Keeping your data safe is a top priority no matter where you and your users are operating from. Many are logging into their employee network through company-issued devices. There’s also a worry about users using personal devices to access company data. According to a report by HP on work styles, half of the remote office workers said they now see their work device as their own personal device, with 46% saying that they use their work laptop for personal usage, and 30% saying they let someone else use their work device. To top it off, 69% reported that office workers have used their personal laptops and devices for work tasks. All of these open up the user and the organization to security risks. These issues can be tough to combat with users away from the office but utilizing tools like VPNs and endpoint security can help.

How does your organization keep work devices secure at home?

@HP

24 Spice ups

Only really education. We keep a discussion going on a social platform so that people can check it later etc. Luckily our sales are interested because it helps them with their communications to be abreast of issues. Ours is a high tech industry so even our sales have ‘better’ devices at home. There is no reason to install programs on their lesser work device & the education they are interested in, because they don’t want to take a nasty home.
Yes agreed that their devices are seen as personal, but the caveat is that they take responsibility for the device security.
We did have an issue previously (with a largely Mandarin speaking workforce) of people downloading QQ browser & its updater software.
Thankfully it only installed bloatware but was useful to help educate the users at large “Did you install this, did you want it? SEE!”

Can’t wait to see what becomes popular next to make me eat my words

2 Spice ups

Our philosophy is to protect with software, antivirus, VPN connection to work resources, etc. They do their thing, while I work with users to educate them on what to look for, what to do/not do, how to recognize a threat, and what to do if they suspect something. All of the firewalls and other software in place can easily be rendered ineffective by one uneducated person. You can’t build anything fool-proof because they’re always building a better fool.

2 Spice ups

My philosophy has always been user education. The systems, software, and hardware can be designed and developed with ABSOLUTE security in mind, and then a user opens a bad email and it all blows up. On the other hand, if the systems, software, and hardware were actually designed correctly, it wouldn’t blow up. So the real answer to these kinds of questions is a two-pronged approach: user education and good security systems to protect when users do dumb things.

We used to have LOTS of laptops available for employees to take home (or simply keep home for anyone and their dogs to use), but over the years I’ve eliminated 90% of those. We’re in North Dakota, so we’ve gotten LOTS of snow and travel has been difficult for some users, so nowadays when a user wants to connect remotely, I help them set up a VPN on their personal computers to connect to work, and I help them set up an RDP connection to their work computer. Something tells me that’s not the best way to handle this, but I’m not ready to buy all the licensing required for something like a company-wide BOMGAR or LogMeIn or whatever.

We try education but the lawyers think they know better. VPN, network segregation, no rights to install software. Have to go extreme but it seems to be working. For allowed software (secondary browsers, utility apps, etc.) we have an intranet store where they can self-serve.

3 Spice ups

They have to use a company device and connect via the VPN.

2 Spice ups

^This is the way. Once a third party app is cleared for use by InfoSec, etc, and assuming no extra costs/licensing issues it can be added to Self-Service.

1 Spice up

With all due respect, I disagree with the general consensus from the replies that “user education” should be the most important item in the list. This thinking is not only dangerous but it also goes against common sense.

Even the most security conscientious users will click on an e-mail that comes from their bosses, contact, supplier or client. I see this ALL THE TIME! It’s easy for users to distrust an e-mail that comes from an unknown source; in fact I have seen very few incidents where a user has opened an attachment or clicked a link in an e-mail from an unknown sender.

Last week I had a close call with a client that I consider very security aware, and he’s a smart person; however, his boss forwarded an e-mail that his boss himself did not open but was asking this person to find out what it was because the subject says “Past Due Invoice”. Sure enough the subordinate opened the PDF attachment.

My policy is ZERO TRUST, I have to assume people are stupid when it comes to computer technology (most are), I have to assume that at some point they will eventually open an attachment (most will). Therefore, I never trust the user (trained or not).

So what can I do? The answer was simple in my case.

GET A SECURITY SOLUTION THAT BLOCKS EVERYTHING EVEN LEGIT APPLICATIONS!!!

Yes, I prefer 1000 times to get 100 calls about a legit application being blocked than ONE CALL from a user asking why all the files inside the network drive look weird and he cannot open any file. Because they are ALL encrypted, stupid!!!

It’s 1000 times less stressful, easier and faster to allow a false positive than deal with a Ransomware infection. You do the math.

I sleep better these days knowing that my Security Solution trusts NOTHING unless I say so.

Get an EDR Solution with NextGen A.I. AV like SentinelOne (if you cannot afford CrowdStrike Falcon) and combine it with a threat hunter like Huntress and I can assure you the only calls you will get will be from users asking why they cannot open WinRAR, 7Zip or some bootlegged PDF editor.

Better be the asshole than be the victim and feeling sorry for yourself.

Take care.

1 Spice up

As long as users don’t have local admin privilege they can do normal stuff like going to online webshops, basically just web browsing, check personal emails, even watch Netflix, I don’t care. As long as they keep their computers updated with antivirus and Windows updates, but of course the IT department is already taking care of that automation in the background. I don’t know any restrictions where the company says users are not allowed to do some personal stuff on company computers.

We do not allow local Admin privileges. We also use the @Fortinet FortiClient for VPN and endpoint security. We leverage Office 365 and try to keep as much in the cloud as possible.

The solution varies:
For this nonprofit I am giving a license of antivirus to install on the personal laptop from which the user is accessing corporate email.
The users are not connecting to the internal LAN,