation.
Recommendations:
As mentioned above, portable or at-home devices ought to be configured so that they do not actually store data files or employee work product (see the second recommendation in #1 above).
At-home devices should have strong logon passwords, and preferably a form of logon MFA, to prevent persons with direct keyboard access to the device from being able to log into it.
Portable devices should have a hardware TPM and have encryption configured, which prevents the hard drive within that device from being removed and accessed directly.
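One way to verify the TPM and encryption recommendation on a given laptop, as an added example that is not part of the original article. It assumes a Windows device that uses BitLocker for drive encryption; the function name `Test-DeviceEncryption` is hypothetical, while `Get-Tpm` and `Get-BitLockerVolume` are standard Windows cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example: audits one Windows laptop against the "hardware TPM plus
# configured encryption" recommendation. Assumes BitLocker is the product in use.

function Test-DeviceEncryption {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. A TPM must be present and ready before it can seal the volume key.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        $findings.Add('No TPM detected')
    } elseif (-not $tpm.TpmReady) {
        $findings.Add('TPM present but not ready (disabled or not provisioned)')
    }

    # 2. The volume must be fully encrypted AND protection must be on.
    #    A suspended volume is still encrypted, but its key sits unprotected
    #    on disk, so a removed drive can be read.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("Volume status is $($vol.VolumeStatus), expected FullyEncrypted")
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("Protection is $($vol.ProtectionStatus) (off or suspended)")
    }

    # 3. At least one key protector must be TPM-backed (Tpm, TpmPin, ...).
    #    A password-only protector does not tie the drive to this hardware.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    if (-not ($types | Where-Object { $_ -like 'Tpm*' })) {
        $findings.Add("No TPM-backed key protector (found: $($types -join ', '))")
    }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        MountPoint = $MountPoint
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Run from an elevated prompt; a compliant device returns Compliant = True.
Test-DeviceEncryption | Format-List
```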
- Increased Phishing and Social Engineering Attacks:
Consideration: Cybercriminals often exploit the remote work situation through phishing emails or social engineering attacks, taking advantage of the more relaxed security environment at home.
Recommendations:
Additional and regular user training is highly recommended to ensure best practices and enforce WFH procedures.