Security checklist for working at home

With the coronavirus forcing so many to work at home, the usual security posture of a business will be impossible to maintain. Your employer may have provided you with sufficient resources and guidance for working at home securely, but that’s not true of most workers—and times are unusual.

Follow company IT and cyber policies even when at home. For instance, if you are using a personal computer, you should store only company data on company network storage, not on a home computer. If you are using a company-issued device, the rule is to follow company policy on data storage. If there is a guideline you have trouble following, make sure to inform IT or the relevant security staff, as is appropriate for your company.

Much of what follows is evergreen advice; you should always follow it. The work-at-home pandemic crisis is a reason to increase attentiveness.

Since the number of possible configurations of computers, homes, and families is so high, guidelines cannot be precise. But, in addition to your company rules, keep this checklist in mind.

1. There are already multiple reports of phishing and scam attempts based on COVID-19 interest:

  • A spam text message was identified by security company Crowdstrike urging users in the U.K. to tap a link in order to receive a government payment. The actual text is “URGENT: The UKGOV has issued a payment of £258 to all residents as part of its promise to battle COVID 19. TAP here ******* to apply.” [We have removed the address for safety.] Crowdstrike believes it is an opportunistic variation on an old tax refund scam.
  • Messages impersonating the U.S. Centers for Disease Control (CDC) and World Health Organization (WHO) are out there. The fake CDC message delivers malware related to the HawkEye family. The fake WHO message is a phishing campaign looking for email login credentials.
  • A phishing message in Japan claiming to be from “a disability welfare service provider” in that country offers updates and health information in a Microsoft Word attachment that installs the Emotet Trojan malware.

If you receive suspicious messages to your company account, report them immediately to IT or security staff, as others may be receiving them as well and quick action may be necessary. Note also that the Federal Trade Commission is reporting online scam cures being sold (here and here).

2. It’s a rare, high-end attack, but also be on the lookout for phone calls that appear to be from someone you know but are actually fakes. Caller ID is easy to spoof, and The Wall Street Journal reported in 2019 on a case of an attacker who used AI to simulate a person’s voice to defraud a company of $243,000. Now, these calls can come to your home number, too.

3. Make sure that your home Wi-Fi has a long and unobvious password (eight-plus characters with mixed cases, numerals, and symbols are best). It’s not uncommon for cybercriminals to troll Wi-Fi networks, looking for personal information to sell. A bad example of a password that follows the guidelines is “123 Elm St.” You can do better (unless that’s not actually your address). Modern Wi-Fi routers from broadband ISPs typically come with a unique and complicated password preconfigured and written on the router itself.

4. It’s always time to reevaluate the security of your accounts and passwords, but now, especially so. Take your company’s security guidelines with complete seriousness, and then take a good hard look at your home network, computers, and accounts, particularly the ones that, if compromised, could compromise your work. Consider your ISP account, which may enable remote management features.

5. The only proper way to maintain strong, unique passwords on all your accounts is to use a password manager. There are many good ones on the market, and Google offers a simple one associated with your Google account that works with Chrome and Android. The password manager will synchronize the login information for your accounts across all your devices. In this regard, you need to aware of company policy, which may forbid you to install such software on a company-owned device or require that you use only a company-issued one. Check to see if company policy allows you to use this or other software on home devices.

6. If an important account offers the ability to use two-factor authentication, use it. This will prevent almost all account hijacking attacks used in the real world.

7. It may be a lot to ask when your kids want to use the computer for school, but try to separate the computer you use for work from one used as a home computer. It is standard for companies to forbid persons other than the employee from using a company device, so check company policy carefully.

8. If you are connected to a company virtual private network or working with company data on a device, not on the VPN, do not surf the web randomly. This is both for security reasons and so as not to put any more traffic through the VPN than is necessary. Of course, you should always be careful about what you click on, but when company assets are involved, you must follow company rules.

9. Make sure you have an anti-malware package installed on your devices and that it is up to date.

10. Make sure that your operating system and applications are at their current versions. Most of these are set now, by default, to update themselves automatically, but it’s best to be sure.

11. Your company should be especially diligent about backing up data files, and maybe it’s time to consider backing up your personal files. Follow a backup best practice by using a cloud service for backing up and use a user ID and password you don’t use anywhere else. Your company may already provide you such storage, but if it doesn’t, you can get it on your own for free. If you don’t already use it, Google Drive, which gives you 15 GB of free storage, is a good candidate. Set the account to use two-factor authentication. Making the backup automatic and still secure is tricky, but doing it manually is not.

Leave a Reply

%d bloggers like this: