The ability to work from home seems to have seeped into people's consciousness like it's something normal and expected. Employees now ask if they can work remotely when applying for a new job, and companies have to take this into consideration. But these expectations are changing the cybersecurity landscape and force organizations to adapt to a new paradigm in which employees are no longer entirely under the protective umbrella of the corporation. The responsibility for employees' cybersecurity is no longer clear-cut, and new definitions are needed.
The switch to work-from-home took place in many countries literally overnight. One day we're all working from the office, and the next day everyone is in the living room. In an ideal situation, employees had their work devices with them, and the company already had some infrastructure allowing people to connect remotely.
Such situations weren't the norm, as most companies had to quickly deploy the necessary infrastructure, purchase the right VPN solutions, and keep their workers safe. But a new responsibility appeared, one that wasn't present before; that of the employee who has to be extra vigilant to ensure their security and that of the company they work for.
The burden of responsibility
Bitdefender's telemetry shows that people have been using their devices for much more than simply working from home. The same devices have been used to shop online and have even been used by the kids taking part in online classes. Whatever the reason, using work devices for anything but work is a security risk, and it’s greatly exacerbated by the fact that people work from a less secure environment.
Worrying about corporate security when working from the office was usually an afterthought. It was much harder to compromise the infrastructure. Usually, there are layers upon layers of protection, all designed to prevent harm from employees’ inevitable mistakes.
Working from the living room is not quite the same. A cheap router replaced the complex web of network protection, and the same home network used by people to work is home to numerous IoT devices, many of which are likely unpatched and vulnerable. Surely this means that some part of that responsibility now falls into the employee's lap.
The situation is too complex for a simple solution
A piece of single universal advice, a single software solution or a 10-step guide to secure the home office and never worry about it again doesn't exist. It's a nice thought, but every situation is different, and needs various measures. But there is one motto in cybersecurity that encompasses both the most significant problem and the solution: the weakest link is between the chair and the keyboard. If we fix this problem, we take care of much of the security of the work-from-home situation.
First of all, the home network has to adapt to the new security requirements, meaning that people have to pay a lot more attention to routers. In the best-case scenario, they can choose an ISP that can provide a router capable of protecting a smart home. Following that is investing in software in a modern router with better security or at the very least patching the old one and keeping it up to date.
Secondly, companies have to invest more in training employees to recognize threats, and employees have to be much more careful when working from home. If the issue of work-from-home security is ever to be resolved, we must first recognize the split responsibility and plan according to the new paradigm.