Answered by Mark Hofman, Chief Technology Officer, CyberCX
Unfortunately, there isn’t a simple answer here. Many users will have a device provided, controlled and managed by their ISP without them having any control over how it is configured. Others may have devices that are no longer supported. There are, however, several approaches we’ve seen over the years to address this issue:
- Extend internal IT support to home devices
We have seen a few customers who have extended their internal IT expertise to BYOD devices, including routers. They would assist when routers break as well as help users patch these devices as needed. I’ve seen customers even run vulnerability scans on their staff home devices (with permission) to help manage risk. Whilst initially painful, over time they have found the management effort to be quite minimal.
- Provide a device
Another option is to provide a device. Here an organisation provides a managed and monitored wireless router that users plug into their home environment. It provides a secure SSID for employees to connect their devices to. This, unfortunately, can get expensive but may be an option for high-risk users.
- Provide Education
Support home users in patching their devices. This is not without its challenges but may work depending on their technical competence and comfort level.
- Focus on the endpoint
Ignore the home router and focus on endpoints. Assuming that employees have a supplied device, you can deploy your own AV/EDR product as well as control and manage firewall configurations. Using a combination of VPN connections and managed endpoints will help reduce your risk.
- Use Virtual Desktop Infrastructure
If an organisation already uses Virtual Desktop Infrastructure, then endpoints and home routers are almost a non-issue.