
I don’t think it’s uncommon in today’s employment market that employees take their work home with them. Whether it is a report they need to write or a market analysis that is due for a Monday morning 8AM meeting, I would say confidently that we’ve all done it at one time or another.

As security professionals and practitioners required and responsible for applying security specifications such as PCI, NERC and SOX in our workplace environments, do we take our work home with us? Do we apply the same guidelines, policies and best practices to our own home networks and personal equipment that we apply in our workplace? I’ve had this conversation with several friends and colleagues, and it seems that most of them do not apply the same guidelines at home. I’ll admit I’m guilty of applying only very basic best practices to my personal equipment and accounts.

One could argue that the comparison is unfair and that the needs of the two environments are completely different. That may be true; after all, as individuals we don’t have to answer to a yearly audit of our homes. However, we do have a need, and I would argue a responsibility, to protect our personal data so that it can’t be misused and abused if a security breach were to take place.

A breach against an individual looks quite different from one against a company. With so much technology available in today’s consumer market (laptop computers, cell phones, credit/debit cards and driver’s licenses with RFID chips embedded in them), the vectors by which an evildoer can get their hands on our data are nearly limitless.

Take a laptop, for instance. If, like me, you do your banking online in addition to paying bills, booking vacations, checking email and any number of other activities that expose sensitive personal data, then a breach of that laptop suddenly forces you to cancel accounts and open new ones, change passwords and keep an eye on your credit report to make sure nobody has stolen your identity or gotten hold of data they can use for malicious purposes. Cell phones are another example. I don’t password protect mine even though the option is there, because it seems to be a “hassle” I don’t want to deal with when I want to access an application quickly. Yet I am subscribed to text banking and have mobile applications for other financial institutions installed and accessible. If my phone is lost or stolen, I’m immediately at risk.

Applying some of the paradigms in use in the workplace to our personal lives can help mitigate that risk: instituting complex passwords with required change dates, ensuring that patches are quickly applied to our computing equipment, enabling encryption on our wireless access point, creating a password or pattern lock on our cell phones, installing tracking and remote wipe software on our cell phones and, most importantly, enforcing and auditing ourselves honestly to verify that we’re following our own guidelines.
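The self-audit the post ends on can be made concrete. The script below is an added example, not code from the post or its author: it encodes the controls listed above (patch currency, password age, phone lock and remote wipe, wireless encryption) as a small home policy, runs a constructed device inventory against it, and reports the gaps. The policy thresholds (30 days for patches, 90 days for passwords), the device records, the audit date and the finding codes are all assumptions chosen for the example.

```python
"""Personal security baseline self-audit (constructed example, not the post's code)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Device:
    name: str
    kind: str                                      # "laptop", "phone" or "router"
    last_patched: Optional[date] = None            # None means never / unknown
    password_last_changed: Optional[date] = None   # checked for laptops
    screen_lock: bool = False                      # checked for phones
    remote_wipe: bool = False                      # checked for phones
    wifi_encryption: Optional[str] = None          # checked for routers


# Hypothetical home policy mirroring the workplace controls named in the post.
POLICY = {
    "max_patch_age_days": 30,
    "max_password_age_days": 90,
    "allowed_wifi": {"WPA2", "WPA3"},
}


def _age_days(when: Optional[date], today: date) -> Optional[int]:
    """Days since `when`, or None if the date is unknown."""
    return None if when is None else (today - when).days


def audit_device(dev: Device, policy: dict, today: date) -> List[str]:
    """Return a list of 'CODE: detail' findings for one device (empty = compliant)."""
    findings: List[str] = []

    # Every device, routers included, must be patched within the window.
    patch_age = _age_days(dev.last_patched, today)
    if patch_age is None or patch_age > policy["max_patch_age_days"]:
        shown = "never" if patch_age is None else f"{patch_age} days ago"
        findings.append(f"PATCH_STALE: last patched {shown} "
                        f"(limit {policy['max_patch_age_days']} days)")

    if dev.kind == "laptop":
        pw_age = _age_days(dev.password_last_changed, today)
        if pw_age is None or pw_age > policy["max_password_age_days"]:
            shown = "unknown" if pw_age is None else f"{pw_age} days"
            findings.append(f"PASSWORD_STALE: password age {shown} "
                            f"(limit {policy['max_password_age_days']} days)")

    if dev.kind == "phone":
        if not dev.screen_lock:
            findings.append("NO_SCREEN_LOCK: set a PIN, password or pattern lock")
        if not dev.remote_wipe:
            findings.append("NO_REMOTE_WIPE: enroll in a tracking and remote-wipe service")

    if dev.kind == "router":
        if dev.wifi_encryption not in policy["allowed_wifi"]:
            findings.append(f"WEAK_WIFI: {dev.wifi_encryption or 'none'} in use; "
                            f"move to one of {sorted(policy['allowed_wifi'])}")

    return findings


def audit_inventory(devices: List[Device], policy: dict, today: date) -> Dict[str, List[str]]:
    """Audit every device; the result maps device name to its findings."""
    return {d.name: audit_device(d, policy, today) for d in devices}


def report(results: Dict[str, List[str]]) -> str:
    """Render the audit as plain text for reading."""
    lines = []
    for name, findings in results.items():
        lines.append(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        lines.extend(f"  - {f}" for f in findings)
    return "\n".join(lines)


# Constructed inventory: three non-compliant devices and one compliant one.
AUDIT_DATE = date(2024, 4, 15)
SAMPLE_INVENTORY = [
    Device("home laptop", "laptop",
           last_patched=date(2024, 3, 1),            # 45 days ago
           password_last_changed=date(2023, 10, 1)), # 197 days ago
    Device("phone", "phone", last_patched=date(2024, 4, 10),
           screen_lock=False, remote_wipe=False),
    Device("home router", "router", last_patched=date(2023, 1, 1),
           wifi_encryption="WEP"),
    Device("tablet", "phone", last_patched=date(2024, 4, 12),
           screen_lock=True, remote_wipe=True),
]

if __name__ == "__main__":
    print(report(audit_inventory(SAMPLE_INVENTORY, POLICY, AUDIT_DATE)))
```

Running it on the constructed inventory yields six findings across the laptop, phone and router and none for the tablet. The point of keeping the policy as data is the "audit ourselves honestly" step: the thresholds are written down once, and the script, not memory, decides whether each device meets them.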

So I believe the question “Do we take our work home with us?” should be re-phrased and re-imagined as “How much work should we take home with us?” I look forward to seeing how much work my peers in the security industry bring home and apply to their own personal corporation.

  • Mrs. Y Iswhy

    I still think you're asking the wrong question. In certain highly populated metropolitan areas, the daily commute is no longer an efficient model or even feasible. As more enterprises offer telecommuting options, IT needs to be a stakeholder in defining policy and procedures facilitating this access. That may include setting minimum bandwidth requirements, performing assessments on home networks, liberal use of VPN technology, laptop endpoint security and/or the use of VDI in order to allow teleworkers secure access to the enterprise network. It's no longer a question of *should* you bring home work. As contributors to a strategic vision of an organization, part of IT's fiduciary responsibility is to ensure that the enterprise has a telework security strategy.

    • Drew

      I agree with you completely in regards to telecommuting and the role IT security needs to play in defining and employing a security strategy. I had planned to address that particular question in another future post as I myself am a remote worker. This particular post was targeted towards taking the lessons learned in our work as security practitioners and applying it to our own personal digital security.

  • Support

    Are you Andre Agassi?

  • Pingback: The intersection of work and home | The State of Security