I wrote previously of what the key ingredients for a successful travel program might include, a topic which had not garnered much attention over the past couple of years as the pandemic took hold. What most entities have experienced since early 2020 is the IT scramble to accommodate the migration of employees from onsite and in their seats to off-site and sitting wherever they could find internet access. Just like that, CISOs found themselves having to formulate work-from-home (WFH) policies, implementation and procedures.

The shift was swift, and while some companies did nothing but allow employees to access their networks via an external internet connection, others took a more programmatic approach. One such entity was XYPRO. Steve Tcherchian, CISO and chief product officer at XYPRO, observes that the shift was swift: “We had lost the air cover that the office security infrastructure provides, we had to quickly adapt our WFH procedures and controls to address a situation where everyone was required to work from home at once.”

Multi-factor authentication first followed by technical controls

XYPRO prioritized its steps, putting multi-factor authentication (MFA) at the top of the list to “ensure all services were adequately protected against credential attacks,” Tcherchian continues. “Some of our staff had never worked from home and were ill-equipped to work efficiently.” He further observes how, “oftentimes, work on computers doubled as school computers.”

In sum, the implementation was an infosec nightmare.
To rectify the situation, Tcherchian cataloged the changes that XYPRO rolled out to help ensure its remote workforce was as secure as those working from within the security afforded by the office.

- Require MFA on all services
- Maintain BYOD devices at a certain OS/patch level
- Install antivirus tools and keep definitions current
- Properly secure Wi-Fi
- Prohibit company data from BYOD devices
- Do not share computers
- Assign corporate computers or cloud workspaces for employees who had to share computers for their children’s school

This was followed, Tcherchian advises, by implementing technical controls, including mobile device management and the ability to remotely wipe employee devices, which may include personal, non-company data. He notes that employees “voluntarily enter into our BYOD program.”

While remote work is at its apex, so are credential reuse attacks, says Bojan Simic, CEO/CTO of HYPR. He shared how “according to ESET research there was a 768% increase in RDP [Remote Desktop Protocol] attacks targeting remote workers in 2020. The number of virtual private network (VPN) users also increased by more than 54% in 2020, while MFA adoption remained relatively flat.”

Similarly, Mike Puglia, chief strategy officer at Kaseya, emphasizes the need to mandate the use of MFA and conditional access policies. Those working from home or at a far-flung beach bungalow “make extensive use of cloud apps and one can no longer make assumptions based on physical location or device.”

A few entities were impacted less than others, as was the case with Abnormal Security, which, according to its CISO, Mike Britton, is “a ‘remote-first’ company, which means we treat all employees as work from home. Our policies and procedures are designed with that operating model in mind.
We reinforce that security is a critical aspect of how we operate, and the expectations of good security habits and requirements apply whether working from your home, a local coffee shop, or the office.”

Onboarding employees for remote work

Britton adds that Abnormal has a well-defined, automated process that onboards the employee, who is provided a “company-issued laptop that is configured according to our security baselines and centrally managed.”

The devices, Britton explains, “leverage an enterprise SSO [single sign-on] solution that requires multi-factor authentication to access any company resources. All devices have endpoint detection and response (EDR) software and web filtering at the endpoint level to prevent access to malicious websites.” Additionally, via a third-party solution, he emphasizes, “these devices are monitored for compliance and to prevent employees from making changes.”

David Matalon, CEO of Venn, notes a Harris Poll showing that 71% of Americans admit to working around their company’s security protocols when a protocol asks them to work in a non-natural or cumbersome manner. His team “enjoys the notion of ‘freedom without compromise.’” Venn employees are permitted to use any device, anywhere. This is possible using a platform that “ensures all work-related data is secure and eliminates the possibility of enabling unrestricted access to such data with cutting edge DLP [data loss prevention].”

Need for a BYOD policy

Venn embraces BYOD without exception, and it, too, has in place a methodology to “enable administrators to pull back or wipe all work-related data as required,” Matalon says. “Unlike traditional remote management monitoring, which wipes an entire device’s data, the secret sauce for Venn is being able to execute that same level of protection while ensuring that employee privacy is protected, too.
LocalZone focuses exclusively on separating work-related data from what is personal. If a wipe is required, an administrator can protect all work-related data while not interfering with the employee’s personal and private data.”

Puglia of Kaseya reflects that “most companies do not have a comprehensive BYOD strategy. They have a policy that enables employees to get email and maybe a few apps on their phones as a matter of convenience when the employee is not on their primary device. Organizations need to re-think their BYOD strategy to embrace access and more importantly, security, no matter what location or device users are on.”

All the policies and procedures already in place need to extend to every user and device, no matter where they are, as the physical boundaries of the office no longer apply. This may explain why Tcherchian led with the requirement of having MFA in place as the first bullet point in XYPRO’s migration to all employees working remotely, all at once.

Work from home requires a comprehensive architectural plan and decisions to be made, some of which will increase the operational expenses of the CISO’s span while also increasing the security of the company. The aforementioned examples from industry highlight the diverse opinions on how to tackle the WFH conundrum; be it BYOD or company-issued devices, both require process and procedures to implement securely.