Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: Home Office Security Considerations


Quick Take

On this week’s episode, the Compliance Unfiltered guys are invading your home! Home office, that is, as they take an in-depth look at Home Office Security. With the transition we’ve all undergone in the last few years, it’s important for organizations and employees alike to focus on having their home office cybersecurity bases covered. From your home workstation, to at-home data handling, to your home network concerns, the Compliance Unfiltered guys have you covered. All these topics and more, on this week’s episode of Compliance Unfiltered!

Highlights include:

  • What are some initial considerations for folks working from home?
  • Machine setup — what should you have on your laptop/workstation?
  • What about connections to work assets?
  • Data handling in the home office
  • What about the home network?
  • What should personnel be on the lookout for?
  • Things to avoid

These topics and more on this week’s episode of Compliance Unfiltered!

Remember to follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks

Transcript

So let’s face it, managing compliance sucks. It’s complicated. It’s so hard to keep organized and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow with Adam Goslin.

Well, welcome to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside a man who knows compliance as if it were his own family member, Adam Goslin. Adam, how the heck are you?

I’m good. 

Morning. Morning indeed. Today we’re talking about something where the phrase “morning” really does apply. Because for those of you who are not aware, whenever you hop on the phone with Adam, it could be 11pm, it could be 4am, it’s always morning. And the reason I say that’s particularly applicable today, Adam, is because we’re talking about working from home, and specifically home office security conditions. It can feel a little bit like Groundhog Day when you’re working from home, and so you can get a little lax on your home security. What are some of the initial considerations for folks working from home?

Well, first of all, making sure that you’re following the policies of your organization. The guidelines for what you should be doing, and how, and all that fun stuff really apply whether you’re sitting in the office or working from home. In some cases, the frontliners don’t really have any idea what the policies are. So take a minute. It sounds like a no-brainer, but get a copy of the policies, take a look at them, read them through, and make sure you’re doing everything you’re supposed to be doing. As folks are going through reading those policies, some of the things we bring up in this session are going to be no-brainers, and some are going to be, oh geez, I never really thought about that. As you’re going through this session, if you hear things we talk about that aren’t in your policies, or aren’t clear, or whatever it may be, bring those things up to your organization. It may be things they didn’t consider. It may be things they thought were no-brainers but didn’t bother to put into the policies, that type of thing. So bring them up. That’ll give an opportunity for a feedback loop and for making some improvements, and you may be bringing things up to the organization that they never really thought about, too.

That’s a good point. So let’s talk about the machine setup, right? Like, what should you have on your laptop or your workstation?

So, several things. This is going to be kind of all over the board. Antivirus: making sure you’ve got antivirus on your machine, that it’s running, that it’s being kept up to date, that it’s sending out alerts and actually monitoring things, and that you can’t shut it off. Another arena is disk encryption. You’ve got your office laptop that you had at the office, but now you’ve got it at home. Make sure there’s disk encryption on that device. That way, even if it’s temp files from web traffic, if somebody steals the machine... This actually happened to somebody, and it caused quite an uproar, shall we say. They were on their way to work, or on their way home from work, and got their car broken into while they were grabbing breakfast or dinner, and they had the machine stolen, which caused a myriad of issues and problems. So make sure you’ve got disk encryption on your devices. Your screen saver: make sure your machine is turning off after a relatively short period of inactivity. For most organizations it’s 15 minutes or less. Some of them are a little more strict and make it five minutes, that type of thing. So make sure your screen saver is actually turning on. Make sure that something is handling the patching of the hardware and the software, that your machine is being kept up to date, and that it’s doing it on a regular basis. In some cases the application of the patching is being monitored, but the staff controls when they want to do it.

In other cases, those patches are getting pushed from a central console on a schedule. But make sure those patches are actually getting applied to your system. Password management systems: make sure you’ve got a password management system. We did an entire podcast on passwords, and there’s all sorts of in-depth information around one of my favorite topics. But just make sure you’ve got a password management system that’s approved by work, so that you can leverage it to store all of your passwords, making sure your passwords are different, things along those lines. The local firewall on your machine: make sure it’s turned on and that it can’t get turned off. If you’ve got the ability to turn it off, then maybe that’s a discussion. Make sure you’re actually using your work-approved machine, not your home device.

All of the controls we’ve been talking through that should be on the machine are governed centrally by the organization. That gets completely thwarted if you’re now using your home machine; the organization doesn’t have any control over what’s going on there. And lastly, for the machine itself, get one of those little sliding covers for the camera. That way you’re only displaying video from your machine when you’re actually planning to do it.

Well, let me ask you about that before we move forward, because I’m just personally curious. How often is that an issue? 

The video cover? 

Yeah.

Oh, well, there was a whole period of time where people were hacking into people’s video cameras and whatnot, and keep in mind that those camera setups often come along with connections to voice as well as image, et cetera. So yeah, you can’t do anything about the voice side of it, but at least from an imaging perspective, depending on where your machine sits, who knows what could be behind the lens, if you will. So it’s just easier to leave the cover closed. Most certainly.

What about connections to work assets? Just going back to it here.

So, making sure that as you’re connecting to work stuff, whether I’m connecting to a website or connecting to the network, whatever, you’re forced to use secure connections. If you’re on websites and whatnot, look for the lock symbol, look for HTTPS on the site in question. If you see any that don’t have that, you can start asking questions. And the VPN, in order to make the connection to work: that’ll protect the data and the information from the host, from the laptop, to its destination over at work. You want to make sure you’re using that VPN so that that tunnel, if you will, is handled appropriately for the connection to the work environment.

Now, what about data handling in the home office? I’m sure that’s something that comes up, right?

Yeah, well, you figure folks have printers in their home offices that can print out sensitive data, etc. Sure, a lot of those are digital connections, too. Yeah, yeah. If you’re printing sensitive information, then make sure you’re turning around and shredding it. And I’ve actually found this in several different ways on engagements: despite the fact that the office is littered with drop boxes for putting your secure shredding into, it’s too much effort to take the 10 steps to go throw it into the bin. Instead, they’ll throw a cardboard box underneath the desk, pile up all of their shredding there, and then bring it over to the locked bin. So if it is some type of a bin store at home, it’s usually easier just to have an onsite crosscut shredder, but if you have to store it up in some type of a bin, then make sure the bin is secure until the point at which you’re ready to go ahead and shred that information. And my personal preference is don’t print anything. If you don’t print anything, then you don’t have anything you’ve got to worry about, if you will, right? That’s a fair point.

What about the home network? That’s something where, with all the different devices that I know I have, with my kids and my wife interacting with the network, how do you make sure that’s well taken care of?

Sure. So first things first: whatever the firewall is for the home network, make sure that firewall is patched and up to date. The home network is an area where not a lot of organizations really think about the ripple impacts of attacks on the organization. So make sure your firewall is all up to date and patched, and that you do that on a regular basis. I know for myself, I’ve gotten in the habit of going through and double-checking: are there any patches I need to apply, etc. And I’ll do that on a weekly basis. That way I just make sure I can keep up to date with everything. The other area is the home wireless network. Make sure that is set up using appropriate encryption, etc. And if you’ve got the capability to do so, I would strongly recommend segmentation on that internal home network, so that you’ve got your zone for, hey, this is my work zone, and then over here is my home zone. Because you don’t have any idea: one of your kids has a friend over, hey, can I have the Wi-Fi password, and boom, they’re dropping their device, which maybe has never been patched or whatever it may be, onto your network. Make sure you’ve got segmentation between the work side of that home network and the family side of it. If you can pull off segmentation, that certainly is a lot better scenario from a security and compliance perspective.

Well, that makes a ton of sense, actually. What should personnel be on the lookout for? 

Well, making sure they’re attending their security awareness training is a big one. Those typical security awareness training sessions are going to show them how to avoid things like email attacks, voice-based phone attacks, text-based attacks. Bar none, in the security arena, the area with the highest level of, I’ll call it volatility in terms of its consistency, is absolutely the human beings. Humans are prone to error, humans are prone to mistakes, etc. Most folks have seen the email, quote, from the boss that says, oh my gosh, I’ve got this emergency and I’m on the road, can you please send me a text message on my cell phone? Because I need assistance with something immediately. And people will just jump; they want to go help the boss, type of thing. Meanwhile, the email is coming from somebody in some foreign country, and they’re laying the groundwork for the employee going outside the confines of the controls and oversight that would be held at work. They’re trying to get them to go to secondary channels. So definitely be aware, and especially when you’re in that home environment, it’s real easy to be lulled into this false sense of security. You’ve got to remember, if I’m sitting on my machine, on my home network, VPNed into the corporate network, hey, if they manage to take control of my machine that’s directly connected to the corporate network, there’s not a big level of difference between that and sitting at work and having gotten had, right?
It’s still a direct connection to the corporate network. So just be on the lookout for those elements.

OK, talk me through some of the other things to avoid. 

Well, storing your work data on personal assets. We talked about that a little bit earlier, about using your work laptop, that type of thing, but make sure you’re not storing work data on your personal assets and your personal machines. The other piece that comes up a lot while I’m doing engagements is personnel that will use their personal online storage location, let’s say a personal OneDrive or something, as an easy place where they can drop-zone stuff. Maybe with the corporate system for the file server or whatever, it’s, oh gosh, I’ve got to connect the VPN and then I’ve got to connect to the file server, and I’m not going to do all of that. Instead, I’m just going to dump my work files into my personal OneDrive, which is, by the way, also conveniently connected to my home machine. That way I can either transfer files that way, or they’ll actually do it from their work-based machine: connect their personal OneDrive to it, not their work OneDrive but their personal one, just so that regardless of which machine they’re on, they can get access to the files they need. Yeah, don’t put it onto your personal arena. And certainly, falling subject to any of those phishing schemes we were talking about earlier, whatever, so-and-so needs to pay a ransom, or any of those.

I’ll tell you what, a quick story. I was literally working for a startup company in San Diego, and the CEO was the type of guy that would just shoot out a request to me or my team. And I got an email that was like, hey, I need you to run to wherever and get me these gift cards, and when you get back, we’ll send them wherever. And I responded and sent one of my guys to get gift cards. Anyhow, it ended up working out the way that it needed to, but it clearly was not from my CEO.

Haha 

Hey! Well, the one thing I’ll typically recommend to folks is, if you get these kinds of requests and whatnot, validate through a secondary and known channel. And that mantra is the same whether it’s, hey, your bank account has gotten breached, please log in here to authenticate yourself and we’ll lock your account up, blah, and meanwhile you’re giving them your banking credentials. So whether it’s that or the whole boss-needs-you-to-fill-in-the-blank, go through a secondary and known channel. I won’t click on the links that come into the email. If the bank is sending me a notification that says, hey, you’ve got some massive problem, well, guess what? If I open up a browser, go to the known bank website, and log in, then if it was that damn important, they’re going to have some type of an alert, right? It’s so super convenient to just click on the link in the email, but I just don’t, period. You do that, you bypass it. The other thing to avoid: a lot of the security awareness training and a lot of the policies and procedures are going to have things in there about not sharing sensitive data, etc., with others, including don’t share your work device with other people at home. If the kids need to go do a project and your main home computer is currently being leveraged by one of them, don’t give your work machine up to go do the research on fill-in-the-blank, because Lord knows where they’re going to go, what they’re going to do, click on, etc. That dramatically increases the chances of issues and problems and things along those lines. You don’t want the family members on the work device.

That’s a good point. Any final tips for the folks out there? Because the work-from-home workforce has increased innumerably in the last three-plus years, and it’s not going back down in the way that folks thought it would. So these things continue to remain extremely relevant.

Sure. Well, some additional elements. This is something that folks unfortunately don’t think about until it’s too late: that machine you’ve got, make sure you’ve got backups of it. I’m going to tell you what, I went through a period, I’m going to call it, with some hardware challenges. I was trying to do some high-end things with my machine, and I was using secondary-market parts and whatnot to do it. And I was just having nonstop problems with it, and my machine just literally kept blowing up. I think I ended up blowing through two, three different laptops in a relatively short period of time, two years or so. And holy moly, is that astronomically painful when that thing goes poof, especially depending on what your role is within the organization. If your day job consists of using primarily SaaS-based applications, et cetera, that’s not the end of the world. But if you’re deep into the compliance arena, if you’re a developer, whatever, you’ve got a bunch of specialized software that was custom configured and everything’s working. I tell you what, it’s a whole lot easier to be able to punch a button and put Humpty Dumpty back together again than it is to have to start from scratch with a fresh OS and somebody says, good luck. You’re going to be dealing with fallout from that for freaking weeks, maybe a month plus. It’s just not worth it. So make sure you’ve got backups of that local machine. That’s going to save you a ton of extra time. The other thing is unnecessary software. Go in and just look at what all you have installed on, let’s say, your machine and your phone. Oftentimes there’s additional software that maybe at one point in the game you leveraged or needed or thought you did, or you’ve never gone through and cleaned it up, especially on your phone with all the apps you can pull and download, et cetera. Go through those.
Clear off whatever you don’t need, because every single piece of software that I eliminate from the machine or from the phone is one less thing I’ve got to patch, one less thing I’ve got to worry about, one less security hole that could possibly get opened up. By removing that software, you’re also closing up those holes, those opportunities for bad things to happen, if you will. When you’re working from home, one of the challenges is that, sure, if you can just sit at home and do everything from there, okay, that’s cool. But a lot of folks have got to travel to a meeting or go meet somebody over here, et cetera. So when you’re on the road, make sure you’re using some type of a company-sponsored or approved hotspot. These days, and it didn’t used to be this case, most cell phones have the capability to hotspot from there. Make sure you’re using that hotspot rather than just connecting to the mom-and-pop coffee shop’s Wi-Fi.

At least the cellular carriers have actually had to make sure the security is pretty good on those hotspot-related connections. So generally speaking, their security is going to be substantively higher than what you’re going to find on the free Wi-Fi you can pick up. It sounds odd, but make sure you’re actually locking your machine. There’s a series of keys or a button you can press, et cetera, that will put the screen saver on. It’s just force of habit. I’ve done it since the dawn of time. Just lock your machine when you walk away from it.

So earlier in my career I used to coach young reps, fresh-out-of-college kids in their first jobs, and one of the things I had to do in order to teach them this, having worked for a large corporate entity for many years before moving into the startup world, is there is a Chrome extension called Caged. Essentially what it is, if you’re not familiar, is just a regular Chrome extension; you can install it and uninstall it as normal. But what it does is that any time there is any sort of a picture at all whatsoever on your machine, it is now replaced with Nicolas Cage. It’s just some picture of Nicolas Cage, not always the same picture, it’s just all over the place. You go and try to Google search something and everything comes up in a Cage. Nothing matters. And to watch young reps learn the value of locking their machine thusly was very, very fun.

I actually had... you reminded me of something. One thing that one of the organizations I was working with would do, they happened to be in the IT and engineering department, is they had a distribution list that would go to everybody within the IT and engineering arena. If you walked away from your machine and left it unlocked, then what the person that found it would do is send an email from that user’s email to the DL for the whole group, and they would just put in the subject line: donuts. If that message went out, then whoever’s device it came from would have to buy donuts that Friday for the office. Yeah, oh yeah. And I’m like, that’s brilliant. So it’s fun when you can get different things in play that will get people to pay attention and take this stuff seriously. It makes it a little more difficult when we’ve got work from home. Now I’ve got to go break into so-and-so’s house to send the donuts email. I’m thinking, no. But anyway, the last thing I was going to say is devices. We’ve talked a lot about storing things in the right spots and making sure you’ve got encryption on your disk, et cetera. But if you think about it, whenever you have a device that turns over, whether it’s a phone, a laptop, an extra hard drive, whatever it may be, as you send those devices off to pasture, make absolutely certain they’re either logically or physically destroyed as you’re doing that. Especially in this world of increased remote connectivity, that’s something you definitely want to go back to your IT crew on, and make sure that’s getting handled properly and appropriately, that you’re appropriately clearing devices.
Because there are a lot of organizations out there where how they end up getting nailed is by either tossing or otherwise losing devices that weren’t encrypted, that weren’t appropriately handled, and thereby exposing sensitive data to third parties. It’s definitely a hot-button topic. So if you know you’re going to be switching something out, and honestly, your work may not even realize. Let’s say there’s nothing stopping me from going and picking up an external hard drive and plugging it into my machine at home, et cetera. Maybe some organizations would pick up on that and be cognizant of it, but I guarantee you there’s a ton that wouldn’t. So you as the home user taking responsibility for that, for its storage and its turnover, it’s partially your responsibility to help protect the company.

I’m always a fan of personal accountability. I appreciate that. That’s the good stuff. 

Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow, and I’m Adam Goslin. Hope we helped get you fired up to make your compliance suck less.
