The COVID-19 crisis forced millions of people to work from home. In addition to the rapid expansion of corporate VPNs, significant corporate work also occurred on unprotected home networks built with consumer electronics.
In response to the pandemic, businesses quickly expanded their VPN capacity, and many were forced to relax security standards. In addition, key employee information is available on company websites or LinkedIn, resulting in more exposure points. Further, many countries now have digital property records, which makes it relatively easy to find out where someone lives.
It's enough to give network security administrators nightmares. So, how can enterprises secure remote access for their employees and ensure a safe corporate network environment? Let's take a look at some key steps.
1. Reinforce network security standards
First and foremost, enterprises need to start adding the rigor back into their systems and processes.
An important step is to reestablish VPN standards. Enterprises must replace the temporary changes they made to increase capacity with permanent designs that fully support security standards. The standards themselves need to be reevaluated based on the company's new normal. This will include implementing or reimplementing basic protections, such as the following:
- strong passwords;
- multifactor authentication; and
- role-based access.
2. Bolster home network security
Home network systems use personal equipment or devices provided by a broadband provider. Network security teams must work with remote users to bolster security for home networks by using the following steps:
- catalog the broadband providers in use;
- catalog the equipment being used; and
- research and establish configuration guidelines.
3. Establish endpoint protection
To manage the network security environments, teams must reestablish endpoint protection, which requires the following steps:
- update malware and virus protection;
- enforce minimum software update standards; and
- establish access for security operations (SecOps) personnel.
This process can include asking for access to employees' home networking kits. The intent is to establish software levels and develop standard configurations for broadband providers and home networks being used by employees.
This sounds like a complex and difficult process, but most regions in the country will have more than 90% of users on just two providers. For example, in my region, well over 90% of our employees are on either Fios or Xfinity. Some employees might view this as an invasion of privacy. But, as most employees are not network and security engineers, they might welcome support for these systems.
If it's a step too far to get access to employees' home routers, teams can provide suggested configurations and request employee attestation.
Teams can scan and review these networks either with SecOps or using suggested configurations. Some questions to consider include the following:
- Does the Wi-Fi network, identified by its service set identifier (SSID), have sufficient security?
- Is there a guest account?
- Are all the systems registered with the router known to employees and their families?
The answers to these questions are important because guest accounts and weak passwords can let people in adjacent homes or apartments use the home network.
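One way SecOps could triage returned employee attestations against the three questions above, and see which providers need configuration guidelines first. This is an added example, not from the original article; the record schema, field names, sample data and the accepted Wi-Fi modes are assumptions.

```python
from collections import Counter

# Assumed policy: the article asks only for "sufficient security".
ACCEPTED_WIFI_MODES = {"WPA2", "WPA3"}

# Constructed sample attestations; the schema and field names are hypothetical.
ATTESTATIONS = [
    {"employee": "e001", "provider": "Fios", "wifi_mode": "WPA2",
     "guest_network": False, "devices": {"work-laptop": True, "phone": True}},
    {"employee": "e002", "provider": "Xfinity", "wifi_mode": "WEP",
     "guest_network": True,
     "devices": {"work-laptop": True, "unknown-camera": False}},
    {"employee": "e003", "provider": "Xfinity", "wifi_mode": "WPA3",
     "guest_network": False, "devices": {"work-laptop": True}},
    {"employee": "e004", "provider": "OtherISP", "wifi_mode": "open",
     "guest_network": False, "devices": {}},
]

def review(record):
    """Return the findings for one home network, one per checklist question."""
    findings = []
    mode = record.get("wifi_mode", "unknown")
    if mode not in ACCEPTED_WIFI_MODES:
        findings.append(f"wifi security mode '{mode}' is below policy")
    if record.get("guest_network"):
        findings.append("guest network is enabled")
    devices = record.get("devices") or {}
    if not devices:
        # An empty inventory cannot answer the "known devices" question.
        findings.append("device inventory missing")
    unknown = sorted(name for name, known in devices.items() if not known)
    if unknown:
        findings.append("devices not recognized by household: " + ", ".join(unknown))
    return findings

def provider_coverage(records, top=2):
    """Names of the `top` most common providers and the share of users on them."""
    leaders = Counter(r["provider"] for r in records).most_common(top)
    return [name for name, _ in leaders], sum(n for _, n in leaders) / len(records)

def report(records):
    """Map each employee with at least one finding to that list of findings."""
    results = {r["employee"]: review(r) for r in records}
    return {emp: found for emp, found in results.items() if found}

if __name__ == "__main__":
    print(provider_coverage(ATTESTATIONS))
    for emp, found in report(ATTESTATIONS).items():
        print(emp, found)
```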
4. Consider new and innovative alternatives
Once upon a time, it was common for employers to provide work-from-home systems with traditional security, but this disappeared with the emergence of BYOD and widespread broadband. Enterprises might find it useful to revive this practice for key remote workers and company officers, based on the risk profile associated with the employees' access and capabilities.
Of course, newer technologies are always under development. At one end of the spectrum, ultra-secure systems are available, such as Attila Security, which provides hardware-based security options certified for U.S. Department of Defense use. Other choices include new software options that replace VPN technologies altogether, such as Elisity with its Cognitive Access Service, which provides nanosegmentation of endpoints.