The coffee shop is fine
I hear too many acquaintances worry that employees might work from a coffee shop or other public network, putting their whole company at risk. So what if they do? The idea that a coffee shop’s Wi-Fi is insecure implies that there’s a mythical “secure” network that can be trusted with the company’s secrets. That’s almost never true.
Work-from-home employees are on a tame home Wi-Fi setup, right? Don’t count on it. Is their gear current? Are they sharing Wi-Fi with their neighbors? Are they using their apartment building’s network? Who’s their ISP? Although their home setup might – or might not – have fewer people on it than the local cafe’s, that doesn’t make it trustworthy.
What about the employees we coerced into returning to a legacy office and using its Wi-Fi? Oh. You mean that named network that sits around with a target on its back as belonging to important people? Unless you manage your own office, and it’s in a Faraday cage blocking all outbound or inbound radio signals, and you pretend that MAC filtering is a security feature, and all your equipment is patched with the latest security updates, and you have guards walking around with fox hunt antennas to spot rogue access points, it’s not substantially better in the ways that count. If you can read this at work, at least a few of those assumptions are likely wrong.
The idea of a “trusted network” is dead. It’s time we stop pretending. If an employee can be compromised at the coffee shop, they can be compromised at the office. We have to design our defenses as though our staff are working from the free network at DEF CON. That means making sure all employee devices and servers are patched. That all connections are encrypted, even those between internal systems. That authentication uses cryptography, not passwords. That we don’t pretend that “route all traffic” VPNs are a good idea. That we don’t rely on allowlisted IPs as a critical defense. That we don’t trust any network our employees might use, and that our systems are robust enough to endure hostile environments. Yes, even the ones we tell ourselves are safe.
And if we’re not comfortable with our coworkers typing away next to a fresh latte, it’s our responsibility to figure out what part of that bothers us and then fix it. The issues that would make that scenario dangerous affect the “secure” office, too.