October is National Cyber Security Awareness Month (NCSAM), and as the relevance of cybersecurity at both home and work continues to explode, there’s never been a better time to underscore some underrated themes that we may not think enough about year-round. One oft-overlooked issue is the importance of securing our home devices with hardened network security policies, just as your security operations center (SOC) likely does at work.

Home Is Where the Data Is

In the modern workplace, personal devices inevitably find their way onto enterprise networks. Here’s a sobering statistic: According to a recent Infoblox report, about one-third of U.S., U.K. and German companies have more than 1,000 shadow, or unsanctioned, Internet of Things (IoT) devices connected to their network on a typical day. In the U.K., 12 percent of companies surveyed reported more than 10,000.

Even more alarming, 46 percent of those devices are smart TVs, and 33 percent are smart kitchen devices. These types of IoT hardware are far from inherently secure; because their core purpose is not to host proprietary data, the risks often go overlooked.

Should any of these personal devices become breached, the impact to both the individual and the enterprise can be dramatic. Francis Dinha, CEO of OpenVPN, has studied the effect of these breaches and said that bad employee decisions are sabotaging corporate security initiatives.

“If you’re working from home and your personal device is breached, not only is your own personal data at risk, but so is that of your employer,” Dinha said. “If you can connect with your company network via your personal device, then once that device is breached, hackers can do the same thing. That’s why security on home devices is of such paramount importance.”

What Network Security Policies Should You Apply to Your Home IT?

So how can you keep your connected devices secure at home — and, by proxy, better protect your enterprise networks at work?

The first thing both home IT users and enterprise security teams should do is make sure all software is up to date. Cybercriminals can use even the most innocuous connected appliances to form massive botnets that spread malware and facilitate large-scale distributed denial-of-service (DDoS) attacks.

“The most prevalent threat is automated attacks that are trying to take over devices as they would personal computers, to assemble into a group that can be used for their own purposes,” said Wendy Nather, director of advisory chief information security officers (CISOs) at Duo Security, as quoted by Engadget.

Another basic practice that’s crucial to both home and enterprise security is password management. Be sure to create unique passwords and, if devices come with default credentials, change them immediately. To keep track of all these unique passwords, consider using a password management tool.

The Engadget piece also advised users with sufficient computing power to consider setting up a separate Wi-Fi network for their smart home devices. This can help isolate devices such as smart speakers, thermostats and other appliances from personal computers and mobile devices, which are much more likely to access sensitive enterprise data.

Finally, be sure to do your homework before purchasing IoT products and read the terms of use before activating a new connected device. Although much of this language is legal and technical jargon, you can search for consumer reviews online to see if anyone else has researched how the vendor handles personal data.

Harden Your Network With User Education and Zero Trust

Once you understand how home IT risks translate to potential enterprise security threats, it’s time to ensure that you have the right data protection policy in place. Like anything involving cybersecurity, this is easier said than done.

Let’s start with the basics: According to Dinha, a security policy covering devices at home should include two-factor authentication (2FA) and a virtual private network (VPN) at the very least. For a security strategy to be truly effective, the enterprise needs to go a few steps further, beginning with user education.

“You’ll need an extensive education of your staff as to the risks of phishing and malware,” Dinha advised. “Your team needs to know what the policies are and why — and make sure they know how to recognize a dangerous or insecure link, and never to click on a link they don’t recognize.”

The next step, according to Dinha, is to implement a zero-trust network. Think of it like taking network segmentation to a whole other level: The granularity and microsegmentation of a zero-trust network enforce rules based on users, their locations and/or other relevant details to determine whether that user, machine or app requiring access should be trusted.

This new form of network won’t authenticate until it understands who the user is, where he or she is coming from and the security status of the endpoint. Once this is established, a restrictive policy can be applied to each situation. A zero-trust policy essentially gives users, machines and apps the least amount of network access required for their current needs.
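
The decision flow described above can be sketched as a deny-by-default policy check. This is an added example, not code from the original article or from any vendor's product; the role names, location labels, resource names and the `evaluate` function are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed policy table: each role maps to the only resources it may reach.
ROLE_GRANTS = {
    "finance": {"erp.internal:443"},
    "engineer": {"git.internal:22", "ci.internal:443"},
}
TRUSTED_LOCATIONS = {"office", "vpn"}  # hypothetical location labels


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_passed: bool      # who the user is (2FA completed)
    location: str         # where the request is coming from
    device_patched: bool  # security status of the endpoint
    device_managed: bool
    resource: str         # the single resource being requested


def evaluate(req):
    """Return (allowed, reason). Nothing is trusted until every check passes."""
    if not req.mfa_passed:
        return False, "identity not verified"
    if req.location not in TRUSTED_LOCATIONS:
        return False, "untrusted location"
    if not (req.device_patched and req.device_managed):
        return False, "endpoint posture check failed"
    # Least privilege: a verified user still reaches only what the role needs.
    if req.resource not in ROLE_GRANTS.get(req.role, set()):
        return False, "resource not granted to role"
    return True, "granted for this resource only"


def sample_decisions():
    """Evaluate a few constructed requests, keyed by a short label."""
    base = dict(mfa_passed=True, location="vpn",
                device_patched=True, device_managed=True)
    requests = {
        "alice-erp": AccessRequest("alice", "finance", resource="erp.internal:443", **base),
        "alice-git": AccessRequest("alice", "finance", resource="git.internal:22", **base),
        "bob-unpatched": AccessRequest("bob", "engineer", resource="git.internal:22",
                                       **{**base, "device_patched": False}),
        "carol-home": AccessRequest("carol", "engineer", resource="ci.internal:443",
                                    **{**base, "location": "home-wifi"}),
        "smart-tv": AccessRequest("tv-01", "iot", resource="erp.internal:443",
                                  **{**base, "mfa_passed": False, "device_managed": False}),
    }
    return {label: evaluate(r) for label, r in requests.items()}
```

Note that the unsanctioned smart TV and the unpatched laptop are refused before the role table is even consulted, and a fully verified user is still limited to the resources listed for their role.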

Don’t Let Your Guard Down

If a zero-trust network isn’t an option for your enterprise, tried-and-true best practices always apply. If you have a bring-your-own-device (BYOD) policy, a mobile device management (MDM) system is a no-brainer. Keep all software on devices up to date, back up and encrypt their data whenever possible, and steer clear of public Wi-Fi networks.

Above all, organizationwide security awareness is what separates a business with strong defenses from one that is vulnerable to attack. When employees know what threats to look out for, they will look out for your business.

“The more tools and education you give your team, the more they’ll actively protect your data,” Dinha said.

This applies not only to how employees treat devices at work, but also to how they treat them at home. As the IoT ecosystem expands and threat actors increasingly focus on hijacking connected devices for DDoS and other attacks, you can’t afford to let your guard down, even in the comfort of your own home.
