Organizations have been wrestling with WFH cybersecurity issues for more than two years, but cyberattackers are still compromising at-home systems.
Kazi Awal/Insider
As the CDC loosens restrictions on COVID-19 measures, businesses have started recalling work-from-home employees back to the office.
But the move to in-person work is encountering a wave of resistance. For example, when Goldman Sachs CEO David Solomon insisted his staff return to the office earlier this month, only about half of the New York office's 10,000 employees showed up.
The hybrid work environment does not appear to be changing anytime soon, if at all. Therefore protecting WFH employees and their networks from cybercriminals continues to be a corporate imperative.
Organizations of all sizes have been wrestling with WFH cybersecurity issues for more than two years, but cyberattackers are finding new ways to create phishing and watering hole attacks — where attackers invite victims to visit compromised websites, such as fake COVID-19 sites or "charitable" sites raising money for a range of causes.
Phishing continues to be the No. 1 type of attack, as major, life-changing topics such as the pandemic or war can be an emotional draw for some online users. Educating employees to be wary of these fake emails is crucial, experts said.
"Security-awareness training for workers is an important component of ensuring home network security," Leanna Serras, chief customer officer of FragranceX.com, a fragrance e-commerce site, said. "The training should aim to provide better awareness of security risks and to teach simple and effective measures to mitigate risks."
Mike Pedrick, vice president of cybersecurity consulting at Nuspire, a managed security services provider, supports a similar mindset. "User-awareness training initiatives that provide employees with information they can see value in for their personal lives still goes a long way here."
But training is only part of the answer. While some organizations offer year-round training exercises that employees can access from home, fitting in optional security training is often low on priority lists. To that end, scheduled training, as Serras suggested, could be more effective.
One challenge corporate IT security teams face is that personal routers, cable modems, and other network hardware in employees' homes lack the latest software updates and patches.
While some service providers, such as Comcast, automatically update provider-owned devices in customers' homes, these changes are not always reflected in customer-owned equipment. Due to a lack of security modifications, WFH employees are more vulnerable to malware.
Organizations could opt to install employer-owned firewalls and similar network security devices in employees' homes, but that would be a monumental effort to dispatch technicians to install and configure the devices and maintain them remotely.
Accessing employees' home networks "represents a bit of a slippery slope," Pedrick said. "Not only does it potentially cross ethical and privacy lines, but it would be prohibitively expensive — especially so for SMBs whose budgets are already lean," he said, referring to small and mid-size businesses.
However, companies can opt for the Anytime, Anywhere, Any Device model that is popular with companies that have successfully moved to the public cloud.
"Meeting security and privacy objectives," Pedrick added, "becomes a strategy of ensuring that access controls are comprehensive — and users are well-trained to protect their credentials — and that sensitive data can only be interacted with on devices, networks, and in locations that the business can accept risk for."
For example, an employee who uses a corporate device from their known home in New York City would get access to the corporate network, but that same employee trying to access the network on a personal device from Paris would be denied. This approach is part of a zero-trust network that authenticates not only the person but the device and software as well.
Remote users, Serras said, should be trained to secure their home networks through simple measures such as changing the default passwords, the default IP address, disabling remote access to the home network, and regularly updating their router's software.
Some employees are concerned about making changes to their network devices for fear of disabling or damaging their systems. While the company can talk a user through the process, those with little to no technology experience might be intimidated by the change.
"It is often overlooked that as much as an employee-owned device or a company device connecting from an uncontrolled network is a threat to the company, a company device can pose a threat to an employee's environment," Pedrick said. "Many businesses, especially in the SMB space, are slow to realize when persistent threats are traversing their networks."
"Anyone connected to the internet would be prepared and savvy enough to diligently employ industry best practices and state-of-the-art hardware for defense, but not all employees are willing to make such commitments — especially if they're paying for it themselves," he said.
