October is National Cyber Security Awareness (NCSAM) month, and as the relevance of cybersecurity at both home and work continues to explode, there’s never been a better time to underscore some underrated themes that we may not think enough about year-round. One oft-overlooked issue is the importance of securing our home devices with hardened network security policies, just as your security operations center (SOC) likely does at work.
Home Is Where the Data Is
In the modern workplace, personal devices inevitably find their way onto enterprise networks. Here’s a sobering statistic: According to a recent Infoblox report, about one-third of U.S., U.K. and German companies have more than 1,000 shadow, or unsanctioned, Internet of Things (IoT) devices connected to their network on a typical day. In the U.K., 12 percent of companies surveyed reported more than 10,000.
Even more alarming, 46 percent of those devices are smart TVs, and 33 percent are smart kitchen devices. These types of IoT hardware are far from inherently secure; because their core purpose is not to host proprietary data, the risks often go overlooked.
Should any of these personal devices become breached, the impact to both the individual and the enterprise can be dramatic. Francis Dinha, CEO of OpenVPN, has studied the effect of these breaches and said that bad employee decisions are sabotaging corporate security initiatives.
“If you’re working from home and your personal device is breached, not only is your own personal data at risk, but so is that of your employer,” Dinha said. “If you can connect with your company network via your personal device, then once that device is breached, hackers can do the same thing. That’s why security on home devices is of such paramount importance.”
What Network Security Policies Should You Apply to Your Home IT?
So how can you keep your connected devices secure at home — and, by proxy, better protect your enterprise networks at work?
The first thing both home IT users and enterprise security teams should do is make sure all software is up to date. Cybercriminals can use even the most innocuous connected appliances to form massive botnets that spread malware and facilitate large-scale distributed denial-of-service (DDoS) attacks.
“The most prevalent threat is automated attacks that are trying to take over devices as they would personal computers, to assemble into a group that can be used for their own purposes,” said Wendy Nather, director of advisory chief information security officers (CISOs) at Duo Security, as quoted by Engadget.
Another basic practice that’s crucial to both home and enterprise security is password management. Be sure to create unique passwords and, if devices come with default credentials, change them immediately. To keep track of all these unique passwords, consider using a password management tool.
The Engadget piece also advised users with sufficient computing power to consider setting up a separate Wi-Fi network for their smart home devices. This can help isolate devices such as smart speakers, thermostats and other appliances from personal computers and mobile devices, which are much more likely to access sensitive enterprise data.
Harden Your Network With User Education and Zero Trust
Once you understand how home IT risks translate to potential enterprise security threats, it’s time to ensure that you have the right data protection policy in place. Like anything involving cybersecurity, this is easier said than done.
Let’s start with the basics: According to Dinha, a security policy covering devices at home should include two-factor authentication (2FA) and a virtual private network (VPN) at the very least. For a security strategy to be truly effective, the enterprise needs to go a few steps further, beginning with user education.
“You’ll need an extensive education of your staff as to the risks of phishing and malware,” Dinha advised. “Your team needs to know what the policies are and why — and make sure they know how to recognize a dangerous or insecure link, and never to click on a link they don’t recognize.”
The next step, according to Dinha, is to implement a zero-trust network. Think of it like taking network segmentation to a whole other level: The granularity and microsegmentation of a zero-trust network enforces rules based on users, their locations and/or other relevant details to determine whether that user, machine or app requiring access should be trusted.
This new form of network won’t authenticate until it understands who the user is, where he or she is coming from and the security status of the endpoint. Once this is established, a restrictive policy can be applied to each situation. A zero-trust policy essentially gives users, machines and apps the least amount of network access required for their current needs.
Don’t Let Your Guard Down
If a zero-trust network isn’t an option for your enterprise, tried-and-true best practices always apply. If you have a bring-your-own-device (BYOD) policy, a mobile device management (MDM) system is a no-brainer. Keep all software on devices up to date, back up and encrypt their data whenever possible, and steer clear of public Wi-Fi networks.
Above all, organizationwide security awareness is what separates a business with strong defenses from one that is vulnerable to attack. When employees know what threats to look out for, they will look out for your business.
“The more tools and education you give your team, the more they’ll actively protect your data,” Dinha said.
This not only applies to how employees treat devices at work, but at home as well. As the IoT ecosystem expands and threat actors increasingly focus on hijacking connected devices for DDoS and other attacks, you can’t afford to let your guard down, even in the comfort of your own home.