We talk and hear about the security of the physical enterprise (servers, networks, desktops, etc.) as if that is the absolute most important aspect of securing our corporate and customer data. However, with the proliferation of BYOD and remote/home-based employees, where is the focus on securing their home networks?

When operating from home, more likely than not, employees’ devices operate as trusted entities on their network, along with everything else from their thermostat to their kids’ cellphones, and they tend to relax and operate with a much lower sense of security awareness. 

We should be doing more as Information Security leaders (via corporate practices/policies and leading by example) to help employees secure their home networks and better educate them on the dangers. In my experience (not to say they don’t exist) I’ve yet to see a company that provides for reimbursement of home network firewalls and related equipment or that even has a self-assessment checklist. 

Think about it. We undergo quarterly or annual audits on the enterprise, but the assessed boundary is almost never extended to the endpoint when it resides outside the company's physical space. It's not practical (or necessarily warranted) to physically inspect each person's home, but why not implement some basic best practices like:

1. Develop and implement a best-practices work-at-home checklist where the employee conducts a self-assessment every six months that includes: Wi-Fi security, physical security, IoT/guest network security, secure password generation and storage, etc.

2. Provide a budget up to $200 for purchase of a home network security device like a Fingbox or similar to watch the home network and block intruders. 

Implementing just a couple of simple controls like the above would enhance the overall security of our most important data, either inexpensively or even for free, at a time when more and more of our employees are working from home.
