Just a few months ago, it would have been unimaginable that so many of us would be working from home. While more and more companies had been allowing some users to work remotely to some degree, a significant chunk of the workforce now finds itself working from home, on very short notice.
As the Covid-19 pandemic grips the world, cyber criminals have seen this increased online activity and confusion as an opportunity, and have stepped up phishing and scam attacks. We’ve already covered some of the main threats to look out for in another article, but now we’d like to share some of our tips on making sure you protect your company and your family’s data while working from home.
Here at Tech Guard, we’ve come up with a handy list of our top security tips for those who find themselves suddenly working from home.
Phishing scams are rife. Think before you click!
Remote workers must be aware that many phishing scams will be targeting them with sensational or emotional messages. There has been a huge upsurge lately in coronavirus-based scam emails, which hope to catch users off guard as they are distracted by the crisis.
Without your colleagues around you, you need to be extra vigilant of both emails and phone scams. Don’t open emails or attachments that you are not expecting, and always remain sceptical of any requests for sensitive information. If you do see any suspicious messages, we recommend reporting them immediately to your IT team.
Beware of fake login sites
Don’t fall for ‘credential phishing’ attacks, where scammers create fake landing pages (websites) to trick you into handing over your username and password. It’s best never to click on links asking you to update or input your credentials, and instead bookmark the correct link for sites that you frequently use.
Always check the URL (website address) before proceeding, by hovering your mouse (don’t click!) over the link in the email. This should give you a little pop-up that tells you the real URL, which may not match the one the link claims to take you to.
Beware of fake news sites
Watch out for intentionally misleading news and malicious websites taking advantage of newsworthy events such as the Covid-19 pandemic. If in doubt, check with your IT team to find out if a site is trustworthy.
Undertake security awareness training
Companies which take security seriously should have an awareness training program in place. Security awareness training is a requirement of the GDPR, and also plays a crucial role in ensuring staff know how to detect malicious content online and act accordingly.
If your company has assigned you training, you should complete it as soon as possible and ensure you understand the lessons it is delivering. Doing so will greatly reduce your own risk online as well as your company’s.
Secure your home WiFi network
There are two basic steps that everyone should undertake before connecting to their corporate work network:
1. Ensure that your router password has been changed from the default one. Each router is different, but there is a guide here which can help you.
2. Set a secure password for your WiFi network and make sure you choose WPA2 encryption. Whatever you do, do not use a WiFi network that is unsecured and doesn’t have a password. See here for more info.

(Important: Don’t use the same password for Steps 1 and 2)
Keep your work environment private
It’s important to keep the space where you will be working at home safe, and ensure no one is allowed to access your work computer, even your family and kids. Make sure you lock your PC, laptop and mobile devices when you are not using them.
Unintentionally, others could download malicious software or access files that they shouldn’t see.
You should also have a clean desk policy at home, ensuring no corporate information is left lying around. Ensure your work conversations via phone or video conference remain private, and don’t forget to check your policy on smart home devices like Alexa or Google Home.
Avoid printing out any work-related documents at home. Not only is it better for the environment, it will further reduce your risk and prevent corporate information from falling into the wrong hands.
If you do need to print sensitive documents, ensure they are locked away safely and when you no longer need them, shred them thoroughly before discarding them.
Company work policies still apply
You may be working from home, but that doesn’t exempt you from following company policies, which were designed to prevent data breaches and protect the privacy of employees, customers, clients and business associates. Circumventing policy in any way undermines these efforts.
If you need more information on applicable work policies, we would advise you to reach out to your manager to ensure you have all the resources you need to securely work from home.
Use a VPN
If your workplace provides a virtual private network (VPN), please use company-approved VPN software to connect you to the corporate network.
A VPN helps ensure a secure tunnel for all your internet traffic, preventing criminals from intercepting your data.
Ask your IT team for advice on setting up a VPN.
Avoid USB devices
Do not use personal USB devices for storing any corporate data or connect them to your work PC. If you are allowed to use USB sticks, please only use company-approved encrypted USB sticks.
Do not send company data to your personal accounts
Do not send work files to your personal email accounts, or upload company data to personal non-company approved file sharing websites such as Dropbox, Google Drive, etc. To do so is usually seen as a major breach of company data protection policy and can get you in a lot of trouble.
Only use approved video/audio conferencing software
Only use company-approved video conferencing software. Do not host video or audio conference meetings via unapproved software.
Be careful sharing your screen
Often remote workers will share their screens with colleagues and vendors/contractors. You should ensure that you only share the appropriate window or monitor to prevent them from accidentally seeing information that they shouldn’t. If you have two monitors, only share access to the one you need to share access to.
You can also cover your webcam with a piece of tape or use a webcam-slider for added security to prevent hackers from using it in the event that they infect your PC with malware.
Don’t forget about physical security
You should ensure that company devices are always kept in a secure location, where thieves cannot get at them. Work devices should always be locked away when not in use and never left unattended at home or elsewhere (like your car).
If you do lose your company device for any reason, it’s important to report it immediately to your IT team so that they can act quickly to prevent unauthorised access.
Do not use personal devices for work, unless approved
If you don’t have a work laptop or PC that you can use to work from home, you should request one from your manager or find out the company policy on using a personal device for work.
Do not access or download company data onto personal devices without prior approval.
Do not use public WiFi
Beware of free WiFi hot spots! Do not connect to them from your corporate devices without approval and without using approved VPN software.
Cheap, battery-operated rogue WiFi access points exist, which criminals use to mimic WiFi hotspots and trick your device into connecting to them instead of the one you intended. All they need to do is give the rogue access point the same name as the free WiFi hotspot (for example in your local café) and then sit near you. Devices tend to connect to the closest hotspot, leaving your traffic open to be viewed by criminals.
If you need to use your smart phone hotspot to provide internet to your work laptop, please ensure you set a strong password.
Use strong passwords and 2-factor authentication where possible
Ensure all your passwords for company websites are strong and unique. Use long passphrases where possible and enable 2FA on all (work and personal) websites and email accounts that you have to log into.
Companies themselves need to ensure that all email accounts that can be accessed via the internet have 2FA enabled. This step greatly reduces the risk of cyber criminals accessing company email accounts or the data within.
2FA (or 2-factor authentication) simply means that in addition to your normal password, you must enter a code that is texted to you or generated by an app in order to log into a website. It provides a strong extra layer of security against would-be hackers.
Check if your company allows the use of password managers, and if allowed, use a company-approved one and ensure 2FA is enabled.
Using a personal device for work?
If you have been approved to use your home laptop or desktop to connect into your corporate work environment remotely, then you should follow these additional steps to stay safe!
Use approved antivirus software
You should ensure that your PC has appropriate antivirus software, which is kept up to date. You should ask your IT team for recommendations. Sophos Premium or Bitdefender are examples of some reputable, modern antivirus solutions.
Install a web filter and advert blocker
If you are browsing on your home computer, we recommend you install a web filter if your antivirus software does not come with one. Solutions like Cisco OpenDNS can be a good choice to protect all the devices in your home at once (by making a quick, easy change to your broadband router’s DNS settings). Alternatively, upgrade the antivirus software on each device to one which has web filtering functionality built in (e.g. Sophos Premium).
You should also install an advert blocker on every browser you use, as online ads can infect your computer, even if they are on a reputable website and you don’t click on them. We would recommend Adblock Plus. Be aware that some sites will ask you to disable your ad blocker because their main revenue comes from adverts. Disable with caution.
Update your applications regularly
You should ensure that your PC has all the latest updates, both from Windows/Apple and on any applications that you use. Security patches are an important line of defence against cyber attacks as they often fix flaws/bugs that hackers want to take advantage of.
Use a separate login for work
For productivity as much as security, we would recommend using a separate login for work purposes on your laptop or PC. Do not give it administrator privileges; instead, use a separate admin account for installing software. Do not let your family members use your work account, or know the password for it or for the admin account.
Avoid Windows 7
Windows 7 is no longer supported by Microsoft, and security vulnerabilities in it will no longer be fixed.
Do not use a Windows 7 home device to do work or connect to your corporate network unless you have company permission. Instead, use an operating system that is still in support (e.g. Windows 10).
Encrypt your devices
Ensure your personal devices, both laptops and mobiles, are protected with a strong password, and encrypted if this is possible. Ask your IT team for additional information on how to encrypt your device if you are unable to do it yourself.