Security when you're suddenly remote
Imagine a scenario where forces outside of your control have suddenly made it impossible for people to be in close proximity to each other, forcing them to vacate their offices but somehow continue "business as usual." This upheaval of daily life is all to help limit the spread of a virus that is spreading across the globe.
It sounds like the opening scenes to a sci-fi movie, but it's our reality. In late January here in the US, and earlier in many other parts of the world, the global pandemic known as COVID-19 forced authorities to respond by recommending and/or requiring that we all stay at home and avoid non-essential contact with people outside of our households. This, of course, makes it very difficult to maintain a business.
If you're reading this blog, you're probably either already working in IT or adjacent industry, or you're considering it. Most IT workers have the ability to think and work at a keyboard all day, no matter where they're geographically located. Other than a few datacenter roles that require you to be physically onsite, most IT jobs can be done from anywhere in the world. That also goes for most of the support, customer service, billing, and even human resources roles at an organization.
So, in order to avoid shutting down business when the pandemic hit, most companies sent their workers home and asked them to continue work from there until all this blew over. Initially, these work from home timelines were measured in weeks, but several months have passed, and the situation hasn't changed much—it looks like we need to settle in for the long haul.
Working from home for a short time, you might be able to temporarily get away with a less secure environment, but working from home for the long term means it's time to tighten up security and data privacy measures.
There's a slightly different approach to these depending on whether you're working on your own home computer or a loaner laptop from your company. You might assume the laptop is nice and secure, but now you're taking it to an insecure environment—your home—and you might be doing things with it that require a level of privacy and security that your living room might not offer. Not to mention, what if the darn thing breaks? Do you have the know-how to repair it like the hardware guy at your office would?
Endpoint security
If you're on a company-owned machine, it's more than likely managed by your IT department. If you ARE that IT department, you may have a special exception. You likely have things in place meant to monitor for threats like viruses, malware, or in some cases, data exfiltration. You likely won't be allowed to install third-party applications on your machine, nothing that hasn't been blessed by your company policies.
However, if you've been asked to make do with whatever old PC you had sitting around at home, that whole landscape is different, and you're going to have to be very careful of what you're doing. If it's a machine you weren't using prior to the pandemic, I'd suggest you completely wipe it out and install a fresh operating system on it. If you can do so by running a Linux distribution and still use the tools you need for work, I'd highly recommend it, as you'd be starting with a safer base. Linux has a better chance of not being attacked as a desktop because it's just not a common platform. I'm not usually a security-by-obscurity kind of guy, but in a pinch, everything helps.
If you're stuck in a Windows world because of office requirements like Outlook or thick-clients for access to company data…then you'll just have to be more careful. Make sure to keep the system up to date (this applies to Linux or any other OS, honestly), enable Windows Defender at the absolute minimum, and see if your company has any endpoint security apps to help protect you from things like ransomware and other threats.
On the other hand, if your home PC doubles as your family computer, you may want to consider setting up a separate profile that is used ONLY for work purposes. It will help cut down on distractions, for one thing, but it could also serve as a thin barrier of protection between your private life and your work life. I would be hesitant to let your company install any remote monitoring or management software on a home computer that isn't dedicated to work. Though, to be honest, I'd be very surprised if they even asked you to do so. However, if they're willing to let you use things like their corporate anti-virus or endpoint security suite, you might benefit from it. This crosses a fine line, in my opinion, but these are, as they say, unprecedented times, and some gray areas are bound to be trodden.
Secure communications
This advice assumes that you have a steady internet connection, though, in today's world, that might not be the case, as many households have ditched the broadband bill in favor of mobile devices. If that's the case for you, consider asking your company for some sort of compensation for the data cap you're about to obliterate.
Let's not forget that, whether you're on a cellular network or your home DSL, the communication between your machine and your systems, either at the office or in the cloud, might not be secure. Now the transport between you and your office could pass through several Internet Service Providers instead of that nice private network that you had at your desk. To solve this, hopefully, your company provided you with some form of Virtual Private Network to use when you need to interact with sensitive systems back at the office. In today's cloud world, this becomes less important, because many of those sorts of systems are now run on a cloud provider, designed to be secure without requiring a VPN.
User awareness
Finally, but no less importantly, a little bit of end-user security training really goes a long way. If you're a company expecting your users to work remotely, many for the very first time, it might pay you dividends to teach them how to be more secure. Knowing what I know about IT security helps me put that at the front of my brain when I'm interacting with my employer's data because I know that it could be valuable to competitors. I'm not suggesting that your workers need to be OSCP certified, but a little bit of training on what a phish looks like, how to be good data stewards, and what makes privacy important, could really help them reframe how they think about working with sensitive data.
Stay safe out there
This a trying time for everyone. The restrictions being placed on all of us are a strange combination of comforting, scary, and utterly frustrating. Just remember that this is temporary, and we're all following these guidelines for the good of everyone around us. Stay safe, and try to remember that the measures we're being asked to take are not methods meant to control us, but methods meant to help limit the spread of a possibly deadly virus.
[ Want to learn more about security? Check out the IT security and compliance checklist. ]
Nathan Lager
Nate is a Technical Account Manager with Red Hat and an experienced sysadmin with 20 years in the industry. He first encountered Linux (Red Hat 5.0) as a teenager, after deciding that software licensing was too expensive for a kid with no income, in the late 90’s. Since then he’s run More about me