When COVID-19 hit, we saw an unprecedented number of people start working from home. Lockdown came around very quickly, with little time to prepare, so most companies scrambled to get remote working in place and avoid as much loss of productivity as possible. Most companies have continued the practice, but not all are secure.
Companies set up VPNs so that staff now working off site can connect to the company network. This is all very good, but what device is the staff member using, and which network are they connecting from?
A VPN creates a secure connection from one device or network to another. In most cases for work purposes this will be a corporate network which allows access to files, intranets or CRMs.
This is great. But what if the computer connecting to the corporate network is on a home network that has been compromised with malware?
A scenario for this would be a home network with multiple computers shared by the whole family. If, say, the teenage son downloaded a pirated computer game that contained malware and installed it on his computer, the malware could in turn spread to all the devices on the home network. Here lies the problem: as soon as the VPN connection is made to the corporate network, the malware has direct access to it.
The problem isn’t the security of the VPN; it’s the home environment and the risk that there’s malware from files a family member may have inadvertently downloaded.
How can this be stopped?
Don’t use a VPN.
For file management, look at using Google Suite, Amazon or Office 365, but do make sure there are access roles in place so that home users only have access to a limited area. That way, in the unfortunate event that their account is breached, the impact of that breach is limited.
For third-party services, look at making them available online with heightened security, such as IP access rules and ongoing pen-tests for exposed infrastructure.
However, when exposing any internal tool such as a CRM to the internet, make sure it’s secure by undertaking a CRM penetration test.
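The IP access rules mentioned above can be sketched as follows. This is an added example, not code from the original article. The address ranges, the proxy address and the function names are constructed for illustration.

```python
import ipaddress

# Constructed allow-list using documentation ranges: an office egress range,
# one remote worker's static address, and an IPv6 prefix.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.17/32"),
    ipaddress.ip_network("2001:db8:42::/48"),
]
# Constructed address of the organisation's own reverse proxy.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def normalise(addr_text):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(addr_text.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_allowed(ip_text, networks=ALLOWED_NETWORKS):
    """True only if the address is inside an allowed range; fails closed."""
    try:
        addr = normalise(ip_text)
    except (ValueError, AttributeError):
        return False  # unparseable or missing input is denied
    return any(addr.version == net.version and addr in net for net in networks)


def effective_client(peer_ip, x_forwarded_for=None, proxies=TRUSTED_PROXIES):
    """Choose the address the rule is applied to.

    X-Forwarded-For is set by the client, so it is honoured only when the
    TCP peer is our own proxy; the right-most entry is the one it appended.
    """
    if x_forwarded_for and is_allowed(peer_ip, proxies):
        return x_forwarded_for.split(",")[-1].strip()
    return peer_ip


if __name__ == "__main__":
    for peer, xff in [("203.0.113.50", None),
                      ("::ffff:203.0.113.50", None),
                      ("192.0.2.10", "203.0.113.50"),   # header ignored
                      ("10.0.0.5", "192.0.2.10, 203.0.113.50")]:
        print(peer, xff, is_allowed(effective_client(peer, xff)))
```

An IP rule only narrows who can reach the login page. It complements, rather than replaces, the access roles and penetration testing described above.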
If you need to use a VPN, look at ways to reduce the risk.
Firstly, use a dedicated work router connected to the home network. This will shield the network and work laptop/computer from other devices on the home network and lower the risk of malware infection, as home devices cannot connect to it. It is important that security controls are in place on the work devices so that they do not connect to other networks, in case the user accidentally uses the wrong home network.
Secondly, run an internal vulnerability scan and internal network pen-test on those VPN devices to confirm that the devices themselves are secure on a network level. This will confirm that, if a home device is subject to malware, it cannot use any vulnerabilities or weaknesses in the work laptop to infect the work laptop and then the work network.
If you’d like to know more about the risks of home networking and how to reduce them, please contact us.