Working From Home

Next Article

Working Remotely

Setting up and maintaining

A SECURE HOME IT INFRASTRUCTURE

The dos and don’ts of setting up a secure home IT infrastructure. Itumeleng Mogaki speaks to Shaun Gordon, chief security officer, Duxbury Networking.

Before the pandemic, only a fraction of the workforce was working from home, and usually only occasionally. With remote working being the new normal, an increasing number of people have had to set up secure home infrastructures to operate from.

According to Gartner, some 54% of HR leaders in a snap poll indicated that poor technology and/or infrastructure for remote working is the biggest barrier to effective remote working.

The requirements of setting up remotework IT infrastructure with end-user computing and dispelling cyberthreats can be a daunting task for the average (non-technical) home user.

The first thing you need is a stable internet connection with a decent quality router and an effective firewall at the office, within which to run a virtual private network (VPN) in full tunnel mode. That is, of course, in an ideal world.

With that said and depending on your budget, there are many affordable firewalls such as the Sophos XG87/107, which are ideal for a much smaller environment. Sophos also offers free home XG firewall, but it does require one to have a spare computer to convert into a firewall.

It’s important to mention that prior to finalising working-from-home conditions, at this point, your company should have made sure that there is an acceptable use policy (AUP), which all employees working at home must sign. This should clearly outline the acceptable use of company equipment, such as laptops, desktops and other mobile devices.

Next, you will need a decent anti-virus or malware. There are several free options out there but – as the old saying goes – you get what you pay for. Therefore, it is important to note that one of the dangers of working remotely via VPN is that whatever affects the home user’s computer has the potential to infiltrate the company’s network. In other words, a decent anti-virus/malware should be nonnegotiable at this point.

The protection of intellectual property against cyberthreats is highly dependent on your company’s budget, user awareness training and implementation.

For example, Duxbury Networking’s own work from home information protection policy includes installing dual Sophos XG310s running in a cluster. So should one fail, the other immediately takes over with various local area network (LAN) to wide area network (WAN) policies designed to limit access to questionable websites.

All internal computers are connected remotely and run the Sophos Intercept X anti-malware. That is to ensure all company equipment is encrypted, safe from malware, and is able connect to company resources, regardless of geographic location.

Threats closer to home The biggest threat any information security (infosec) engineer needs to look out for is not some mysterious hacker sitting in a basement somewhere, but is much closer to home in the form of the end-user.

Many companies unfortunately do not allocate sufficient resources to end-user awareness training, which makes every employee within a company a potential attack vector.

Employees who are not trained for what to look out for can very easily become victims of phishing attempts, social engineering and various other ploys designed to compromise their computers. And, should they be compromised, the company’s network integrity as a whole may be too.

Even if you have the most advanced security system in place, humans unfortunately tend to be easily fooled. It is like having a house that has burglar bars, dogs, IP cameras, electric fencing, armed response, a moat, etc. but then a child that has never been taught the concept of ‘stranger danger’ simply opens the door for a would-be burglar. End-user awareness training is key because potential hackers know that they are the easiest to bypass.

In- or outsourcing? So, should you install your own security IT infrastructure or hire managed services? For anyone willing to learn and try to figure out something themselves, the former is always a good thing – but only if you are confident that you know what you are doing.

With that said, in the realm of infosec, engineers and architects are trained to think as hackers and would, in fact, carry the certified ethical hackers (CEH) certification. They will always know to look for each vector that could potentially bring the whole house of cards down.

A DIY approach from an untrained professional would pose a similar risk to your data as would a plumber trying to perform open heart surgery. One just wouldn't know what to look for and anything overlooked can spell disaster.

Shaun Gordon is the chief security officer of Duxbury Networking and the head security architect for Johannesburg and Durban. He has over a decade of experience in cybersecurity, risk mitigation and technical training.