Since everyone is working from home, that means your data is being handled by home routers and employees’ personal devices, which probably aren’t behind your office firewall. As you can guess, this is not the best situation when it comes to business cybersecurity or WFH security.
Luckily, unsecured devices and weird locations are totally solvable security problems – here’s a Q&A that helps you understand how one Seattle business leader successfully secured their WFH setup. The Q&A also provides helpful tips on how you can do the same.
This interview was with Brian Place, the Principal and Founder of Interplay. Interplay has been a Seattle-based IT expert since 2001 and is now one of the city’s longest-standing Managed Services Providers (MSPs), as well as one of Seattle’s only true MSPs.
Learn more about Interplay here, or just jump right into the interview.
Brian: Sure! In general, the main worry with WFH is that your business data, including extremely sensitive data, is being transmitted all day every day over routers and devices that probably don’t have the latest security patches and updates. This could result in data leaks or an increase in successful hacking attacks… which, of course, no one wants.
However, that’s only part of the problem. The rest of the issue that that there are no controls on home user devices that exist in the corporate environment. For example, a company can’t control what someone can’t do with a document when it’s on an unsecured device like a home computer. Once that data is on an uncontrolled device, there’s also no way to audit what happens to it.
Brian: Well, the easiest answer would be to make sure that everyone on your staff always has installed the latest security updates and patches on every single device they use… but in practice, this is hard to do. Routers and Internet of Things (IoT) devices are especially difficult because your staff might be using super old routers with really out-of-date firmware that might not be able to be updated or, in the case of IoT, the devices might be riddled with security problems. And, of course, not everyone on your staff knows how to update their tools and keep them secure.
But, not to worry! Businesses can manage this situation with just a little bit of forward planning. The first step is to set up policies like, “everyone has to use good passwords and multifactor authentication” and “everyone has to install updates immediately.” The second step is to enforce those policies. That second step is harder, of course.
Brian: (laughs) Of course! The main areas businesses can focus on are tools, data storage points, employee education, threat prevention, and threat detection. Let’s go through those one by one, since that list sounds kind of overwhelming now that I’ve said it aloud.
When we’re talking about tools, we’re talking about laptops, tablets, phones… things like that. These can be managed directly if the company owns them or, if you don’t own them, you can manage them using Mobile Device Management (MDM) or Mobile Application Management (MAM) tools like Microsoft Intune.
Here at Interplay, we decided a while ago that it would be easier to manage security if we just issued all of our employees Microsoft Surface laptops that were packed with cybersecurity tools. Of course, the Surface was convenient for us, but really any company-issued laptop or device is going to be easier for you to manage than a personal device would.
But I know it’s not realistic for a lot of companies to purchase WFH devices for every employee, which is why I also mentioned Microsoft Intune. Intune is a Mobile Device Management / Mobile Application Management solution that lets you control and monitor device security for your employees’ personal devices while maintaining their data privacy. I could get really in-depth talking about Intune here, but I’ll just leave it at that for now.
Once you have secure tools, you need to make sure your data stays private. For that, it’s important to pay attention to where and how you’re storing that data. At Interplay, we rely on a handful of cloud-based tools, like Microsoft 365 (formerly Office 365), Microsoft Teams collaboration software, and other cloud-based apps.
Office 365 provides a secure online storage repository for all your team’s files and emails and stuff, which means your employees won’t need to download sensitive work files to their own devices to view or update them. Obviously, this is super handy for WFH settings as well, since everyone can access their files from their dining room tables or whatever. Microsoft 365 at the same price also typically includes good multifactor authentication tools and Intune in the service. This helps solve a lot of problems if you aren’t using company hardware.
Microsoft Teams is an online collaboration solution that increases cybersecurity because it provides a secured area for all brainstorming docs, chat discussions, phone calls, videoconferences – things that might be recorded and stored on a personal device if there wasn’t already an easy-to-access online storage area for them.
Intune helps limit data storage points too, actually, because it has a setting that you can use to limit employees from downloading or copy-and-pasting business data to their device storage (phone, tablet, etc.). So, with Intune, they can securely access the data when they need it, but they can’t store it on their phone for later, which would make that data vulnerable to a thief or a hacker.
What was the next thing on my list that I was supposed to talk about? I feel like I’m talking a lot here.
Brian: Thanks! And I’m relieved to hear that this is helpful. I know this is a lot to cover, but it’s really important stuff. So then…
With all your employees working from home, you have to make sure they’re prepared to identify and stop potential cyberattacks that you would never otherwise know about.
I think we can all agree that knowledge is the key to empowerment, so your best bet is to arm your employees with knowledge.
And, quick tip: don’t treat training like a “one and done” thing. You need to keep reminding them with little refresher courses to keep their knowledge sharp. KnowBe4 is a great tool for this specifically.
But, of course, even the best-informed person is going to miss some sophisticated or very well-masked cyberthreats, so you’ll want a strong safety net as your first line of defense. In practice, this ends up with you having good antivirus software that you keep up to date, ensuring that all patches and updates are downloaded and installed properly on all devices, and using Zero Trust methodology for authentication and access, which helps keep cybercriminals out of your most top-secret data.
As cybersecurity professionals, we’ve always focused on these safety measures for all our data and devices at Interplay, so we already had all this in place before everything was WFH. That helped us set up our WFH environment very quickly without much friction – in fact, most clients didn’t even know we’d switched to WFH, which made us proud.
However, getting back to the point, it’s not too hard for a good MSP to set all that up for businesses that don’t have all these measures in place yet. We’re the people to call when you want to install and maintain your antivirus and ensure that patches and updates are properly installed on every device that accesses your data, including employees’ personal laptops, phones, and tablets.
Brian: It’s really cool and it’s great for WFH. So, I’ll have to explain this with a little bit of history, but it’ll be quick, I promise.
Typically, setting up a perimeter around your data means that you define an area that holds your data and then you set up a firewall around it. It’s easy to imagine this if you think of a castle (which holds all your data) that you’ve protected with a moat (as your perimeter).
Brian: Heck, yeah! We’re putting alligators in the moat! (laughs)
Anyway, so typical cybersecurity has relied on these castles of data surrounded by alligator-filled moats and — this analogy is really working out for me! — criminals could send in Trojan Horses and stuff that helped them skip the alligators and get unlimited access to the data castle because now they’re inside the walls.
With Zero Trust, you don’t just have a castle with a moat, you have futuristic security that you can imagine as having to wave a different keycard to access each room you want to get into in the castle. Every room and every piece of information is protected separately rather than just the outer castle walls with a moat. So, even if someone were to get into the castle without being eaten by alligators, they’d still need access cards or passwords or retinal scans or thumbprints or some other kind of impressive authentication to get into your data.
We kind of went off the rails a little bit there but, in summary, Zero Trust methodologies block unauthorized access for all sensitive data at your company, whereas “castle-and-moat” perimeters only block initial access. Building bigger walls and wider moats won’t help you if the criminals happen to find another way in.
Brian: Yup. And here you were thinking I had invented this castle analogy. Instead, you were the creative one who came up with the alligators! (laughs)
But you know, that makes me think. One of the things I find most interesting with cybersecurity during the pandemic is that it’s making all the really complicated, expensive networks that businesses spent years buying and installing in offices, well, completely worthless now.
Companies used to spend $50,000-$100,000 on a good firewall which is like an ocean-wide moat with super-robot-powered alligators bred to have a thirst for human flesh… but how much good is that incredible firewall doing right now when everyone’s accessing critical company systems and data from a cheap computer they bought from Costco over a Comcast connection they share with their TV service?
Brian: Yeah. Home environments are basically the Wild West. They’re generally non-compliant with corporate IT standards, they aren’t under IT control, and they aren’t patched up. Plus, home routers and devices are notoriously out of date because home users just don’t know any better. That means home systems have huge holes, questionable equipment, and there’s no auditing capability on those systems.
And there’s the problem, as I mentioned earlier, of Internet of Things devices. People typically now have dozens of IoT devices in their homes, including Alexa assistants, security cameras, switches, lights, and WiFi-enabled robotic vacuums… to name just a few. There are very few vendors of consumer goods that are particularly great at keeping up with software and firmware updates on these devices and any one of them could be easily turned into an attack vector that could capture sensitive business data over a shared, unsecured home network.
In the past, unpatched consumer firewalls have been harnessed into botnets – and most of these devices have a direct comm link to their maker which, if hacked, could turn the devices into information-gathering or ransomware-distribution devices.
Of course! This is all fixable with a little bit of work, and Zero Trust is one of the ways companies can start fixing the issues.
A good Managed Services Provider can help you set up Zero Trust security in a balanced way that makes it quick for authorized employees to access, but slow and difficult for unauthorized people, like cybercriminals, to access. Zero Trust is such a good model that I think it’s going to drive a lot of the industry very soon. I think corporate networks are going to get a lot simpler and less expensive, and the “smarts” are going to end up as more sophisticated layers of software on the devices themselves to control and track all authentication and access.
Brian: Thanks for that reminder!
Threat detection helps businesses quickly identify and stop hacking attacks or other cyberthreats. There are generally four kinds of threat detection: (1) 24/7/365 network IT monitoring, (2) EDR Antivirus or “next gen” antivirus, (3) Managed Detection and Response or MDR, and (4) the traditional SIEM approach. At Interplay, we rely on Managed Detection and Response.
24/7/365 network IT monitoring is something that most Managed Services Providers (MSPs) focus on. At its most basic level, it means you have an automated system that’s keeping an eye on your status and performance monitoring around the clock. The system will check to see if specific services are running, or if you’re running low on memory or disk space. The system will send out alerts if it finds oddities that don’t fit its expectations or settings, or if it discovers that patches are missing or a virus was detected by your antivirus software. IT and network monitoring is important for when you need to keep an eye on your company’s hardware, like when it’s being used for extended periods of time in an uncontrolled network environment like WFH.
EDR Antivirus, or “next gen” antivirus, goes beyond the simple black-and-white classification of issues that IT and network monitoring performs. It offers a complete view of everything that’s going on inside a single system. EDR Antivirus can identify and report on suspicious activity and, in some cases, can freeze or shut down things that look “weird.” It can also take the computer off the network, so the “weird” thing can’t potentially infect other computers on the network. EDR Antivirus is around $5-10 per month per device, versus the $1-2 per month that regular antivirus costs. In my opinion, it’s likely to be the dominant security software in a few years.
Managed detection and response (MDR) is the next level up from EDR Antivirus and, as far as I know, only one vendor offers it and it’s only delivered by select MSPs. MDR differs from EDR Antivirus in two ways:
MDR typically costs about $15 per device and it’s a great choice for servers especially, but can work in other situations too.
Okay, there was network monitoring… EDR… MDR… oh! That’s what I’m forgetting!
The fourth option is Security Information and Event Management (SIEM), which requires you to build an elaborate system comprised of a bunch of interconnected tools that log everything that happens on every device you have. And I mean every device, including the ones you don’t think about, like switches and backup systems. Once you have all the logs collected from all these devices (that’s a huge amount of data), you use a SIEM to look through the logs and ID weird behavior. It takes a small army to set up and maintain these systems but, of course, they’re the gold standard for larger, very security-conscious companies.
However, I have to say that these days, it’s amazing how close you can get to the performance of a SIEM just by using MDR at $15 per device without the insane complexity.
And now, I think I’ve talked enough. Right? I’m out of breath! (laughs)
Brian: Definitely! Thank you again for a great interview! Seattle business leaders can always reach out to Interplay’s team of friendly IT experts for advice or to get started setting up their WFH or office cybersecurity.
For leaders who are more DIY, I can also recommend the free Network & IT Health Self-Assessment, which gives you an idea of where you need to focus your attention first, when you’re ready to improve your security.