There are many aspects of IT security that we must consider in our new world where working remotely has become the norm. For the most part, the ability to work remotely requires the ability for employees to be able to connect to their firms’ network. Examining the entire remote security process chain, each employee should consider connectivity security as the initial control to protect one’s environment, and ultimately the most important asset, our data. Even if your IT department has installed multiple tools and processes to secure our environments and data, ultimately responsibility to implement the security controls of our remote environment fall the end-user. So you ask “What can I do?”. The answer is actually quite simple: ask yourself each time you connect to your firm’s network, “Am I doing everything in my power to ensure my connection is secure?”.
While this might appear elementary, the first line of defense is securing our home Wi-Fi by ensuring that encryption is enabled. Though the steps may be dissimilar on different devices and operating systems, determining whether encryption is enabled is relatively easy. In most cases, one can just click on the Wi-Fi icon on your system which shows the names of the available wireless networks, which are called Service Set IDentifiers (SSIDs). Check the properties of the SSID, and make sure encryption is enabled, preferably a flavor of Wi-Fi Protected Access (WPA). A majority of systems are configured using WPA2, which is a version of WPA that uses Advanced Encryption Standard (AES) encryption and long passwords. Many older wireless networks allowed Wired Equivalent Privacy (WEP) encryption. WEP encryption no longer considered very secure, as hackers have devised ways to compromise them. If your device only allows for WEP, it may be time to invest in a new wireless device.
Though both of these encryption methods provide a level of security, there is another option which is also prevalent: lack of any encryption! This basically turns your home into a public Wi-Fi provider. If you are unsure, check the SSID properties to see if encryption shows “None” or “Unsecured“. The consequences can range from minimal to major. Your neighbor may be siphoning your bandwidth for their new 4k TV, or worse a hacker could gain access to your home or office network and any devices connected to them. Securing your Wi-Fi with even the minimal encryption would seem like a no-brainer, but occurrences of non-secure networks are more prevalent than one might suspect.
In my role as an IT auditor, I have been tasked in the past with performing onsite Wi-Fi assessments for clients, during which I would use a laptop to identify Wi-Fi networks, both authorized and rogue, detectable internally and externally. Through the use of specialized software, one can obtain a very detailed assessment of a client’s Wi-Fi footprint, along with their exposure to potential rogue Wi-Fi networks. As you may have guessed, you do not need any specialized equipment to conduct a basic assessment of your remote work environment—even a cell phone will suffice. Many times, taking a walk around your block will reveal a plethora of unsecure Wi-Fi networks. Hackers can do this too and it is referred to as wardriving.
Sometimes SSIDs have very cryptic names like ATTabcde123, NetGear01, xfinitywifi, linksys123, etc., which are usually the default name when the wireless network was first established. Keep in mind one can name a network almost anything. Nefarious characters know this, and sometimes set up wireless access points with the same name which spoofs a known wireless network, hoping the end-user will connect unknowingly. This is most likely to occur when attempting to connect to public Wi-Fi, so caution is highly recommended.
Once you’ve ensured your Wi-Fi network is secured, the security protocol doesn’t stop there. As mentioned earlier your firm’s most important asset is its data. Even though a Wi-Fi network is encrypted, it is not 100% infallible and protected from potential exposure. This is where leveraging a Virtual Private Network (VPN) comes in. A VPN is a secure connection into your Firm’s network. Think of it as your own little encrypted tunnel, which keeps all of those bad actors from accessing the data between your laptop and your firm’s network. I will say that there are some shortcomings associated with connecting through a VPN, such as performance latency due to the encryption. However, this is a small price to pay, and leveraging the VPN far outweighs the notion of the potential exposure of unsecure data. Your IT department has probably installed a VPN client on your laptop, make certain you use it!
There are additional aspects of security controls, such as performing system health checks (malware scanning, security updates, system cleanup), securing of physical assets both electronic and paper, and controlling access to systems in the remote work environment. However, ensuring that you are doing all in your power to secure connectivity in the remote work environment is a great first step.
Wayne Greene serves as a Senior IT Auditor within McConnell & Jones’ Risk Advisory Services Team, where he helps organizations protect their data and their systems from cyber incidents. A CISA certified professional, he started his career in IT roles at AMD and Dell, spent four years at the state of Texas as a Senior IT auditor, and most recently has worked for consulting firms in IT security roles. He can be reached at firstname.lastname@example.org