Many employers are asking people to work from home in response to the COVID-19 coronavirus and the government’s advice. The current guidance recommends remote working wherever possible and to partake in social distancing as part of the delay phase strategy. Other people are self-isolating because they have symptoms or wish to work from home by choice, to play their role in slowing the spread of the coronavirus.
Technology makes it reasonably simple for employers to set up employees to work from home. However, this means that online security threats need extra considerations. Remote working poses a dual risk that could result in a company security breach or a breach of the worker’s privacy.
If you are an employer, you must protect your company and your workers. To help companies, the National Cyber Security Centre has published guidance on preparing for home and remote working. We cover all of this advice here.
Online threats of working from home
When employees work from home, there are three main areas of threat and vulnerability:
- Personal devices and personal networks that home workers use to carry out tasks increase the risk of malware and a leak of private company information. An employee’s device may not have the inbuilt security of business networks, such as customised firewalls, antivirus software, and online backup.
- Unsecure Wi-Fi use poses a risk, although most employees can use their home Wi-Fi. If you are an employer, you should help ensure the network employees use is secured. However, some employees use unsecured public Wi-Fi, which is notoriously more susceptible to spying activities and information theft.
- Scammers are targetting the opportunity presented by the flood of remote working personnel in several different ways, which we also cover below.
Remote working cybersecurity tips
Employers should provide security guidance and work from home protocols for their workforce. The following steps are an excellent place to start:
Use strong passwords and review your passwords to make sure the same password is not used more than once. A strong password should include upper and lower case letters, numbers, and special characters. Not using a password more than once is essential because if one password and username are compromised, cybercriminals partake in credential surfing. Credential surfing is a tactic where criminals attempt to access other accounts using the compromised username and password. You can tackle this problem by using a password manager, which makes it simple to create unique and robust passwords, and best of all, you do not need to remember them yourself.
Secure your router and change the router password. Using the default password when you acquired your router is extremely risky. You should also check for firmware updates, ensure encryption is set to WPA2 or WPA3, use the highest level of encryption, turn off WPS, and restrict outbound and inbound traffic.
Install software updates, which are security patches that resolve vulnerabilities discovered since the last update or from the creation of the software. You should encourage your workers to check that all updates are set to automatic so that they do not need to worry about checking for updates in the future.
Set up two-factor authentication (2FA) and two-step verification (2SV), which adds an extra step to security. Many second step security choices include biometrics (fingerprint or facial recognition), text message and email confirmations, or even a USB fob.
Back up data because this can be lost in a number of different ways, operator mistakes can result in a loss of data as can hardware damage. Cyberattacks can purposefully wipe data or hold it to ransom (ransomware) with malware, in an attempt to extort the company. You can back up data with a cloud backup service or go retro and use hardware, such as an external drive.
Use antivirus software to detect and remove malware and other viruses. Good antivirus software includes those made by McAfee and Norton. If you are an employer, you should encourage remote workers to run their antivirus scan more often or change the schedule settings to do this automatically.
Use a virtual private network (VPN) to encrypt your internet traffic. Companies can use a multi-worker VPN provider to support their workers, and this makes good financial sense as well.
Lock your devices because work information should not be shared with other family members and should be protected against access from others, especially if you work in a public space.
Be cautious of remote desktop tools (RDPs) because many have security problems. So, be sure to research remote desktop tools before choosing one.
Set up your firewall because this creates a barrier between your device and the internet. A firewall helps stop data leaks and prevent malicious software from getting in. Firewalls are usually built-in as part of the device’s operating system, but you should ensure that they are active.
Avoid phishing emails where cybercriminals try to obtain your information with emails, as well as through other mediums such as text messages or voicemail. You can watch out for a variety of things that helps you spot a phishing email. Look to see if the sender’s email address is correctly spelt, check if the email contains grammatical errors, and avoid clicking on links unless you 100% trust them. If you do open a link from an email, look in the URL bar for the padlock symbol (HTTPS), which indicates that the website is safe and up to date.
Use encrypted communication to protect information. If an encrypted communication app has not provided by your company, you should choose a messaging service with end-to-end encryption.
Employers and businesses should also ensure that employees know how to report a problem and make them aware that they will not be in trouble if a problem occurs. If your employees are too scared to report a problem, your company cannot protect itself and take remedial action. You should also consider creating how-to guides on security tasks or work with a cybersecurity company to create these and aid your employees.