Global Knowledge Brief from The IIA and Fastpath
In this knowledge brief, Frank Vukovits, CIA, CISA, director of strategic partnerships at Fastpath Solutions LLC, and Alex Meyer, director of Dynamics AX/365FO development at Fastpath, discuss solutions and suggest free resources to help organizations manage the new security challenges a work-from-home environment creates.
Organizations’ IT departments already were facing constant challenges dealing with an ever-evolving threat landscape when the onset of the COVID-19 pandemic forced organizations, literally overnight, to transition to a work-from-home environment. Organizations had to restructure themselves on the fly as their employees, many of whom were not tech savvy, suddenly found themselves working from their living rooms and kitchens.
The biggest threat to IT security involves devices such as printers and laptops that employees are using on their home networks. Even if they are company-issued, the devices’ security is dependent on the home network’s security controls. In addition, home networks often are shared with other members of the family, such as school-age children or other members of the household working from home. If the company has a bring-your-own-device policy, the employee may be accessing company assets on a home computer, perhaps one shared with other family members.
Home modems, routers, and printers, which often still use their default passwords, also are vulnerable. In addition, many employees download software, such as Zoom or other web conferencing platforms or apps needed to do their jobs, without their IT departments’ knowledge or consent, a practice known as “shadow IT.” This exposes their companies to potential security issues.
In response, organizations need to think holistically to build a culture of security. In addition, employees need to understand that they are the first line of defense, and family members are part of the security environment.
Among the steps employees can take:
- Do not share passwords or write them down, and use a password manager.
- Use complex passwords or passphrases.
- Use multi-factor authentication (MFA) for both personal use and with company devices.
- Lock the computer whenever you step away from it.
- Watch out for social engineering scams.
- Secure home wireless networks by changing the default network name and password, setting the network to non-broadcasting, and enabling encryption.
- Consider purchasing a modem and Wi-Fi hardware instead of using the equipment issued by the home service provider.
For their part, employers should have employees use VPNs and should determine what devices and apps employees, and perhaps family members, have downloaded; whether employees have been provided the encryption tools they need; and whether they are getting needed support and training. Employers also should ensure privacy and security protocols have been updated to reflect the work-from-home (WFH) environment.
Microsoft provides multiple sources of information dealing with security as well as tips for working from home. Organizations such as the Federal Trade Commission and the Center for Internet Security also offer tips and information.