With the world’s largest remote-working experiment in full swing, hapless workers need to gauge if they are endangering their organization.
With the current impetus to work from home to reduce the risk of COVID-19 infection, employers and staff alike have suddenly found themselves going from a zero percent remote workforce to 100% in a matter of days. While this can be quite daunting, wait until they find out that remote-working can pose an even more daunting risk to data security if staff have not been well-trained and practiced.
Here are 13 lucky checkpoints for evaluating whether current remote-working arrangements are sound:
Use a good password manager. Do not share logins and passwords unless you absolutely have to. If you have to, then it is time to invest in a password manager for your team or company. Good password management tools make sharing large amounts of secure data easy, and help secure your teams even more.
- MFA vs 2FA
Use Multi-Factor Authentication (MFA). Authentication is the process by which a computer validates the identity of a user (for example, by checking a username and password). Two-factor authentication (2FA) commonly combines a password with a phone-based authentication factor. However, there are shortcomings with 2FA, as hackers can bypass wireless carriers, intercept or redirect SMS codes, and easily compromise credentials.
Multi-factor authentication is more secure as it adds an additional layer of protection. Instead of just asking for a username and password, MFA requires additional credentials, such as a code from the user’s smartphone, the answer to a security question, a fingerprint, or facial recognition.
- Work from home and stick to it!
Stay at home. If you can, work from home, not from a coffee joint or shopping mall with free public WiFi, to reduce the chances of (corporate) espionage. It is preferable to leave the laptop at home (locked), go out for a break, and then return. If you really need to go to the coffee shop, then use a virtual private network (VPN) on any untrusted network or location. VPNs are not the be-all and end-all of security, though.
- Use the corporate VPN as needed
Disconnect from the company’s VPN when you do not need it. Leaving your connections open can increase the likelihood that, if you are breached, the infiltration extends past your machine and into your corporate network. Also, at a time when many more people are connecting via these services, it will give your infrastructure team a little more room to breathe.
- Secure your home router
It is essential to ensure your home wi-fi router has a strong password and its firmware is up to date. Search the name of your router, and the words “breach” or “security issue” and see if yours is on the list. Most of these can be fixed by doing a simple software update. If your network equipment is no longer being updated by the manufacturer, chances of vulnerabilities increase over time. It is also important to use a strong administrator password. Make sure you have modified the default administrator password on your router and other network equipment. Ensure your wireless networks are using WPA2 security or higher. Separate guest devices onto a different segment of the wireless network, isolated from your personal devices, if you can.
- Observe social media discipline
Do not share your online meeting IDs or meeting URLs on social media. Online meetings are increasingly productive tools that allow people to work from anywhere, not just the office. But they come with a caveat: sharing the meeting ID or URL can allow people to drop in and listen to sensitive conversations, record your voice or video, and infiltrate your new virtual workplace. Some meeting tools allow you to limit meetings to only people in your organization or add a password, but not all do.
- Be vigilant of phishing and scam attempts
Be even more paranoid about phishing and other scams when working from home. If something looks suspicious, do not click or act on it. Email scams related to COVID-19 are already on the rise, and the US Department of Health and Human Services recently announced that it had fallen victim to a cyberattack that involved a COVID-19 misinformation campaign that quickly spread via text, email and social media. In general, never share personal or financial information via email if you were not expecting the request. If you get such a request, it is best to call or video conference the individual directly to confirm.
- Beware of cyber imposters
Expect criminals to try to take advantage of the increased distances in our workplaces. Many of the checks and balances around things like financial requests and last-minute invites to meetings or other services are normally done in person. Now that they might happen via email, be extra diligent about checking who is sending them.
Phishers are going to take advantage of the lack of processes in place. If you get a request via email or messaging services, always try to verify it outside of the chain in which the request was initiated. For example, if you get a request from your CEO to refund a customer to a new bank account, instead of replying to that thread to confirm, message them in a new email, or via a different medium (call, instant messaging, etc.) to verify the request.
For large transactions, always have another person on your team double-check the request and your work as well for safety. It is rare that an extra hour will make a difference in the case of a wire transfer, but the consequences of moving too quickly can be felt for a long time.
- Use your office device
Do not use your personal laptop or desktop. Do not fall prey to the habit of using your personal machine for work. It is inherently less secure than your work machine. Also, if you install extra tools for work to your home laptop, who knows what access you are giving to your company. It is safer to keep personal and work machines separate.
- Observe healthy cyber hygiene
Avoid installing new apps without permission from IT. Some apps may be harmless, but installing more apps on your device can be cause for concern. Employees working from home may create or start using new software tools and services that have not been as thoroughly tested and protected as the tools vetted for office use, posing great risk to the corporate network.
- Separate personal and work activities
Do not mix personal and work-related internet browsing. If you use Chrome, use a personal profile for personal browsing, and a work profile for work browsing. At home, it is a lot easier to slip into mixing work and personal browsing, which can lead to problems later on.
- Lock your laptop
When we are at work, oftentimes we get really good at locking our laptops when we walk away from them, but at home we leave them unlocked.
- Stay connected online.
Connect with your co-workers often, to help feel like you are still connected to each other. Security is often tied to visibility; staying connected helps keep you and them visible.