Home Network Security
Most home networks have security that would fail any corporate audit:
- Default router credentials: Most people never change the admin password on their home router. Default credentials for many ISP-provided routers are publicly documented.
- WPA2-PSK with weak passwords: "MyHome2024!" is not a strong password. WPA2-PSK is vulnerable to offline dictionary attacks if the password is weak.
- No network segmentation: The laptop with corporate VPN access is on the same network as the smart TV, the kids' tablets, and the IoT thermostat with known vulnerabilities.
- No firmware updates: Home routers often run firmware from 2018 with known exploitable vulnerabilities.
- UPnP enabled: Allows applications on internal devices to open ports on the router — a common malware and lateral movement vector.
The most likely home network attack path: an IoT device (smart camera, thermostat, doorbell) with known vulnerabilities is compromised. From there, the attacker ARP-poisons the router and intercepts all traffic, including the corporate VPN session. The corporate credentials flowing through the compromised home network are captured. This chain — IoT compromise → router compromise → corporate access — is entirely plausible for most home networks.
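A defender can spot the ARP-poisoning step of this chain from any machine on the network, because the poisoned neighbour table maps the gateway's IP to another device's MAC address. The script below is an added example, not part of the original article. It parses `ip neigh show` output and flags that condition; the sample table, IP addresses, MAC addresses and the recorded baseline are constructed assumptions.

```python
import re

# Constructed sample of `ip neigh show` output (not captured from a real network).
# Assumptions: 192.168.1.1 is the default gateway, 192.168.1.57 is an IoT device,
# and all MAC addresses are made-up locally administered values.
BASELINE_GW_MAC = "02:00:5e:00:00:01"   # router MAC recorded while the network was known-good
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 02:00:5e:00:00:57 REACHABLE
192.168.1.23 dev wlan0 lladdr 02:00:5e:00:00:23 STALE
192.168.1.57 dev wlan0 lladdr 02:00:5e:00:00:57 REACHABLE
192.168.1.80 dev wlan0 FAILED
fe80::1 dev wlan0 lladdr 02:00:5e:00:00:01 router STALE
"""

NEIGH_RE = re.compile(r"^(?P<ip>\S+) dev \S+ lladdr (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\b")


def parse_neigh(text):
    """Return {ipv4: mac} for neighbour entries with a resolved link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and ":" not in m.group("ip"):   # ARP is IPv4 only; skip IPv6 neighbours
            table[m.group("ip")] = m.group("mac").lower()
    return table


def check_gateway(table, gateway_ip, baseline_mac=None):
    """Return findings that suggest the gateway's ARP entry has been tampered with."""
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return [f"gateway {gateway_ip} has no resolved MAC"]
    findings = []
    if baseline_mac and gw_mac != baseline_mac.lower():
        findings.append(f"gateway MAC changed: expected {baseline_mac.lower()}, saw {gw_mac}")
    for ip in sorted(ip for ip, mac in table.items() if mac == gw_mac and ip != gateway_ip):
        findings.append(f"{ip} has the same MAC as gateway {gateway_ip} ({gw_mac})")
    return findings


if __name__ == "__main__":
    for finding in check_gateway(parse_neigh(SAMPLE_NEIGH), "192.168.1.1", BASELINE_GW_MAC):
        print("ALERT:", finding)
```

A MAC shared with the gateway can have a benign cause, such as one device holding several addresses, so treat a finding as a prompt to investigate and report it to IT security rather than as proof of compromise.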
Coffee Shop Work Risks
Working from a coffee shop combines the insecurity of public WiFi with the convenience of being outside the home. The risks are identical to those described in the Corporate Travelers profile — with the additional factor that remote workers may spend many hours per week in these environments, increasing their exposure over time.
- Regular coffee shop workers are predictable targets — attackers can return to the same location repeatedly
- Regular hours and locations create a profile that attackers can use for social engineering or physical surveillance
- Screen visibility in public spaces is a data exposure risk in itself
Employer Responsibilities
Employers who allow or require remote work have a duty to provide secure access — and to clearly communicate security requirements to employees:
- Corporate VPN with full tunnel and kill switch — provided, configured, and enforced on all work devices
- MDM/UEM enrollment — enabling remote wipe, policy enforcement, and compliance monitoring on all work devices
- Security training — at least annual WiFi security awareness training for all remote workers
- Acceptable use policy — clear written policy on what networks are acceptable for work access
- Home router security guidance — written guidance for employees on how to secure their home networks (or provision corporate-grade home routers)
- Endpoint detection and response (EDR) — deployed on all work devices, including those used remotely
- Dark web credential monitoring — alerting when employee credentials appear in known breaches
Defense Checklist for Remote Workers
- Use corporate VPN on all work devices — always, on all networks including home
- Enable VPN kill switch — prevent traffic leaks if VPN drops
- Change the admin password on your home router — use a strong, unique password
- Update your home router's firmware — check for updates at least quarterly
- Use a guest network for IoT devices — separate them from your work devices
- Disable WPS on your home router — use WPA3 or strong WPA2 with a complex password
- Don't access work systems over coffee shop WiFi without VPN — even "trusted" cafes
- Use a privacy screen when working in public spaces
- Don't share your work device with family members or friends
- Report any suspicious activity (unexpected network behavior, unusual system prompts) to your IT security team immediately