October is National Cybersecurity Awareness Month (NCSAM), and as the relevance of cybersecurity at home and at work continues to explode, there’s never been a better time to highlight certain underlying themes that we may not think about enough all year. An often overlooked issue is the importance of securing our home devices with strong network security policies, just like your Security Operations Center (SOC) likely does at work.
Home is where the data is
In the modern workplace, personal devices inevitably end up on corporate networks. Here’s a sobering statistic: According to a recent Infoblox report, around a third of businesses in the US, UK and Germany have more than 1,000 phantom or rogue Internet of Things (IoT) devices connected to their network on a typical day. In the UK, 12% of companies surveyed reported more than 10,000.
Even more alarming, 46% of these devices are smart TVs and 33% are smart kitchen appliances. These types of IoT hardware are far from inherently secure; since their primary purpose is not to host proprietary data, the risks are often overlooked.
If any of these personal devices are breached, the impact on the individual and business can be dramatic. Francis Dinha, CEO of OpenVPN, has studied the effect of these breaches and said poor employee decisions sabotage companies’ security initiatives.
“If you work from home and your personal device is hacked, not only is your own personal data at risk, but your employer’s is as well,” Dinha said. “If you can connect to your corporate network through your personal device, once that device is hacked, hackers can do the same thing. That’s why the security of home devices is of paramount importance.”
What network security policies should you apply to your home computing?
So how can you secure your connected devices at home and, by proxy, better protect your corporate networks at work?
The first thing home IT users and corporate security teams should do is make sure all software is up to date. Cybercriminals can use even the most innocuous connected devices to form massive botnets that spread malware and facilitate large-scale Distributed Denial of Service (DDoS) attacks.
“The most prevalent threat is automated attacks that attempt to take control of devices as they would personal computers, to assemble them into a group that can be used for their own purposes,” said Wendy Nather, director of advisory CISOs at Duo Security, as quoted by Engadget.
Password management is another crucial basic practice for home and business security. Be sure to create unique passwords and, if devices come with default credentials, change them immediately. To keep track of all those unique passwords, consider using a password management tool.
The Engadget article also advised users with sufficient computing power to consider setting up a separate Wi-Fi network for their smart home devices. This can help isolate devices like smart speakers, thermostats, and other devices from personal computers and mobile devices, which are much more likely to access sensitive company data.
Finally, be sure to do your homework before buying IoT products and read the terms of service before activating a new connected device. While much of this language is legal and technical jargon, you can search for consumer reviews online to see if anyone else has researched how the provider handles personal data.
Strengthen your network with user education and Zero Trust
Once you understand how home IT risks translate into potential business security threats, it’s time to make sure you have the right data protection policy in place. Like everything in cybersecurity, this is easier said than done.
Let’s start with the basics: according to Dinha, a security policy covering home devices should include at least two-factor authentication (2FA) and a virtual private network (VPN). For a security strategy to be truly effective, the company must go further, starting with user training.
“You will need extensive training of your staff on the risks of phishing and malware,” advised Dinha. “Your team needs to know what the policies are and why — and make sure they know how to recognize an unsafe link, and never click on a link they don’t recognize.”
The next step, according to Dinha, is to set up a zero-trust network. Think of it as taking network segmentation to a whole new level: the granular microsegmentation of a zero-trust network applies rules based on users, their location, and/or other relevant details to determine whether the user, machine, or application requesting access should be trusted.
This new form of network won’t authenticate a request until it knows who the user is, where they are connecting from, and the security status of the device. Once this is established, a restrictive policy can be applied to each situation. A zero-trust policy essentially gives users, machines, and applications the least amount of network access required for their current needs.
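The decision flow described above, sketched as an added example that is not from the original article or any vendor's product. Every user, role, location and resource name is hypothetical, and the policy tables are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_passed: bool       # result of the 2FA challenge
    location: str          # where the request comes from
    device_patched: bool   # device software is up to date
    device_managed: bool   # device is enrolled in MDM
    resource: str          # what the user is asking to reach

# Constructed policy data (assumptions for this example only).
USER_ROLES = {"alice": "engineer", "bob": "finance"}
ROLE_RESOURCES = {"engineer": {"git", "wiki"}, "finance": {"ledger", "wiki"}}
TRUSTED_LOCATIONS = {"office", "home-vpn"}
SENSITIVE = {"git", "ledger"}

def decide(req):
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    role = USER_ROLES.get(req.user)
    if role is None:
        return False, "unknown user"
    if not req.mfa_passed:
        return False, "2FA not completed"
    if req.location not in TRUSTED_LOCATIONS:
        return False, "untrusted location"
    if not req.device_patched:
        return False, "device software out of date"
    # Least privilege: only resources the role needs are reachable at all.
    if req.resource not in ROLE_RESOURCES[role]:
        return False, "resource not needed for role"
    # Device posture tightens the rule for sensitive resources.
    if req.resource in SENSITIVE and not req.device_managed:
        return False, "unmanaged device on sensitive resource"
    return True, "allowed"

if __name__ == "__main__":
    samples = [  # constructed sample requests
        AccessRequest("alice", True, "home-vpn", True, True, "git"),
        AccessRequest("alice", True, "home-vpn", True, False, "git"),
        AccessRequest("alice", True, "cafe-wifi", True, True, "wiki"),
        AccessRequest("bob", True, "office", True, True, "git"),
    ]
    for s in samples:
        print(s.user, s.location, s.resource, "->", decide(s))
```

The same user on the same VPN is allowed or denied depending on device posture and the resource requested, which is the per-request evaluation that distinguishes zero trust from a one-time perimeter login.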
Don’t let your guard down
If a zero-trust network isn’t an option for your business, proven best practices still apply. If you have a bring your own device (BYOD) policy, a mobile device management (MDM) system is an obvious choice. Keep all device software up to date, back up and encrypt device data where possible, and avoid public Wi-Fi networks.
Above all else, organization-wide security awareness is what separates a company with strong defenses from one vulnerable to attack. When employees know what threats to watch out for, they will watch over your business.
“The more tools and training you give your team, the more actively they will protect your data,” Dinha said.
This applies not only to how employees handle devices at work, but also to how they handle them at home. As the IoT ecosystem grows and threat actors increasingly focus on hacking connected devices for DDoS and other attacks, you can’t afford to let your guard down, even from the comfort of your home.