Save Your Company Thousands with Proper WFH Network Security
There is a topic in security that I think about often: I truly don't think that decent network security needs to be insanely expensive. Good network security for a small office or a WFH (Work From Home) scenario is achievable by most laypeople.
I want to tell you that with some minor tweaks to infrastructure and policies you can dramatically reduce the risk that your distributed workforce poses to your organization.
Accept that "Prevention Eventually Fails." This is a mantra of network security monitoring. A threat actor who wants into your network can wait years for an opportunity to attack. When the opportunity arises they take advantage of it. In order to properly protect your organization you need to understand that everything is at risk.
The only scenario where risk is zero for a network is where there is no network at all. Without a network we have no connectivity. This means that in order to have any connectivity we have to accept some margin of risk, no matter how minuscule that risk may be.
Accepting that all assets are at risk can be stressful, however we are able to mitigate risk to a degree.
Risk = Probability × Cost
For a given asset, the cost in this formula doesn't really change. However, we as security professionals have a direct impact on probability. We may not be able to make the probability 0, but if we can reduce the probability we can take a High Risk scenario and turn it into a Medium Risk or even a Low Risk.
Now that we understand that all assets have some level of risk let's dive into what the problem is, specifically working from home.
For future generations reading this article: in 2021 our planet had a pandemic. One outcome of this pandemic was that businesses realized that they could carry on running with a distributed workforce. It became abundantly obvious that we didn't need to be sitting in our cubicles.
Primary assets (servers and so on) still lived on site. However, employees were able to connect to the office via VPN.
This is where the problem arises. VPN in itself is a fine solution, however it was heavily exploited by bad actors. It doesn't matter how secure the tunnel is if you are letting infected machines travel through the tunnel straight into your "secured" network.
Saving Money Through Reducing Risk
There are two things that businesses with WFH employees can do to reduce risk which ultimately will save them money.
1) Craft Policies that direct/mandate WFH employees to have segmented home networks.
2) Teach WFH employees about guest networks at their home.
ONE: Craft Appropriate WFH Policies
Policies are meant to direct assets and give them boundaries within which to exist. When an asset goes beyond where it is supposed to be, policies allow the organization to trigger and react in some predefined manner.
The organization cannot force employees to modify their home networks with perfect efficacy. If some do however, you will mitigate risk to a degree.
I think of speed limits for the road. You're driving down the road and the sign says 50. It's 10pm and no one is around. You can drive 60, 70, 80 or more and potentially not be caught. If you stay at 50, even though no one is forcing you, there is a better probability that you will have mitigated some of the risk that is associated with high speeds.
Do people speed? Yes. Can we stop all of them? No. When people follow guidelines there is a positive result.
The same thing applies for policies.
TWO: Teach about the benefits of Guest Networks
This one is tough, because there is a wide variety of skills amongst employees.
An additional challenge is that each of your employees can have vastly different hardware at their houses.
This challenge of skill level and hardware is not easy to overcome. Truthfully, there will be a percentage of employees who reach a barrier of difficulty and just throw their hands up in defeat.
However, most home routers have the capability of creating a guest network. If employees connect their work machines through the "admin" network at home, with the rest of the household's devices on the guest network, you are mitigating some of the risk of random people at their homes contracting malware and having it spread to your work network.
There is still the risk that actual employees will contract malware and have it spread, but the point here is that you are reducing the risk by not having work assets living at employees' homes getting infected by other machines.
Furthermore, firewall rules between segments are not overly complicated. All home routers have the ability to manually manipulate FW rules between segments.
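To make "FW rules between segments" concrete, here is an added example (not code from the original post, and not tied to any particular router vendor) that models a home router with an "admin" segment for the work laptop and a guest segment for everything else. It applies first-match inter-segment rules with a default of deny, contrasts that with a flat network where every device can reach every other, and includes a small audit that flags the exact mistake this section warns about: a path from the guest network or the internet into the work segment. The addresses, segment names and rule list are constructed assumptions; the shape of each rule (source segment, destination segment, allow or deny) is what most router UIs ask you to fill in.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed example of a segmented home network (assumed values, not from the post):
# the "admin" segment is where the work laptop lives, the guest segment is for family
# and visitor devices, and any address outside both is treated as the internet ("wan").
SEGMENTS = {
    "admin": ipaddress.ip_network("192.168.1.0/24"),
    "guest": ipaddress.ip_network("192.168.50.0/24"),
}
DEFAULT_ACTION = "deny"  # anything not explicitly allowed is dropped


@dataclass(frozen=True)
class Rule:
    src: str     # segment name, "wan", or "any"
    dst: str     # segment name, "wan", or "any"
    action: str  # "allow" or "deny"
    why: str     # the note you would type into the router's rule description field


# Inter-segment policy, evaluated top to bottom; the first matching rule wins.
RULES = [
    Rule("guest", "admin", "deny",  "guest devices can never reach the work segment"),
    Rule("guest", "guest", "deny",  "client isolation: guests cannot see each other"),
    Rule("guest", "wan",   "allow", "guests get internet access only"),
    Rule("admin", "guest", "deny",  "work segment never initiates toward guest devices"),
    Rule("admin", "admin", "allow", "devices on the work segment may talk to each other"),
    Rule("admin", "wan",   "allow", "work laptop can reach the office VPN endpoint"),
]


def segment_of(ip: str) -> str:
    """Map an address to its segment; anything outside the home segments is 'wan'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "wan"


def evaluate_segments(src: str, dst: str, rules: list[Rule] = RULES) -> tuple[str, str]:
    """First-match lookup of a (source segment, destination segment) pair."""
    for rule in rules:
        if rule.src in (src, "any") and rule.dst in (dst, "any"):
            return rule.action, rule.why
    return DEFAULT_ACTION, f"no rule matched {src} -> {dst}; default {DEFAULT_ACTION}"


def evaluate(src_ip: str, dst_ip: str, established: bool = False,
             rules: list[Rule] = RULES) -> tuple[str, str]:
    """Decide whether a packet from src_ip to dst_ip is forwarded.

    Like a real stateful firewall, replies belonging to an already-accepted
    connection pass; only new connections are matched against the rule list.
    """
    if established:
        return "allow", "reply to an already-accepted connection"
    return evaluate_segments(segment_of(src_ip), segment_of(dst_ip), rules)


def evaluate_flat(src_ip: str, dst_ip: str) -> str:
    """The unsegmented 'before' picture: every local device reaches every other."""
    local = segment_of(src_ip) != "wan" and segment_of(dst_ip) != "wan"
    return "allow" if local else DEFAULT_ACTION


def audit(rules: list[Rule] = RULES) -> list[str]:
    """Flag any path from the guest network or the internet into the work segment."""
    problems = []
    for src in ("guest", "wan"):
        action, why = evaluate_segments(src, "admin", rules)
        if action == "allow":
            problems.append(f"{src} -> admin is allowed ({why})")
    return problems


if __name__ == "__main__":
    # Constructed traffic: an infected phone on the guest network probing the work
    # laptop, normal guest browsing, the laptop reaching the VPN, and unsolicited
    # inbound traffic from the internet.
    samples = [
        ("192.168.50.23", "192.168.1.10"),   # guest phone -> work laptop
        ("192.168.50.23", "203.0.113.10"),   # guest phone -> internet
        ("192.168.1.10", "198.51.100.5"),    # work laptop -> office VPN endpoint
        ("192.0.2.99", "192.168.1.10"),      # internet -> work laptop (unsolicited)
    ]
    for src, dst in samples:
        action, why = evaluate(src, dst)
        print(f"{src:>14} -> {dst:<14} segmented: {action:<5} flat: {evaluate_flat(src, dst):<5} ({why})")
    print("audit:", audit() or "no guest/internet path into the work segment")
```

The worst case in this section, malware on a family device spreading to the work laptop, is exactly the first sample line: the flat network forwards it, the segmented one drops it, and the work laptop can still reach the office VPN. The `audit` function is the check to run after editing rules on the router: if it ever returns something, a rule above the guest-to-admin deny has reopened the path.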
Below is a video I made that explains network segmentation and shows basic FW rules between these segments. Something as simple as what this video shows, when done by WFH employees, can dramatically mitigate threats to your organization.