SINGAPORE — As the coronavirus pandemic continues to sweep across the globe, companies are sending their employees home – en masse – to work.
This unprecedented shift brings with it a whole new set of cybersecurity challenges. Most corporations have not had to support so many employees working remotely at the same time. Employees themselves may be unfamiliar with data security best practices when working from home. The last thing that any company needs right now is a data breach.
“When companies have to move from a traditional in-office work environment to an online distributed model, the risk increases, especially for companies that are not prepared to do so,” said Aaron Zander, head of IT at HackerOne, a hacker-powered security platform that helps organisations find and fix critical vulnerabilities before they can be exploited. “Without a doubt, in nine months from now, we’ll be hearing about all the breaches that have happened during COVID-19 because of negligent infrastructure or lack of basic security awareness among employees.”
Employers can do their part in ensuring that their employees are set up with the appropriate tools such as password managers and multi-factor authentication, said Zander, who is based in San Francisco. Employees can also help by practising basic cyber hygiene principles and being extra cautious with suspicious emails, texts and social media links.
Here are more cyber security tips from Zander for employees who are working from home.
Stay at home. If you can, work from home – not from a coffee shop – to reduce the chances of (corporate) espionage. It’s preferable to leave the laptop at home (locked) and go out for a break, and then return. If you really need to go to the coffee shop, then use a private VPN for any untrusted network or location, like encrypt.me. VPNs aren’t the end-all-be-all for security though.
Disconnect from the company’s VPN when not in use. Leaving your connections open can increase the likelihood that if you’re breached, that extends past your machine and into your corporate network. Also, at a time when many more people are connecting via these services, it will give your infrastructure team a little more room to breathe.
Secure your home router. It is essential to ensure your home wifi router has a strong password and is up to date. Search the name of your router, and the words “breach” or “security issue” and see if yours is on the list. Most of these can be fixed by doing a simple software update. It is also important to use a strong password. Make sure you've modified the default administrator password on your router and other network equipment. Ensure your wireless networks are using WPA2 security or higher. And, separate guest devices onto a separate wireless network isolated from your personal devices if you can.
Don’t share your online meeting IDs or meeting URLs on social media. Online meetings are increasingly productive tools that allow people to work from anywhere, not just the office. But they come with a caveat: Sharing the meeting ID or URL can allow people to drop in and listen to sensitive conversations, record your voice or video, and infiltrate your new virtual workplace. Some meeting tools allow you to limit meetings to only people in your organisation or add a password, but not all do.
Be even more paranoid of phishing and other scams. If something looks suspicious, don’t click or act on it. Email scams related to COVID-19 are already on the rise. The US Department of Health and Human Services this week said it suffered a cyber attack that involved a COVID-19 misinformation campaign that quickly spread via text, email and social media.
Never share personal or financial information via email if you weren’t expecting it. If you get such a request, it’s best to call or video conference the individual directly to confirm.
Don’t use your personal laptop or desktop. Don’t fall prey to the habit of using your personal machine for work. It’s inherently less secure than your work machine. Also, if you install extra tools for work to your home laptop, who knows what access you’re giving to your company. It’s safer to keep them separate.
Avoid installing new apps without permission from IT. Some apps may be harmless, but inviting more apps to your device can raise cause for concern. Employees working from home may create or use new software tools and services that won’t be as thoroughly tested and protected as the tools they normally use in-office, posing great risk to the corporate network.
Don’t mix personal and work-related Internet browsing. If you use Chrome, use a personal profile for personal browsing, and a work profile for work browsing. At home, it’s a lot easier to sink into mixing work and personal browsing.
Lock your laptop. When we’re at work, oftentimes, we get really good at locking our laptops when we walk away from them. However, when at home, we tend to leave them unlocked, and it’s a bad habit to get into. It may create a habit, and then it will be more likely that you won’t lock your machine when you’re out and about.
Stay connected online. Connect with your co-workers often to help feel like you’re still in-tune with each other. Security is often tied to visibility – staying connected helps keep you and them visible.