
8 steps to keep your organization safe while working from home

Cyber    Alex Yong, August 20 2020

Remote workforce brochure

As businesses send their employees to work from home, it’s imperative for security professionals to provide guidance so remote workers can do their part to help you keep your organization secure and protected from breaches.

Download the brochure

If you are just starting your journey as a remote worker, you need to take additional security measures while relying on remote access to the organization. These security measures will help you keep your company and its data safe from breaches. With these 8 tips, protecting your organization from breach while you work from home is easier than you think.

Before I share a few easy tips on what you can do to keep your organization safe, start by reaching out to your IT team with any questions you might have – including understanding which tools are company-approved and your workplace security policy. I’m sure they will appreciate your questions and your interest in keeping the company secure. They’ve often got a lot on their plate and you are the first line of defense!

If you are reading this blog and responsible for the security of your team—check out this blog post.

Okay, let’s get started:

Step 1: Check your network settings and equipment

When working from home, I recommend checking that your WiFi is configured correctly as a secure network (WPA2). The ICO guidance can help you determine what steps to take. Avoid open WiFi networks: if a network is open to you, it’s likely open to others who want to eavesdrop on your private communications.

If your company mandates it, it’s critical to be on your VPN. Tunneling your network traffic through your company’s VPN means that others on the network can’t intercept or eavesdrop on your connection to see credentials and other information you enter when browsing the web. This will help avoid Man-in-the-middle (MITM) attacks and other network-based threats. Remember to keep your VPN client software up to date at all times - check with your IT team for specific instructions.

When possible, it’s better to use company-managed devices – whether it’s a phone, tablet, laptop, or desktop. The reality is unmanaged devices are unprotected by the organization, and therefore more vulnerable to attack. You most likely don’t have an IT team monitoring, patching and backing up your personal devices, and you are using them for more than just work, so exposure to threats increases as a result.

Step 2: Communicating with your team

To ensure you don’t lose touch with your co-workers while adapting to new ways of productivity, flexibility, and security, it’s worth thinking about how you use e-mail, instant messaging, and video conferencing tools. There are many options, including Slack, Microsoft Teams, Google Hangouts, and Zoom. Use the approved tools made available to you by your company. Company-approved communication tools are partly chosen because of their level of security and integration with your existing systems. Avoid using tools that are outside your company’s control.

Try to avoid using USB sticks as the data tends not to be encrypted at rest like your device should be. To collaborate, cloud-storage services such as G-Suite, Office 365, Dropbox, or Box are a great asset. With a company-approved service, you can work together in real-time and easily share documents with your team whilst keeping your data encrypted at rest and in transit. Make sure you only share access with the correct people on a need-to-know basis.

Step 3: Never reuse passwords

Maintaining different passwords everywhere is close to impossible and can challenge one’s sanity. However, with the use of a password manager, such as LastPass, OneLogin, 1Password, or Apple’s Keychain Access, you can generate unique passwords each time you create a new account, and the password manager will remember it for you. These password managers have browser extensions and mobile apps, making them embedded in your chosen browser and applications so you have easy access. Google Chrome and Firefox Lockwise have this capability built right into the browser. All you have to remember is the one master password–the last password ever. Better yet, use a passphrase instead of a password. Many password managers are free and offer checking for compromised, weak, reused, and old passwords. By always using unique passwords, you only need to change your password in one place if your account is breached and you limit your exposure to credential stuffing attacks.

If your laptop or other device is ever stolen there is an additional benefit of having the password vault stored in the cloud. You will be able to access all your passwords from another device, and have a list of accounts that could have been compromised.

ADDITIONAL TIP: You can check if any of your accounts have been compromised at Have I Been Pwned. If there has been a breach, change the password as soon as possible. If you used the same login credentials for any other accounts, change the password for these too. You can also learn about the strengths of different passwords with How Secure Is My Password?, although we discourage ever typing a real password into anything but the resource it’s meant for.

Step 4: Enable multi-factor authentication everywhere

You can also limit the impact of a password compromise by using a second factor. Sometimes called two-factor authentication (2FA) or multi-factor authentication (MFA), it’s a mechanism by which you provide additional proof of who you are (something you have) that isn’t a password (something you know). If you have MFA enabled when a bad actor obtains your credentials, they are prevented from logging into your account without it. Many of your everyday services like Google’s G-Suite, Microsoft’s Office 365, Slack, LinkedIn, Twitter, Facebook, and Instagram all offer this as an option (see a full list of providers at Two Factor Auth List). Check out TeleSign to see how straightforward this is to enable on many popular sites–or contact your company’s IT security team.

There are different types of authenticators – both software and hardware – designed to help make securing your accounts easy. Most applications integrate with Universal 2nd Factor (U2F) Keys (hardware authentication devices like YubiKey), authenticator applications (software application tokens like Google or Microsoft Authenticator) or simply printing out authentication codes. While you might want the IT team to buy you U2F Keys, authenticator applications are free and simple to download to your mobile phone. Avoid using SMS or telephone authentication if possible as they are not considered as secure as other options (Krebs on Security). Remember to have more than one authentication method, in case you lose one and get locked out of your account.
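How an authenticator app and the service agree on a code, as an added example that is not from the original post. It implements TOTP (RFC 6238), the scheme apps such as Google Authenticator use; the post itself names no algorithm, and the function names, the demo secret and the one-step drift window are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
import time

def totp(secret: bytes, at: float, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code an authenticator app displays."""
    counter = int(at) // step                      # number of 30 s steps since the epoch
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, submitted: str, at: float, window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept codes from `window` steps either side of `at`
    to tolerate clock drift, comparing in constant time."""
    return any(
        hmac.compare_digest(totp(secret, at + i * step, step=step), submitted)
        for i in range(-window, window + 1)
    )

def login(password_ok: bool, secret: bytes, submitted: str, at: float) -> bool:
    """Both factors must pass: the password (something you know) and a code
    derived from the secret held on the phone (something you have)."""
    return password_ok and verify(secret, submitted, at)

if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test key); never use it for a real account.
    secret = b"12345678901234567890"
    now = time.time()
    print("code shown by the app:", totp(secret, now))
    print("correct password, wrong code:", login(True, secret, "not-it", now))
```

Because the code depends on a secret that never leaves the device and the server, a stolen password alone does not pass `login`.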

Step 5: Keep your software up to date

At the office, your IT team performs regular security updates. While working remotely this might fall to you. It is important you don’t miss out on security patches by keeping your software up to date. Often security isn’t about outrunning the lion, it’s about outrunning the other antelope and software patching can help with that. A good practice is to set your devices to update automatically or overnight to reduce the impact on your workflow. Software patching can be tedious but vendors are constantly finding and fixing security vulnerabilities in your software, so having the latest patches is crucial.

Additionally, it might be worth checking your systems’ current configuration and how secure it is when compared to the following system hardening guides.

Guides:

These provide advice along the lines of keeping your software up to date and using antivirus software, but also actionable scripts and controls to check and use to ensure your device configuration is more secure than the defaults (such as enabling full disk encryption).

Step 6: Install antivirus

With a sudden rush to enable remote workers, your company-issued device might not have antivirus software already installed. Antivirus significantly reduces your chances of being a victim of ransomware attacks, trojans and other malware. There exist many vendors providing great antivirus tools, including Windows Defender, ClamAV, Malwarebytes, and Eset, which are available for many platforms. There are also free options out there that you can use for your personal devices - but be aware that sometimes free isn’t really free. Ask your company’s IT team whether you have antivirus installed or what actions you need to take.

Step 7: Look closely at your e-mails before you click on anything

Double-check e-mail addresses (not just the contact name) and web links (hover over links) before clicking on anything in an e-mail. Hackers are experts in social engineering and will use whatever information they can to fool you via phishing or vishing attempts. Spear phishers will even research you in advance to optimize their chances of you sending them the information they want, e.g. your bank password. Be extra wary of anything that mentions short deadlines–as less time combined with stress can lead to honest mistakes. If you receive an e-mail that you suspect is spam, report it as spam/phishing and delete it immediately.

Step 8: Back up data

While in an office, your IT administrator backs up your data. This might not be the case in a remote workforce setting, so check with IT what the situation is. If it falls to you (or you’re worried about your own devices), it’s important to back up your data periodically. This is good practice in case something happens to your device, or you accidentally delete something. Backups for documents can be automatic by using Google Drive or Dropbox desktop sync. For entire systems, there are cloud services like Backblaze, or you can use built-in backup solutions like Windows backup and restore or Apple Time Machine. Whatever you choose, ensure that some backups are read-only or versioned apart from your computer. This way, if you’re a victim of ransomware, the files cannot be encrypted and/or deleted.

This post was originally published in March 2020 and has been updated for comprehensiveness.

Security is everyone’s responsibility

As we see more workforces taking the brave step towards remote working, the cybersecurity concerns can seem daunting, more so for smaller companies without large IT teams. However, the goals are the same as always: keeping your organization and your own data safe so you can continue to do business. For every threat there is a tool, a process, or information that can help mitigate the risk so that you can go on doing what you care about. Hopefully this guide can help you take steps today to increase your personal and professional cybersecurity. Good luck, and stay safe out there.

Alex Yong, Technical Lead