VPNs and Work From Home: Security under scrutiny in times of COVID-19

VPNs secures communication between company servers and employees’ devices, but end user devices are exposed if not secured enough. Also, other compensating measures need to be in place.

Courtesy of The Cyber Security Hub™ (TCSH), I would like to depict a link that TCSH had pointing to, citing that Work From Home(WFH) using VPN is not 100% secure, other risks existing in that activity (WFH). This article I wrote is for those who believe that VPN is all you need for a secure WHF. I extract selectivelly from the mentioned article only what I believe is critical in order for non-expert readers to grasp the essence.

Conclusions:

1. So, BYOD (Bring Your Own Devices) is a high risk. At least, it has to be approved by the company which the employee works in. This device MUST be secure enough against penetration, so I would strongly recommend: (i) remove admin rights from this device (to the extent possible) and (2) anti-virus and firewall on them is a must (although recently I have learnt that such amunition is not enough against a skilled hacker).

2) The IT infrastructure support generally i.e. in normal time (not these times of pandemic crisis) around 30% of users that work remote. Generally. During COVID-19, if all users go remote, then ” Houston, we have problem!”. I mean, no organisation has envisaged so far that its staff will work from home in such a huge majority. Therefore, buying an additional equipment to support the increasing demand of users to work using VPN takes time (months). Configuration and integrating such new equipment into the existing infrastructure also requires time.

3) I will end up with this recommendation (excerpt from the article) that I fully agree with:

So, stay safe not only from COVID-19 virus, but also to avoid get viruses (electronic form) or other electronic malware from hackers.

For this purpose, employees need a secure device (as I have mentioned above, i.e. remove admin rights and have installed anti-virus and firewall software) and instructions regarding how to counter phishing attacks (about these I hope you have already introduced regular simulations as I have recommended in this article on LinkedIn previously) so when employees working from home and they are not supervised or no quick requesting and support link with IT department, they hopefully be able to apply at home that knowledge.