Technology, security, and privacy in a Work From Home (WFH) environment
Will Work From Home (WFH) be an Alternative Asset Management Firm’ new norm?
Firstly, let me address the question that comes to mind after reading the title, this isn’t just another article about how COVID-19 has affected us………now keep reading.
I’m not writing this article to express my opinion about whether WFH is good or bad, although, if you are interested, I’m all for WFH, if it can truly be done in a safe, cost effective, and secure manner. I am writing this article to provide facts about technology, security, and privacy in a WFH environment.
Firms are probably contemplating terminating a lease (or at least downsizing), saving on rent and facilities, reducing the need to travel, letting everyone wake up to start work in their pajamas, and dealing with their own decisions on what they will have for breakfast, lunch, and dinner. They’re also thinking about the benefit of saving on technology and security costs. While it is certainly important to consider all these things if WFH is being considered, I’m only focusing on technology, security and privacy in this article.
I’ll start with technology…..
Many people have been working from home for almost two months now. The IT teams have done a good job at getting everyone set up on company issued, or personal devices that are used to access corporate resources.
This is great, but what else do people need, or want, to make it even easier? Maybe an extra monitor, a printer will be useful at times, a headset so they don’t have to hold the phone to their ear all the time, a faster internet connection, or better yet, the soft gel pad that goes under the chair so rolling around is easier and less harmful to the floor.
Do you see where I am going with this? In a WFH environment, users probably want all the traditional things they had at the office to make it easier to WFH. Is this achievable? Absolutely it is, but at what cost? Since working from home today is more of a temporary situation, users don’t think about the costs associated with turning on a laptop, making calls from cell phones (or land lines), figuring out if the bandwidth is enough, etc. What will happen if users are permanently encouraged or forced to work from home? What will the firm be responsible for providing/paying for?
If a firm is strongly considering a WFH model, they should determine if they are prepared to pay for:
- The internet connection, possibly a second one if a user needs redundancy. Maybe those connections will have to be upgraded to business class instead of residential.
- The lines used to make phone calls, whether it’s ringdowns (if people are still using those) digital, cellular or analog.
- Phones, headsets, turrets, etc.
- Firewalls, wireless, routers, switches, repeaters, etc. (if users want to work outdoors and have large properties, an enterprise wireless system may be needed)
- The television service so users can keep up with the latest news.
- Battery back-up systems or generators, if uptime is important (e.g. the trader’s computer can’t lose power during the day).
- Computers, monitors, keyboards, webcams, etc.
- Mobile devices, tablets, etc.
- Printers, fax machines, copiers, shredders, etc.
- Paper, toner, staplers, pens, pencils, etc.
- Tables, desks, chairs, lamps, lightbulbs, etc.
- Utility bills and food.
- Spare parts for the super critical users.
There’s probably more that can be added to this list, however, all I am trying to do is make a point. Where does it stop? Can users be so demanding, and do they have the right to ask for these things if they are being asked to work from home? Can an actual per person cost be determined? These are the questions that a business should find answers for if WFH is being considered. But the considerations don’t stop there. I didn’t touch on the security and privacy concerns yet.
Let’s start with a hypothetical. There is a hedge fund that has one office in Manhattan with 20 employees. They are in a 50 story building, on the 34th floor, have guards on the lower level, 2 points of entry and exit, a receptionist, a central location to print and scan, conference rooms to collaborate in, computers that are plugged into outlets that are on circuits protected by generator power, redundant internet connections protected by redundant firewalls, other layers of security to keep bad people out, and on-prem technology support, or a consultant that is close by to help them when they are in need.
Take those 20 people and tell them all to WFH. Now there are 20 home offices spread across (possibly) various states, in different neighborhoods, with different points of entry and exits, probably no security guards (unless there are some well-trained protective pets), a living room, bed and dining room that serve as an office and/or conference room, a self-managed internet connection with a Wi-Fi router configured with a password my 6 year old daughter can guess, or one that my 10 year old son can easily hack (yes, he takes after his dad).
This becomes 20 locations that are ripe for the picking. WFH presents many security and privacy challenges that need to be thought about. I’m an ethical (emphasis on ethical) hacker (too), so I’m going to give you my perspective starting with the risks on the outside of the home and then the inside.
Some external risks:
- Everyone in the home is a target for social engineering attacks, not just the user. Technically this doesn’t just apply to WFH situations, but it increases if someone knows that a company has adopted a WFH model, and they are being targeted.
- The trash becomes treasure, especially documents that haven’t been shredded.
- Eavesdropping on conference calls can occur because users are doing them outdoors, or by an open window.
- The perimeter of the home is not well-protected and can easily be broken in to. Computers and business data can be stolen.
- It may sound silly, but drones with high definition cameras can be used to zoom in on monitors that have sensitive information on them.
- Wireless attacks, such as spoofing, or jamming can be performed with high-gain antennas (can be done from a distance while sitting in a car). Drones can also be used to do this.
- Breaking into cars that may have laptops or sensitive data inside of them.
Some internal risks:
- A basic internet router with no additional protection.
- A mis-configured router or switch that is exposed to the internet.
- Unpatched IOT devices that can be exploited.
- Weak or no wireless protection.
- Sensitive documents tossed around the house.
- No shredder (crosscut) to make sure sensitive documents are destroyed properly.
- Computers that are left on that anyone can walk up to and access.
- Unencrypted devices.
- Corporate and personal devices on the same network.
- Land lines that can be tapped from the outside of the home.
- No alarm system to protect against attempted burglaries.
- No web filtering.
- No privacy screens.
- Sensitive calls/discussions that other people can hear (e.g. A user’s child is on a Google meet with their friend, and that child’s parent or someone in that home can hear what the user is saying.)
- Webcams that haven’t been disabled or unplugged (e.g. block the video or disable the audio, never know who’s watching, or listening.)
I’ve only listed a few of the very many risks that exists. Who now becomes responsible for securing the home offices? Will the business need to pick up the costs of protecting the home, and where does that stop? Is a camera and alarm system good enough, or should there be a 24×7 security detail patrolling the home?
As you can see, there are many things that need to be considered before making the decision to WFH. Wait, I didn’t touch on incident response and how that would work if a user is a victim of a breach, while working from home. I’ll save this for another article.
Technology, security, and privacy will possibly be taken for granted because many think it’s easy to address, especially since they have all been working fine for the last two months. But the reality is, it’s a monster of a problem that needs to be dissected to uncover the risk it presents, the cost, etc.
My last comment before I let you go, opinions are great, but the facts help people make more informed decisions. I hope the things I left you and your firm to think about are helpful. If you want to discuss it further, feel free to reach out
Just some quick background on myself. My name is Anand Mohabir, founder of Elteni, a cybersecurity and consulting firm. I’ve spent twenty plus years working for buy and sell side firms, 6 of which were spent in consulting. I am a technology, cybersecurity, and ethical hacking expert that has seen and done many things. I built, designed and deployed highly secure and complex infrastructure solutions across various US Exchanges, (NYSE, AMEX, NYMEX, CBOE, PHLX, etc.,) and have worked for several alternative asset management firms managing various aspects of technology, security and compliance. I’ve spent my time becoming an expert in what I do, so you don’t have to. If you are interested in learning more about us or working with us, feel free to reach out. We’re here to help.
Thanks, and stay safe.
Anand Mohabir, CISSP, CISM, OSCP, CREST-CRT, CEH
Founder & CEO