The home workplace has become part of the digital working environment and thus unintentionally a weak spot within the corporate network. Malicious parties exploit these weaknesses to enter companies’ networks via the home environment. What can you do about this as an employer?
Privacy legislation
With regard to the employee’s home environment, as an employer you have to deal with privacy legislation and you are quickly treading on thin ice. What requirements and manners are you, as an employer, allowed and not allowed to impose on the equipment at employees’ homes? Facilitating a company laptop and other resources needed for a home-based workplace is not a problem, it only becomes sensitive when it comes to (wifi) routers and modems that are also used by family members. But how do you then ensure that hackers do not gain free access to company-sensitive data and systems via a home-based worker?
Hackers focus on home-based workers
In many cases, the flexibility of cloud and SD-WAN offers the solution. But even these techniques use VPNs over the unsafe public internet, and that is a major security risk! Hackers have shifted their focus to the at-home user. Quite understandably, as this is currently the easiest entry point to a corporate network. In general, households do not keep software, also called firmware, of their (Wi-Fi) routers and modems up-to-date. If it can be kept up-to-date at all, because in the consumer market, continuing to update firmware is not a requirement and therefore not common. In addition, updating firmware also requires technical knowledge. Why is keeping firmware up-to-date so important?
One of the main reasons to keep firmware up-to-date are bugs, which are errors that give hackers access to the system. An updated firmware includes bug fixes which close the “back doors” that unwanted guests could use to enter the system. Research shows that employees use their devices, which are made available for business, for private matters as well, now that we are required to work from home. The risk of successful phishing and installation of malware is therefore many times higher. Hackers don’t only have relatively easy access to data and traffic flows, but also to the VPN encryption keys used. And with that, the doors are open and hackers have free access to corporate data. Striking fact: according to the FBI, more money is currently involved in cybercrime than in the global organised drug trade.
Opening up networks
One solution is to establish a direct connection from the company network to employees’ home networks, without having to use the public internet. It is technically possible, and by far most households do not need to lay new cables in the ground to do so. What would need to be done for that? Parties like BT, VirginMedia, T-Mobile, VodafoneZiggo and DELTA Fiber Netherlands would have to open up their consumer networks. Now those networks are only used for television, internet and telephony, but there is more than enough capacity available to securely make the corporate network available to home workers. However, this is not going to happen over night, if it will happen at all. VodafoneZiggo and KPN, among others, got their way through the highest court last March (2020); the ACM decision that they should open up their networks to other telecom providers was overturned. This means that opening up these networks will not be an option for the time being.
The new internet
Another solution, which is being worked on behind the scenes, is a new internet where the dangers of the current internet can be avoided. Worldwide, there are numerous initiatives. In particular, the developers and companies that created the current internet are exploring new techniques out of dissatisfaction. One of the initiatives looking for a more secure internet, and in which NDIX is involved, is 2STiC (Security, Stability and Transparency in inter-network Communication). Ultimately, the various initiatives must reach consensus on this new internet, something that is not expected to happen any time soon. Meanwhile, China is making a serious attempt with the ‘NEW IP’ draft they submitted to the ITU in September 2019. According to many, the ITU is not the right body to determine whether the Chinese draft should be the basis for the new internet. The ITU is a politically driven organisation and not an independent research body like, say, the Internet Engineering Taskforce (IETF), which would normally handle these kinds of new standards. It is therefore likely that there is a political motivation behind this initiative. The Chinese design includes a fully controllable and steerable solution with an emergency button for governments. What else does the Chinese design include?
With, as the Chinese call it, the ‘shut up’ command, certain addresses can be shut down from the network. In doing so, the user must be authenticated before using this internet. This allows governments to monitor the behaviour per user and even shut users off from this internet. Whether the Chinese proposal for the new internet will make it depends on how many countries support and implement the design. From my western perspective, I do not expect this design to gain global consensus… but who knows?
Focus on awareness
Waiting for ‘the new internet’ is not going to solve safe at-home working in the short term. We will have to make ourselves more resilient to the dangers of the internet until then. The advice: start improving awareness of the dangers among employees. It is noticeable that cybercrime is making a lot of money, as phishing attempts are becoming more and more professional. Gone are the days of receiving emails with a shadowy sentence structure and also signed by the managing director. Many employees will feel that they are aware of these dangers, but the fact that more money is made from cybercrime than in organised drug trafficking indicates that this is somewhat of a let-down. Besides employee awareness, keeping VPN hardware and VPN software up-to-date is very important. The frequency of reports around the world that bugs have been found at a VPN vendor is increasing by the month. Unfortunately, this makes it evident that VPN hardware and software vendors are always playing catch-up. And if a bug is found you are already too late and can only act reactively. Therefore, keep the number of VPN connections to a minimum and ensure as many private and Internet-less connections as possible. The aim should be to avoid the current public internet as much as possible in business operations.
Secure connections with NDIX
NDIX can help by providing private internetless connections to business locations, data centres, partner companies and other hubs you want to securely connect to the corporate network. It is even possible in more and more situations to connect at-home workers’ addresses to the company network via NDIX!
Do you have any questions about this article and do you want to discuss them with writer Dylan van Dijk? You can contact him via d.vandijk@ndix.net.
