Securing Work from Home Wi-Fi Access

Wi-Fi networks, whether in public or private, are by their very nature dirty. Security professionals warn that every network carries inherent risk to our devices, data and resources, because they are exposed a myriad of attacks, including these “Dirty Half Dozen” Wi-Fi risks: eavesdropping; exploits; evil-twin Wi-Fi; lateral network infections; DNS hijacking; and scanning, enumerating and fingerprinting.

Safe at Home?

However, at least for the next month or more, Work from Home (WFH) has supplanted all other remote work locations; employees simply aren’t working in mostly closed or near empty public spaces like airports and coffee shops.  Experts acknowledge that security teams aren’t ready for the inherent risks that also exist on home Wi-Fi networks.

Threat actors are smart and adaptive, and attacks on employees working from home are already increasing in the new WFH reality. Attackers know that on-premise enterprise security stacks can’t protect devices of those working from home and that home Wi-Fi networks, like public ones, don’t have enterprise multi-million-dollar security stacks protecting them.

Unmanaged consumer devices like personal computers, smartphones, home IoT devices and gaming consoles) on home Wi-Fi increase the attack surface. Many family members don’t understand the risks of spam, and they can’t spot the difference between real and fake apps; gamers often download executable code, and teens have been known to browse some of the Internet’s riskiest sites. 

There are strong odds that once a device on the home network is corrupted with malware, the other devices will also become corrupted. Organizations have no visibility or control over these home Wi-Fi networks, and therefore cannot trust them.

The VPN Myth

Many organizations use VPNs for secure remote access for employees working from home. However, there are two problems associated with this: VPNs only encrypt data in transit and don’t isolate the device from the home Wi-Fi network, meaning devices are still exposed to threats. But more importantly, VPNs aren’t practical for full enterprise-scale usage – the resulting slow connections from overloaded VPN servers frustrates users and kills all productivity.

How Can Organizations Make WFH More Secure?

Good home Wi-Fi hygiene can reduce the attack surface and there are simple steps that tech savvy WFH employees can take to improve it:

  • Creating strong passwords for Wi-Fi networks

  • Changing router default passwords

  • Segmenting networks for different types of devices – Guest Wi-Fi network for guests and IoT devices, etc.

  • Keeping router’s firmware up to date

Despite these, the risk will persist for organizations with WFH employees because they will never achieve full compliance, and enforcement is impossible. That leaves organizations needing to find an easier way for securing WFH employees.

Extending Zero Trust Access to Any Remote Wi-Fi Connection

Assuming all networks are dirty is fundamental to any effective remote work security strategy such as Zero Trust. To ensure that a home worker doesn’t corrupt the corporate network or otherwise expose key assets, it’s crucial to find a way to isolate their devices from their untrusted home Wi-Fi networks. 

The answer lies in micro-segmentation for all remote devices: extending Zero Trust access to any remote Wi-Fi network connection.

The Center for Internet Security’s Wireless Access Controls recommends users “Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.” 

This is exactly what micro-segmentation achieves: the device is physically isolated from the rest of the home Wi-Fi network’s devices and hazards. By giving WFH employees their own plug and play USB hardware that delivers a “micro-segment of one,” the individual’s device and the organization’s network are protected from home Wi-Fi borne threats that security software doesn’t address.  

It’s a win-win. Security administrators get real-time security policy enforcement capabilities and proof of compliance over devices connected to uncontrollable Wi-Fi networks.

For the first time, it’s easy to deploy, provision and manage security in WFH environments. The only other secure current alternative – installing network security gateways and cloud controllers on every remote employee’s home Wi-Fi network for traditional network segmentation – is unrealistic and unscalable across the enterprise.  

WFH is the new reality. Organizations have a responsibility to make working from home both frictionless and secure. Endpoint micro-segmentation is a practical, plug and play approach to improving the current home Wi-Fi security gaps.

Cleaning up “Dirty” Wi-Fi for Secure Work-from-Home Access

RSAC Insights: Matias Katz, CEO and Founder of Byos - Enterprise Security Tech