Blurred lines: How your employees’ home WiFi connection could be putting your data at risk
With society on a rollercoaster ride of lockdowns and social restrictions, working from home has become commonplace. But while most people have adapted to this new normal, corporate cybersecurity seems to be stuck in the pre-pandemic past – and cybercriminals are taking advantage.
With just over 40% of employees working remotely at least one day per week at the start of 2021, home networks are increasingly being used for professional purposes. It’s a societal shift that has significantly widened the attack surface for cybercriminals, and increased the risk of sensitive data falling into the wrong hands, as home WiFi networks tend to be a much easier target for hackers than the typical business network.
That’s because home networks are less likely to be secured behind firewalls than office networks, and are often reliant on consumer-grade modems and routers that come with obvious security vulnerabilities. Worse yet, these routers are likely to be shared with private devices and consoles.
Cryptoloc founder Jamie Wilson says that in the unavoidable rush to embrace working from home, businesses have been forced to live with these weaknesses, contributing to a recent spate of ransomware attacks.
“The boom in remote working caused by COVID-19 has dramatically increased IT vulnerability, especially for businesses that haven’t tracked which of their devices are being used by their employees on home networks,” Jamie says.
“In reality, they have lost control of the security of their WiFi connections. With employees operating across different networks in multiple locations, using the same devices for work and personal purposes without the benefit of their organisation’s security perimeter, the attack opportunities for cybercriminals grows exponentially.”
Fortunately, there are a number of things your employees can do to make their home internet connection more secure.
How to harden a home WiFi connection
Change router passwords
A router creates a network for devices, and has its own password. If a cybercriminal is able to gain access to a WFH employee’s router, it’s only a matter of time until they can gain access to your business’ data.
Many routers ship with a default username and password, and because these passwords are often publicly available online, a cybercriminal can gain access to a router by simply working their way through a list of makes and models. It’s imperative, then, that employees change the password to something that will be difficult to guess.
Router settings can usually be accessed by typing ‘192.168.0.1’ or ‘192.168.1.1’ into a browser. As well as changing the password, the SSID – the name of the wireless network – can also be changed, to make it more difficult for cybercriminals to identify. This probably goes without saying, but names, home addresses, and anything that could be used to identify your employee or your business should be avoided when resetting the SSID.
While most people know to regularly update devices like laptops and phones to get the latest security patches, routers are often overlooked. But exactly the same principle applies, and new firmware for routers needs to be updated regularly to address and close off security vulnerabilities before cybercriminals can exploit them.
To make sure they’ve got the latest firmware installed, employees can log in to their router settings and check for updates. Some routers even have a button that can be pressed to automatically check if a more recent update is available.
Disable remote management
The remote management feature on a modem or router is intended to make it easier to access its settings from a remote location. Since most employees will never need to use this feature, and leaving it on makes it easier for cybercriminals to gain access to your network, it’s a good idea to disable this function and prevent outsiders from being able to tamper with it.
Enable ‘guest’ networks
If visitors need access to your employees’ home network, they should enable the ‘guest’ WiFi feature. This way, they won’t need to share their real WiFi password, and the guest user won’t be able to access the rest of their network or change their WiFi settings.
Similarly, if your employees’ WiFi access point enables them to create multiple networks, then they should be encouraged to put their private devices on a separate network to the one they use for work – so that even if one of those personal devices is hacked, the work device will remain secure.
Employees can also limit their network access to specific MAC (Media Access Control) addresses. To identify a MAC address, just open a Command Prompt and enter ‘ipconfig/all’. The addresses of the desired devices can then be added to the router settings, and only those verified devices will be able to connect to the WiFi.
Utilise firewalls and VPNs
Most companies have firewalls in place to protect their office network, but the same can’t be said for home networks. If it’s practical – and particularly if a WFH employee is going to have access to a significant amount of sensitive data – you could consider installing firewalls to protect your employees’ home WiFi systems.
Similarly, if you have a secure corporate VPN (Virtual Private Network) that you use to connect devices to your network and authenticate information before it’s allowed through your firewall, make sure you specify that employees use this VPN on any devices that they use for work.
Encrypt, encrypt, encrypt
Most routers will come with an encryption protocol that employees can enable. If the router was made after 2006, it’ll likely be WPA2, which is still the strongest encryption protocol a router can provide. (If your employees are using routers from before 2006, they should probably strongly consider replacing them, anyway.)
Encryption is important because it protects your data when the other protections you have in place fail, so that even if an attacker gets into your network, the data they find there will be of no value to them without an encryption key.
Unfortunately, the built-in WPA2 protocol is relatively easy for a skilled hacker to exploit – so to ensure your data is truly secure, you should use Cryptoloc’s ISO-certified encryption technology.
Cryptoloc’s patented technology combines three different encryption algorithms into one unique multilayer process, ensuring that businesses and their customers can interact securely, with each piece of data assigned its own separate audit trail, and every user and action verified and accounted for.
Cryptoloc’s technology also encrypts data while it’s in transit between networks, so your business can continue to flow smoothly and safely, no matter how many of your employees are working remotely on home WiFi systems.
Beware of public networks
Working from home is one thing. But if your employees are using the free WiFi at a coffee shop, library or any other public place, that adds a whole extra layer of risk.
These networks often require no password, and if your employee sets their device to remember the network, it will then automatically join any other network with the same name that isn’t password-protected. A hacker can easily set up a rogue network with an identical name, and use it to access your employees’ device.
Of course, even that level of subterfuge may not be required – a cybercriminal could simply set up a free WiFi network with any legitimate-sounding name and use it to steal valuable information.
Make sure your employees know not to let their devices automatically connect to free hotspots, or to remember networks their devices have joined. You should also make sure they have file sharing turned off, so their files can’t be accessed by other people on the same network.
As a general rule, it’s best to avoid using public WiFi for work purposes altogether – no matter how tempting it is to take advantage of a freebie.
Ultimately, securing your network while employees are working remotely will require a level of trust in your people to do the right thing.
“Organisations need to ensure that all of their employees are aware of the importance of timely patching, and regularly briefed on the latest techniques being utilised by cybercriminals,” Jamie Wilson says.
“It’s every organisation’s responsibility to engage their employees with that training – because while it may seem time-consuming, it’s vastly preferable to the alternative.”