Tips for Securely Working From Home
We offer some helpful tips for improving the security of your remote work experience for those who are working from home during the Coronavirus epidemic. Unless you have planned for this, suddenly working from home during this public health crisis has thrust you into a world of new technology, conferencing programs, managing paper files without storage, and possibly juggling kids who are home from school. Many people are working from laptops, home offices and other spaces that are not really equipped to handle the everyday workload of a busy professional. Even fewer are working securely now that they are dependent on their “home office” for nearly everything that their boss, clients and others need from them. Since the COVID-19 crisis is likely to last for several months, it is worth your time trying to protect your devices and information while working remotely.
Basic Cybersecurity. The best place to start is with the basics that everyone should know:
- Keep your security software up to date.
- Remove unnecessary software and disable unnecessary services on your computers.
- Make sure you have, and run, up-to-date antivirus software.
- Watch out for scams and phishing campaigns.
- Use firewalls on your network and all computers connected to it or the Internet.
- Do not write down your passwords, but if you do, keep them in a secure (read: secret and locked) place. Do not post important information in plain sight or on a sticky note under your keyboard or on your monitor. If this is too much for you, use a password manager.
- Back up your data.
- Don’t ignore problems. If you receive a warning from your system or anti-virus software or some other unusual occurrence, immediately raise it with your IT resource or supervisor.
- Training is vital because it teaches employees about the basics of data security, such as avoiding phishing emails, dangerous websites and public Wi-Fi.
Follow the Rules. Follow your employer’s security practices. Your home is now an extension of your workplace, so follow the rules that are in place. They are there to protect you.
Secure Your Home Network. Regardless of how secure your work network or connection might be, your home network must be secure too. The signal from most wireless networks is accessible for 150-300 feet so neighbors or someone driving by could potentially access your home network. This means an unauthorized person could gain access to your network to commit a crime or send malware or spam, which would be traceable to your account.
Starting with your router, you should reset the default password it came with and make sure the router is not publicly visible. If it must be visible to others, turn off the option to share files. Turn on network encryption (look for WEP, WPA2 or WPA3 level encryption) so outsiders cannot read information sent over your network. If you do not see an encryption option, try updating your router software and check again. If that fails, consider getting a new router.
You should also restrict access to your personal computers and devices with passwords and other restrictions available in the security settings. Anti-virus software, firewalls and, ideally, device encryption should also be employed.
Strong Passwords Rule! Every computer and device that you use should be password-protected, including your phone and other mobile devices. Thanks to cybercriminals, it is not enough to have a password – YOUR PASSWORD MUST BE STRONG! A strong password is relatively long, at least 15 characters, and a mix of numbers, symbols, and capital and lowercase letters. These days, experts recommend using phrases that combine “multiple unrelated words” or that follow a pattern that is known only to the user. A solid strategy is to combine different concepts or names that are familiar to you, that you can remember and that others could not guess, and then to supplement the phrase with numbers or symbols that replace similar letters in it or that are punctuation-like.
As a rule, every person who uses a computer connected to the Internet should have a strong password and never share it with anyone. You should never use the same password on multiple accounts, but it is generally acceptable to use the same phrase with a modification like adding a word or two to remind you of the site you’re logging into. A critical security feature is limiting the number of unsuccessful log-in attempts to limit password-guessing attacks.
Use Multi-factor Authentication. Many applications, devices and systems offer multi-factor, or two-factor, authentication. If this is not available on the application or system being used, ask your employer about implementing this feature. The increase in phishing attacks targeting remote workers during the COVID-19 crisis means it is more likely that credentials will be compromised. Multi-factor authentication helps to ensure that stolen credentials cannot be used to access company assets so it should be implemented wherever possible.
Avoid Public Wi-Fi. Public Wi-Fi networks like those found in Starbucks and airports are, by definition, not secure. Do not use them for work.
Be Careful Where You Put That! Confidential data must be disposed of securely, not by putting it in a trash or recycling bin. Shredders are cheap and any papers containing personal or confidential information about customers or employees should be shredded.
When it comes to electronic files and information, you should avoid flash drives and local storage of anything that might be confidential or in need of protection. Saving files to your desktop or the drive on your home computer may be easy, but it is not secure and is easily forgotten, deleted inadvertently and compromised. Don’t make this mistake! Remember, most companies have policies regarding how electronic files are supposed to be stored and locally storing files like this would likely violate your employer’s policy.
Beware of Conferencing Technology. Be careful choosing and using videoconferencing technology. As we all become more reliant on this technology, there are some simple things users can do to avoid problems, including:
- Do a little research and avoid public-facing videoconferencing solutions that are visible or accessible to the public or that lack basic protection like passwords or unique credentials.
- Make sure your application is up to date with the most recent version.
- Avoid hijacking by not posting meeting credentials or links to your videoconference on public websites or forums or sending them to large or questionable email groups.
- Create a unique ID and password for each meeting.
- Do not give remote control to or share the screen with participants.
Reading the latest news and reviews about videoconferencing solutions is also important. For example, news reports indicate that Zoom recently acknowledged allowing certain customer data to be shared with Facebook despite failing to disclose this to users. Zoom is currently being sued for allegedly unlawfully disclosing users’ personal information and is being investigated by the New York Attorney General’s Office. See https://www.cbsnews.com/news/zoom-app-personal-data-selling-facebook-lawsuit-alleges/.
Use VPN Access to Your Work Network. A virtual private network (VPN) is one way to secure data between your home computer and your work network. A VPN allows remote workers to connect directly into the office network and primary IT systems. VPNs offer an additional layer of security by encrypting the data being transferred between systems and concealing the user’s IP address and location.
Most larger organizations already have a VPN service in place and should check they have sufficient seats to provide this protection across their employee base. If your organization already uses a VPN, apply multi-factor authentication for all remote access to further enhance security.
Encourage the Use of Cloud Services. As Cloud-based services have improved their capabilities over the years, they now offer another way to improve security for remote users and to better protect confidential information by ensuring it is stored securely in the Cloud, not locally. It is important to investigate these services and make sure that the service being considered is secure and appropriate for your needs and legal requirements, but Cloud-based platforms like Office 365 are widely used today.
Physical Security is Fundamental. Since your family, roommate or young children should not be able to see or overhear your work communications or sensitive information, you need a separate and private workspace in your home when working remotely. Be sure to maintain privacy when you are on the phone and lock your computer or device when you step away, even if only for a short period. If you need to leave your home, be sure to lock up and make sure that your work devices, including your smart phone, are either shut down or locked. Remember, thieves love technology.
Another reason to maintain a private workspace is that many of us are learning that Alexa is always listening. While it makes for a funny joke, many of us use voice-activated technology in our homes that will pick up conversations occurring nearby. If you are having confidential phone conversations or conferences within earshot of such a device, ask yourself this question: How does Alexa know when I’m talking to her? The answer is that much of this technology is always listening for prompts so that it knows when to respond or engage with you. While it is product-specific and sometimes unclear exactly what is recorded and done with the information voice-activated technology overhears, the point is that you should not be sharing sensitive data with people or things that can overhear (or record) it.
Working from home also means you will need a place where you can safely keep your work materials and store your devices at the end of your workday. Work devices and materials should be stored out of sight so they are not stolen or accidentally opened or misused. If you need to bring papers or physical materials with confidential information from office to home for some legitimate purpose, you must keep these materials out of sight and secure (in a locked space) when not in use. If you do not have lockable storage like a file cabinet at home, you should use a locked room.
If you have any questions or would like to schedule a consultation about data security practices, please contact Kurt E. Bratten, Shareholder, at (518) 694-5678 or via e-mail at firstname.lastname@example.org.