Working from home is not a new reality but the extent to which it became the “norm” for many companies in 2020 has been a drastic shift. Many companies large and small woke up in mid-March to the reality that their workforce would not be allowed to go into the office until some undefined point in the future.
Images of cleaning crews in hazmat suits walking through rows of cubicles shocked us. Companies like Dwolla, who were already largely cloud-based and rely more on information than physical “things” had an easier time than others, but still had to adjust. A big shout out to those who put themselves at risk in critical infrastructure sectors like healthcare, energy, water, telecommunications and public safety—we owe you one (to say the very least).
While we are hoping for an end to the current public health crisis soon, we understand the reality is that expectations around time spent in-office versus working remotely might never be the same. A question that has come up a lot is how to ensure employees working fully remote are able to maintain the same level of security as they did when working in an office.
Dwolla has modified a number of our fleet management and security assessment processes to ensure we can continue to meet our obligations and keep our risk level within tolerance. This has been greatly helped by our awesome workforce who have been proactive about doing their part.
We wanted to share some of the other things we have encouraged our employees to do, or that we have done on their behalf, during this exceptional time.
Let’s Talk About VPNs
We are bordering on a post-VPN world. This is not really news, as zero-trust concepts have been common for at least several years (NIST standards aren’t written overnight; its Zero Trust Architecture, SP 800-207, was finalized in August 2020).
Some companies have already largely or fully made the switch from network-level to application-level access controls. TLS-based VPNs have long blurred the line between a VPN and ordinary HTTPS: both authenticate the endpoints and encrypt the traffic, the difference being whether the tunnel carries arbitrary IP traffic or a single application’s requests. However, not every application is easy to fit into such an architecture, so a need for VPNs often remains.
Why does this matter more for a WFH workforce? Many of the cyber threats we worry about depend on an attacker, or software the attacker directs or deploys, gaining a foothold on the same local network (wired or wireless) as a trusted device. From there the classic moves are ARP or DNS spoofing to sit in the middle of traffic, handing out rogue DHCP settings, or directly probing any service the laptop exposes to its neighbors.
What devices do you have on your home network? How confident are you in their security (see next point)?
Just as many companies adopt a “contested territory” mindset for their corporate networks, we must assume that at least some individuals’ home networks have been or will become compromised. A properly configured VPN wraps a cozy security blanket around all the traffic leaving the corporate system and hides it from anything or anyone else lurking on the local network. “Properly configured” matters: a full-tunnel VPN sends every packet through the tunnel, whereas split tunneling sends only corporate destinations through it and leaves everything else, often including DNS lookups, exposed to the home network.
Even for applications that don’t require a VPN to access, we encourage all our employees working outside the office to default to being on-VPN.
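A quick way to check whether “on-VPN” actually means “all traffic through the tunnel” is to look at the routing table, since the kernel, not the VPN client’s marketing, decides where each packet goes. The following is an added example, not code from the original post or from Dwolla: it parses a Linux-style `ip route show` table and answers, per destination, which interface would carry the traffic (longest matching prefix wins, then lowest metric), then lists the prefixes that bypass the tunnel. The sample routing table is constructed, and the interface names (tun0, wlan0) and tunnel-name prefixes are assumptions.

```python
"""Is my traffic really going through the VPN? (added example, not from the post)

Parses Linux `ip route show` output and performs the same selection the
kernel does: longest matching prefix, ties broken by lowest metric. Any
non-local prefix that resolves to a non-tunnel interface is split tunnelling,
and that traffic is visible to whatever else shares the home network.
"""
import ipaddress

# Constructed `ip route show` output: the VPN's default route on tun0, the
# home Wi-Fi default route left in place with a worse metric, the two
# directly connected links, and one host route that deliberately sends the
# VPN server's own address straight out via Wi-Fi (the usual exception).
SAMPLE_ROUTES = """\
default via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.7 via 192.168.1.1 dev wlan0
"""

# Interface-name prefixes that denote tunnels on common platforms (assumption).
TUNNEL_PREFIXES = ("tun", "tap", "wg", "utun", "ppp", "ipsec")


def parse_routes(text):
    """Turn `ip route` lines into (network, device, metric, is_link) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        network = ipaddress.ip_network(dest, strict=False)
        device = parts[parts.index("dev") + 1] if "dev" in parts else None
        metric = int(parts[parts.index("metric") + 1]) if "metric" in parts else 0
        is_link = "scope" in parts and parts[parts.index("scope") + 1] == "link"
        routes.append((network, device, metric, is_link))
    return routes


def egress_interface(routes, destination):
    """Kernel-style route selection: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    _network, device, _metric, _link = max(
        matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return device


def is_tunnelled(routes, destination):
    """True if packets to `destination` would leave via a tunnel interface."""
    device = egress_interface(routes, destination)
    return device is not None and device.startswith(TUNNEL_PREFIXES)


def non_tunnelled_prefixes(routes):
    """Prefixes routed around the tunnel, ignoring default routes and the
    directly connected links (you cannot tunnel to your own gateway).
    Routes shadowed by a better-ranked one are not reported."""
    leaks = []
    for network, device, _metric, is_link in routes:
        if device is None or is_link or network.prefixlen == 0:
            continue
        if egress_interface(routes, str(network.network_address)) == device \
                and not device.startswith(TUNNEL_PREFIXES):
            leaks.append(str(network))
    return leaks


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for dst in ("8.8.8.8", "203.0.113.7", "192.168.1.50"):
        print(f"{dst:>15} -> {egress_interface(table, dst)}"
              f"  tunnelled={is_tunnelled(table, dst)}")
    print("bypassing the tunnel:", non_tunnelled_prefixes(table))
```

On the constructed table, general internet traffic (8.8.8.8) resolves to tun0, the local LAN stays on wlan0 as it must, and the one host route to 203.0.113.7 is flagged as leaving outside the tunnel. On a real laptop, run `ip route show` (Linux) and feed the output to `parse_routes`; macOS and Windows print their tables in a different format and would need their own parser.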
Keep Personal Equipment Updated, If Possible
Quick experiment: count how many devices you own that contain a processor or hold an active connection to the internet. Every one of them can be compromised just as your laptop can, and most of them receive far less attention.
In the days of internet-connected refrigerators, bathroom scales, toasters, toothbrushes and yes, even forks, it can be incredibly hard to assess the risk from all the “things” on your home network. Making this worse, vendors are typically not good about making updates available to address security issues. Even when they do, many push responsibility onto consumers to notice and apply those updates themselves.
When’s the last time you updated the firmware on your thermostat, or more to the point—your wireless router?
When these devices are left with open security issues, they can be conscripted as unwitting drones in massive global botnets; Mirai, which in 2016 hijacked hundreds of thousands of cameras and routers simply by logging in with factory-default credentials, is the textbook case. That aside, most home networks are not segmented, so your trusted work device might be sharing the airwaves with some very hostile companions.
Make a concerted effort to be cognizant of the devices you connect to your home network, put smart devices on the “Guest Network” if your router offers one (it isolates them from the network your work laptop uses), and jump on that VPN!
Holding High Standards for Personal Accounts
In the workplace, you almost certainly have to conform to standards around things like password complexity, multi-factor authentication, not sharing your passwords and, at many employers, password expiration (current NIST guidance in SP 800-63B actually discourages forced periodic rotation in favor of long, unique passwords that are changed when compromise is suspected). Those standards are there for a reason and can be valuable in your personal life as well!
If your WiFi password is along the lines of “wireless” (you do, of course, have a WiFi password?) or your router is more than a few years old, there is a decent chance it could be abused by a neighbor or passerby: a single captured handshake lets an attacker guess passphrases offline at their leisure. Likewise, while you should maintain separation between your personal and professional accounts (see below), keeping your personal accounts secure prevents you from becoming a victim in your personal life, which could easily bleed over into your professional life.
Making use of a trusted password manager tool to help you generate, store and auto-fill strong passwords along with making use of multi-factor authentication anywhere it’s available will keep your defenses up across the board.
Ensuring your router is configured with WPA2 (AES/CCMP, not TKIP or WEP) or WPA3 and a strong, unique WiFi password will keep your network yours. While you are in the admin console, change the router’s default administrative password, turn off WPS (its PIN mode can be brute-forced in hours) and install the latest firmware.
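To make concrete why a passphrase like “wireless” is a neighbor’s problem to solve rather than a barrier, here is an added example, not code from the original post or from Dwolla. WPA2-Personal derives the 256-bit pairwise master key (PMK) from the passphrase and the network name with PBKDF2-HMAC-SHA1 at 4096 iterations; once an attacker has sniffed one 4-way handshake, each guess can be checked offline, so the passphrase’s guessability is the entire defence. To stay self-contained the demo verifies guesses against the PMK itself rather than recomputing the handshake MIC; the PBKDF2 step, which is where all the cost lives, is identical. The SSID, the passphrases and the word list are constructed; the derivation is checked against the published IEEE 802.11i test vector.

```python
"""Offline guessing against a WPA2-Personal passphrase (added example).

PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), exactly
as wpa_supplicant, hostapd, aircrack-ng and hashcat compute it. A captured
handshake lets the attacker verify each candidate PMK offline; here we
compare candidates to the PMK directly to avoid re-implementing the MIC.
"""
import hashlib
import secrets

WPA2_PBKDF2_ITERATIONS = 4096
PMK_LENGTH = 32  # 256-bit pairwise master key

# Published interoperability vector from IEEE 802.11i Annex H:
# passphrase "password" on SSID "IEEE".
KNOWN_VECTOR_PMK = bytes.fromhex(
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def derive_pmk(passphrase, ssid):
    """PMK derivation used by WPA/WPA2-PSK."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        WPA2_PBKDF2_ITERATIONS, PMK_LENGTH)


def known_vector_ok():
    """Sanity check of the derivation against the IEEE test vector."""
    return derive_pmk("password", "IEEE") == KNOWN_VECTOR_PMK


def dictionary_attack(target_pmk, ssid, wordlist):
    """Return (passphrase, guesses) once a candidate reproduces the PMK, or
    (None, guesses) when the list is exhausted. Candidates outside the
    8..63 length rule are skipped without spending a hash on them."""
    guesses = 0
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:
            continue
        guesses += 1
        if derive_pmk(candidate, ssid) == target_pmk:
            return candidate, guesses
    return None, guesses


# Constructed word list: the kind of entries that top any leaked-password dump.
COMMON_WORDS = ["password", "12345678", "qwerty", "internet", "wireless",
                "letmein1", "iloveyou", "admin123"]


def demo(ssid="HomeWiFi"):
    """Weak passphrase falls in a handful of guesses; a random one does not."""
    weak_pmk = derive_pmk("wireless", ssid)
    strong_passphrase = secrets.token_urlsafe(24)  # 32 chars, 192 bits of entropy
    strong_pmk = derive_pmk(strong_passphrase, ssid)
    return {
        "weak": dictionary_attack(weak_pmk, ssid, COMMON_WORDS),
        "strong": dictionary_attack(strong_pmk, ssid, COMMON_WORDS),
    }


if __name__ == "__main__":
    print("derivation matches IEEE vector:", known_vector_ok())
    for label, result in demo().items():
        print(f"{label}: recovered={result[0]!r} after {result[1]} guesses")
```

4096 iterations of HMAC-SHA1 sounds like a lot, but a single consumer GPU running hashcat tests hundreds of thousands of candidates per second, so a word-list passphrase survives seconds, not days. The SSID is the salt, which is why a default SSID such as the router model name makes precomputed tables practical; a unique SSID plus a long random passphrase (a password manager will generate one) defeats both shortcuts.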
Maintaining Some Separation
Keeping your personal and professional accounts separate is a good idea for a lot of reasons. You don’t want your personal account to become involved in company legal matters and you don’t want your personal correspondence or documents residing in an account that is the property of your company.
In the modern workplace, many of the lines between personal and professional can become blurry, but this is one worth keeping crisp.
This also lets your company help protect you from becoming part of a security incident, by managing and monitoring your corporate device. When you work from a personal device instead, you take on the personal risk of dealing with the fallout from an issue that the company’s controls could have prevented.
Security at the Edge
When it comes to company devices, Dwolla is constantly evolving our strategy to ensure we can deploy the best tools and processes for keeping tabs on our current security profile and ensuring these devices meet our standards at all times.
More “traditional” IT and InfoSec paradigms focused heavily on monitoring network activity, on the principle that you can’t trust a compromised machine to tell you it’s compromised. In a fully-WFH model the network is the employee’s living room, and that kind of monitoring is simply not possible. An endpoint-focused control and monitoring paradigm, combined with defense in depth anywhere sensitive data resides, is required. This relies on clear expectations being set about how much (or when) employees should be on the VPN, as well as on classes of tools, such as endpoint agents that report directly to a cloud console, that don’t have a VPN dependency.
Dwolla has implemented a blended strategy in this area, helped by the quick movement of many companies to offer features or products to assist with just this challenge.
Friends Don’t Let Friends Kill Trees
You, yes you, the one with the stack of printed sensitive information on your desk. Could you have done that electronically? While there are definitely still use cases for printed material (speaking as someone who spends a fair amount of time reading research papers), there are a multitude of safe tools available to view, share, annotate, tick & tie, slice & dice, sign and protect electronic documents.
Did you know that macOS’s built-in Preview application will let you annotate and sign PDFs, for example? Our advice to our employees on this topic is simple: don’t print sensitive information, especially at home!
The Human Detection Network
Much like the dependence on individual laptops to feed information to us for monitoring purposes, each and every employee is a critical sensor in our strategy. We have tools to catch known threats and prevent the types of threats that we’re aware of. But we humans carry a massively-parallel pattern-recognizing supercomputer around in our skulls and that is (for many reasons) the most valuable asset any company has.
It’s fitting to post this during National Cybersecurity Awareness Month. The best person to know if your system or account might have been compromised is you.
You know what “normal” looks like and if you get a nagging feeling that something is off, listen to it! We counsel our employees regularly on the importance of being on the lookout for phishing emails, malware or any indication of other security issues and to bring them to our attention immediately. If you see something, say something!
If you’re not a part of our employee community and think you’ve found a security issue, you can still contact us at security at dwolla dot com (our PGP key is here: https://keybase.io/dwollasecurity).
If your issue is found to be valid, we’ll invite you to our private Bug Bounty program.