A malware expert offers telecommuters security tips about their work computer, remote access and network connections, phishing emails, and more.
The spread of the coronavirus has forced more people to work from home to avoid close contact with others. Many companies are now requiring or permitting employees to do their jobs offsite. But working from home can be challenging. You have to learn how to separate your personal and professional lives, and you need to take the proper measures to protect your environment, your equipment, and yourself from security threats. In a recent blog post, Pieter Arntz, malware intelligence researcher for Malwarebytes Labs, offers a variety of recommendations for people who may not be accustomed to working from home.
Physical security
Securing your work computer and other equipment when you’re not using them is a good idea, especially if you live with other people. You want to ensure that no one can access or tamper with these devices, particularly if they belong to your company. In this regard, Arntz offers three tips:
- If you need to leave your home for supplies or other reasons, make sure your work devices are either shut down or locked—including any mobile phones you might use to check email or make work phone calls.
- If you live with a roommate or young children, be sure to lock your computer even when you step away for just a bit. Don’t tempt your roommates or family members by leaving your work open. This is true even for the workplace, so it is imperative for working from home.
- If you can’t carve out a separate work space in your home, be sure to collect your devices at the end of your workday and store them someplace out of sight. This will not only keep them from being accidentally opened or stolen, but will also help separate your work life from your home life.
Separate your work and personal devices
As you work from home, balancing your personal and professional tasks can be tricky. Maybe you have one set of devices for home and another set for work, or perhaps you have only one set of devices for both situations. Either way, you want to maintain a separation between home life and work life. Here are a few tips from Arntz on how to do that.
- Don’t pay your home bills on the same computer you compile work spreadsheets. You can not only create confusion for yourself, but also end up compromising your personal information when a cybercriminal was looking to breach your company.
- Don’t send work-related emails from your private email address and vice versa. Not only does it look unprofessional, but you are weaving a web that might be hard to untangle once the normal office routine resumes.
- Speaking of homeschooling, it’s especially important to keep your child’s digital curriculum separate from your work device. Both are huge targets for threat actors. Imagine their delight when they find they can not only plunder an organization’s network through an unsecured remote worker, but they can also collect highly valuable PII on young students, which garners a big pay day on the dark web.
Secure system access
As always, you need to protect the files and information that you access, both on your computer and across your organization’s network. With the increase in remote workers, hackers and thieves are looking for ways to compromise or steal confidential data. Arntz suggests several ways to safeguard your information from threats, both physically and remotely.
- Access to the your computer’s desktop should at least be password protected, and the password should be a strong one. If the system is stolen, this will keep the thief from easily accessing company information.
- If office network permissions previously gave you unfettered access to work software, now you may be required to enter a variety of passwords to gain access. If your workplace doesn’t already offer a single sign-on service, consider using a password manager. It will be much more secure than a written list of passwords left on your desk.
- Encryption also helps protect information on stolen or compromised computers. Check whether data encryption is active on your work machine. If you’re not sure, ask your IT department whether you have it, and if they think it’s necessary.
- If you’re connecting your work computer to your home network, make sure you don’t make it visible to other computers in the network. If you have to add it to the HomeGroup, then make sure the option to share files is off.
Secure connections
As you connect to your organization’s network from home, you need to ensure that the connection is as secure as possible. That applies to your both remote access and your home network. Here’s some advice from Arntz in this regard.
- Make sure you have access to your organization’s cloud infrastructure and can tunnel in through a VPN with encryption.
- Secure your home Wi-Fi with a strong password, in case VPN isn’t an option or if it fails for some reason.
- Access to the settings on your home router should be password protected as well. Be sure to change the default password it came with.
Cybersecurity best practices
Cybercriminals are exploiting the repercussions of COVID-19 by deploying coronavirus-themed phishing emails and by targeting remote workers. As you work from home by yourself, you need to be extra vigilant about malicious emails and malware trying to take advantage of the current situation. Arntz offers the following three pieces of advice:
- Be wary of phishing emails. There will be many going around trying to capitalize on fear related to the coronavirus, questions about isolation and its psychological impacts, or even pretending to offer advice or health information. Scan those emails with a sharp eye and do not open attachments unless they’re from a known, trusted source.
- Related to phishing: I’m pretty sure we can expect to see a rise in Business Email Compromise (BEC) fraud. Your organization may be sending you many emails and missives about new workflows, processes, or reassurances to employees. Watch out for those disguising themselves as high-ranking employees and pay close attention to the actual email addresses of senders.
- Beware of overexposure on social media, and try to maintain typical behavior and routine: Do you normally check social media on your phone during lunchtime? Do the same now. Once again, watch out for scams and misinformation, as criminals love using this medium to ensnare their victims.
Other security precautions
Confusion will naturally arise with you working from home. Hopefully, your organization has outlined the different roles and responsibilities among you, coworkers, managers, and IT department. But if there is any doubt in your mind, you’ll want to ask the right people the right questions as Arntz has suggested:
- When you are working remote for long periods, make sure you know who is responsible for updates. Are you supposed to keep everything up to date or can your IT department do it for you?
- Your system may require additional security software now that it has left the safer environment of your organization’s network. Check with your IT department on whether you should install addition solutions: Will you need a security program for your Window PC or for your Mac (which was hit with twice as many threats as Windows computers in 2019)? If you’re using an Android device for work, should you download security software that can protect your phone? (iOS doesn’t allow outside antivirus vendors.)
- How will data storage and backup work? Can you save and back up your local files to a corporate cloud solution? Find out which one they prefer you to use in your specific role.
Finally, you’ll want to set up a suitable environment for working from home to make the transition smoother and easier.
« When working from home, find a comfortable working area where you can assume a healthy posture, minimize the distraction from others, and where your presence has the least impact on how others have to behave, » Arntz said. « Take breaks to stretch your legs, and give your eyes a rest. And if you enjoy WFH, now is the time to prove to your employer that it’s a viable option in the long run. »