Working From Home in Dual Income Households
Notes for securing WorkFromHomeÂ
My friend and his wife have a big apartment for lower Manhattan, 1500 sq ft. But as is typical for a married couple in their late 30s, they are a dual-income household. He works in the financial industry, and she works for a marketing agency. Their careers couldn't be more different. But as COVID-19 has confined New Yorkers to their respective square footages, he and his wife are working from the same room. That big apartment is a whole lot smaller when a senior manager at a Fortune 50 bank is sharing the same space as a senior leader at a marketing agency. Their story is not unique.Â
 But what can we do in Cloud Security to ensure privileged information from his bank is not overheard by an influencer in London who happens to be on a call with my friend's wife? Should we take into account a marketing agency's lax approach to network security when we consider security measures for our banks? How can a financial institution protect its networks and IP with distributed employees?
 When company leadership establishes work-from-home models, we in IT can't assume our employees work in a bubble. They're sharing connections, rooms, maybe even PCs with at least a significant other and perhaps even a child who is remote learning. We need to protect our networks like we would if everyone worked 100% of their time on a crowded subway car.Â
 I look at work-from-home security as a two-pronged approach. It is a shared responsibility between you and your employer, with the employer defining a proper employer-owned or BYOD security policy and the employee adhering to the plan. We need to remember that security goes beyond encryption, it becomes a people-centric solution. If we apply the people, process, and technology approach, we can secure our systems with more than a modicum of self-assurance.
 One of my favorite quotes from the movie Men in Black is "A person is smart. People are dumb, panicky dangerous animals, and you know it." When we design best practices and policies, we should consider the lowest common denominator. And we all know that denominator is not necessarily in the mailroom, its sometimes in the ivory tower. Some of the smartest people I've ever met also have been some of the most situationally naive, myself included.Â
 There are three significant ways employees can contribute to network and IP security:
Securing their home-router
 Creating password rules for employees to adhere will create a foundation for successful security confidence. We've all seen and laughed at the XKCD comic about passwords. But there's no way we can communicate upwards that CorrectHorseBatteryStaple is a more secure password than Tr0uba4or&3. I like to think that creating strong password rules for employees is more than plausible deniability, it's plausible certainty.
  So what technology should you employ?Â
 Two-factor is an obvious first step. While password security provides basic security, there is little to prevent someone from sharing the password with someone else. It would be relatively simple for someone to get on the network and using a "Packet Sniffer" (an application that can review network traffic) and watch for any unencrypted information useful to them.
 Dual-income households themselves produce interesting problems for companies but don't necessarily require creative solutions. Multiple computers from separate companies can run within the same home network. Still, the most secure way of doing this is to enable Network Isolation on your home network to prevent individual devices from communicating directly with each other through the router.
 Ensure your antivirus/anti-spyware software is up-to-date and enabled on workstations deployed to your users - this can help avoid a cross-system infection within your home network
 If your applications are not all cloud-based and   accessed via a web browser over TLS/SSL connections, ensure that your   systems connect back to your data center/hosting provider via a VPN   connection. Best if it automatically connects without requiring user   interaction
Allow split tunneling on the VPN connection to prevent   all user traffic (streaming, video conferencing, VoIP calling, etc.) not   intended for corporate systems from traveling through the company network
 A software option to reduce the risks of working on a shared network would be purchasing a reputable Virtual Private Network Service. Using a VPN effectively creates your own private network and end-to-end encryption.Â
 Another issue relates to BYOD. Many companies shifted aggressively (or were forced) into work-from-home models and, as a result, have needed employees to use their personal computers. Acers, Apples, Dells, HPs, and custom builds are now under the same IT policy.
 In the scenario where your users must use a personal computer or tablet to access company systems or services, your best-case scenario is to ensure enrollment of the device in an Enterprise Mobility Management solution. As an example of this, using Microsoft Intune will ensure that corporate resources are provisioned to those systems based on what you choose, and can be entirely removed by IT when required.
 For households where multiple users share the personal computer or tablet, ensure that the profile that your users log in to is separate from others who will use the system and ensure that the password is not shared.
 Screen obscuring: When I was at HP, I briefly had the opportunity to consult with the NPI team on SureView, their screen hiding technology. With the click of a button, the screen will obscure from every angle except head-on. Other commercial PC manufacturers have started implementing such technology, but it hasn't made its way to consumer PCs yet. I expect that will change as work from home models displace traditional offices. Without an automatic or bolt on screen hider, have your users position their workspace in such a way that the screen is not visible from outdoors to protect corporate data from theft via shoulder surfing. Additionally, set short timeouts for screen locks to avoid misuse of a system by others in the same household.
At the end of the day, security should be layered by applying the People, Processes, and Technology approach. With each having different roles to play. People can create some of the most significant risks to security. However, when well informed, they can also be an asset and the first line of defense. Often, cybercriminals will specifically target people as an attack vector based on their lack of knowledge for security best practices. For example, cybercriminals might target people with phishing emails designed to get them to click on a malicious link or divulge credentials. Knowledge, they say, is power.
 Our government flipped the switch and forced us to work from home. The silver lining is the security officers, information officers, and operations officers can very quickly turn into rock stars. Implementing proper work-from-home security policy, developing a working and scalable cloud infrastructure, and getting weird by experimenting with business model adjustments to account for the new normal will ensure that the stigma of working from home won't return. Happy employees are productive employees, and if the employee can get their work done efficiently at the beach (or riding a crowded subway car) while strictly adhering to security and IT policy, our archaic office model shouldn't have to persist.