When Hackers Come Knocking: Protecting Corporate Networks When Working from Home

With the rapid increase of remote workers, many employers have a remote or telework policy. There are enormous benefits to allowing employees to work remotely, either from home or while on the road, but telework can open your company up to numerous cyber threats and vulnerabilities that can be very disruptive, and even devastating, to a business. Hackers can use an employee’s home as an entry point into a corporate network, leaving your company vulnerable to:

• Exfiltration of sensitive user information and company tradecraft, including intellectual property
• Manipulation and/or destruction of data
• Malware and ransomware
• Compliance issues, fines, and loss of public faith and reputation

It’s very likely that an employee’s home network does not have the same level of security as a corporate network. Home networks often use lower security wireless standards which could allow hackers within physical range of a network to gain access to it. Hackers can also breach networks by using newly discovered flaws in physical hardware, such as the recent VPNFilter router malware issue reported on extensively in the media.

We live in a world where increasing numbers of everyday devices are connected to the Internet—from smart TVs, kitchen appliances and fitness trackers to medical devices, HVAC systems, home security systems and even cars. These Internet of Things (IoT) devices make our lives easier, but they also come with serious risks to cyber security—in the race to be first to market, many manufacturers design and ship IoT devices with little or no security measures built in. This is an enormous problem and a major opportunity for almost unlimited hacking potential. These devices collect huge amounts of user data that can be a goldmine for hackers and cyber criminals. Let’s break down the problem.

Top Three Cybersecurity Issues

Most IoT devices have one thing in common: they’re connected to a home network and/or a smartphone. This creates a series of issues from a cybersecurity standpoint.

1. Many IoT devices don’t require complex passwords, and often users employ the default password option, which provides next to no security.
   
2. Devices connected to a home network can potentially be a gateway for hackers to infiltrate that network, and if one or more connected devices such as a work laptop, also accesses the corporate network, all a hacker has to do is break into one of the connected devices to potentially access the corporate network as well. For example, if one of your people has weak security settings on a smart TV, then the hacker can use that entry as an access point to a home network, work computer and therefore your corporate network.

3. IoT devices collect vast amounts of user data, from  geographic location at any given time to internet browsing habits and online purchases. We freely give away this information by accepting the terms of use of IoT devices and device manufacturers routinely sell this data for marketing and other purposes. From a cybersecurity standpoint, the user data we provide through our IoT device use can be used by cyber criminals and hackers to build a pattern of life on when we are home or where we are at a particular time on any given day and using this information for cyberattacks. In a recent news story, an Amazon Alexa IoT device recorded a user’s personal conversation and emailed the recording to one of the user’s contacts, which Alexa had access to per the terms of use. The risk is that personal assistants, such as Alexa, are always on and always listening and recording ambient conversation by default, in order to pick up on the keywords that put the devices into active mode. In this case, Alexa thought the user told it to record and send the conversation to a particular person. This presents a significant threat. If an employee is working from home, the potential exists for a phone or web conference that includes confidential company information to be recorded and potentially accessed by a malicious user.

What Should Your People Do

What are the Top 4 Things Remote Employees Should do and Leaders Should Mandate?

1. In order to mitigate the risk associated with widespread IoT device use, businesses should ensure that users never employ default security settings on IoT, network, or any other devices.  It’s critical that the highest security and privacy settings possible are always used, including complex passwords that contain alphanumeric and non-alphanumeric characters.

2. Employees working from home should turn off recording capability on all personal assistant devices.

3. Employees need to be sure that home networks have strong encryption and access corporate networks via a Virtual Private Network (VPN). It is critical to separate IoT devices from work devices. Most home routers will allow users to create a separate guest network, usually a secure WPA2 encrypted network, that can be used only for IoT or other less secure devices.

4. Users should always download current update patches for their network.  

These steps combined with cybersecurity awareness and a good amount of common sense can go a long way towards combating cyber threats that can potentially wreak havoc on corporate networks, sensitive data and intellectual property. Even better would be to make sure your team is trained! Whether you are responsible for board and executive cybersecurity training, cybersecurity certification training, or have custom education needs, CyberVista has the information security training to fit your needs.