This is Part I of a two-part series on improving work-from-home security. Part II details some of the steps that businesses with a distributed workforce can take to keep staff, clients, and overall operations “cyber safe”.
Here in Part I, we discuss how you can recognize and mitigate some of your cyber risks while working remotely.
Many of us have been working at home for a few months now, and depending on your location in the world, that’s a situation that may not be changing any time soon. While some jurisdictions are easing work restrictions, others have already extended work or study-from-home programs until at least September, or even through to the end of 2020. And when the pandemic is finally over, many businesses will have learned the value of supporting distributed workforces, and may implement remote access as a standard way of doing business going forward. Similarly, many employees have found that working from home suits their lifestyle, improves their productivity, and addresses their health concerns – so they may push to remain offsite. In this landscape, it’s important for individual employees to review and reflect on their own cybersecurity posture for the long haul.
1) Phishing – No work-at-home/pandemic article would be complete without a reminder about the ever-rising dangers of phishing. Hackers realize that more people are spending more time online than ever before. Capitalizing on jittery users – many of whom are working from home for the first time – phishing and texting attacks featuring bogus COVID-19 updates, software/security updates, financial news, insurance scams, and more have increased by over 600% during the first few months of the pandemic. Fraudulent websites containing the term “COVID” or “coronavirus” have been registered by the thousands, poised to harvest personal information or financial details from unsuspecting users visiting the sites. You’ve heard this before, but use the utmost caution when opening emails from unknown sources, or messages that you were not expecting, even from trusted colleagues. Anything with a web link or an attachment should be examined carefully before opening. Refer to our article on social engineering and phishing for more tips on keeping your inbox safe.
2) “Smart Home” Security – One of the biggest risks faced by home users is, unfortunately, one of the most common. Home networks and Wi-Fi setups are easy to install, but can create significant security holes if not configured correctly. Our guide to smart home security provides great tips on securing your home router (which should be your number one priority) and all the rest of the smart home devices in your house. Making sure you have an inventory of what’s connected to the Internet – and why – will help give you more confidence that you’re keeping the bad guys at bay.
3) Personal Devices – If at all possible, each person working or studying remotely should have their own individual device. This will limit the risk to your company, and to others, in the event of compromise. Where it is too costly or impractical to provide individual devices, at least consider designating a device used exclusively for work, separate from others used for personal computing or gaming. This will help to keep your professional life and personal life separate and secure. On any computer, it’s imperative that each user has their own non-admin account to reduce the exposure in case of a malware attack. Contact your IT support team to ensure that your remote access is secured using a virtual private network (VPN), and that you are using two-factor or multi-factor authentication to gain access to corporate resources – a password on its own is simply not strong enough. Finally, always remember to log out of your account at the end of every work session, particularly on shared devices.
4) Personal Copies – In the rush to move to a work-from-home model, appropriate and secure file transfer processes may have fallen by the wayside. Work product should never be sent over public email systems (particularly gmail.com) as there is no guarantee of privacy. Enquire at your office about using a secure file transfer/storage system, or rely on accessing all files directly on a corporate network through secure channels. The use of USB drives to shuttle data between home and office, or from computer to computer, has risen significantly during the pandemic as well. Aside from the obvious risks of loss or theft of the devices, pulling files out of your corporate system onto a standalone device can create confusion with multiple copies and file ownership. It’s much better to keep your files within your corporate systems for version control, security, and appropriate backups. If a USB drive is your only viable option for file transfer, ensure that the drive is password-protected and encrypted to reduce the risk in case of loss or theft. Keep an inventory of the drives you’re using so nothing goes astray, and be sure to keep a tracking system so you know which version of your document, spreadsheet, or presentation is the most current. “Check in” your documents back on the office network as soon as possible to keep everything safe and in sync, deleting your own versions afterwards.
5) Privacy – This is perhaps the least technical of all of the cyber risks we’ll discuss – and one of the easiest to forget. Most of us are unaccustomed to maintaining the same level of security at home as we do in a traditional workplace. While working from home, it’s important to remember to maintain the confidentiality and privacy of the work you’re doing. If at all possible, a separate workspace area should be designated. This will help keep your computer screen and paperwork separate from others in the area, and will also help you reinforce a psychological separation of home and work, which is often difficult these days. If the space or physical layout of your home cannot support an isolated workspace, at least your computer screen should be sheltered from view by others in the area. Detachable monitor/laptop privacy screens are an inexpensive way of reducing your risk from accidental disclosure of sensitive material. Don’t let family activities, pet interactions, competing priorities, and day-to-day home routines cause you to let your guard down on cybersecurity.
6) Phone Calls – Just as your computer screen should be shielded from others, phone calls should be made or taken in a quiet, separate part of the house. The use of the speaker phone should be avoided unless you’re confident that your discussions will be kept private. Headphones can easily be attached to your computer, laptop, or phone, keeping the other party’s words for your ears only.
7) Videoconferencing – Similarly, videoconferencing should be done with due consideration of the privacy and sensitivity of the subject matter. Take care to have access to a camera cover to control who’s viewing you and your home office, and make sure you know how to control the mute feature on your conferencing software of choice. Refer to our article on videoconferencing best practices for lots more practical tips on how to conduct safe and secure meetings online.
8) Over-sharing – Continue to take care when sharing details about your remote work location. Though the novelty of work-from-home has likely worn off for most people, posting selfies or “kitchen office” setups may inadvertently show work product, confidential reports or screenshots. Worse, depending on the sensitivity of your work and work environment, you may expose yourself as a target for cyber or physical attack by unwittingly revealing your home address or clues about your passwords or living arrangements.
9) Printing – Printing should be kept to a minimum for security reasons, and any printed work product should be securely locked away in your home office. Never throw out or recycle old paperwork in your home garbage – take steps to store the paper and ensure it gets shredded securely. Home shredders are available, but they can be slow or ineffective – check reviews and capacities before you buy. Many public shredding facilities remain closed, but you can store obsolete documents and have them shredded during a visit to the office, or make arrangements for a mobile shredding service to stop at your home if the cost and volume of printed material warrant it. If you are authorized to print work product at home, make every effort to use the facilities provided by your employer. Office 365 – for example – can be configured to allow direct printing to a home printer, without having to transfer a copy to a USB drive or personal email address first.
Working from home is expected to be much more prevalent and accepted, even post-pandemic. Remember that cybersecurity isn’t just your IT department’s responsibility. It takes a team effort to make sure that everyone is as cyber safe as possible.