Over the last eight weeks, security vendors, thought leaders, and even mainstream media have been offering employees advice on how to stay secure and productive while working from home.
And, why wouldn’t they? The transition from office-to-home has been both sudden and challenging and the risks associated with data loss haven’t disappeared just because the perimeter has.
At Tessian, we’ve created (and have been consistently updating) our own remote-working content hub filled with actionable advice for security, IT, and compliance professionals as well as employees. While you can find the individual articles below, we thought we’d combine all of the tips we’ve shared over the last two months into one easy-to-read article.
As many organizations have had to adopt new tools and systems like VPNs and Cloud Storage on the fly, some employees may have had to resort to sending company data to their personal email accounts in order to continue doing their job.
We understand that doing so may have been viewed at the “only option”, but it’s important to note that this is not wise from a security perspective. While we’ve written about this in detail on our blog The Dark Side of Sending Work Emails “Home”, the short-and-sweet version is this: Personal email accounts are less secure and more likely to be compromised than work email accounts.
Why? Read point #5 to find out.
Zoom – like so many other remote-working tools – is enabling workforces around the world to continue collaborating despite being out-of-office. But, as we highlighted in our Ultimate Guide to Staying Secure While Working Remotely, there are precautions you must take in order to prevent attackers from infiltrating your calls.
While there are plenty of lists circulating with top tips around using Zoom, the most important piece of advice we can offer is to not share your Zoom Meeting ID (or link) with anyone you don’t work with directly or otherwise trust.
Importantly, this Meeting ID appears at the top of your conference window, which means if you share a screenshot of your call, anyone who sees the screenshot can access this meeting.
If you want to be proactive in locking down your Zoom calls, you should also ensure all of your meetings require a password to join.
Since the outbreak of COVID-19, we’ve seen a spike in phishing attacks. Why? Because hackers tend to take advantage of emergencies, times of general uncertainty, and key calendar moments. IT and security teams and even organizations like the FBI have been working hard to communicate these threats and how to avoid them.
But – importantly – these warnings are useless unless employees heed the advice.
Whether it’s an email outlining how to spot a phishing email or an announcement from your line manager about updating your iOS, employees should take warnings seriously and take action immediately.
While it may seem harmless, using your personal devices – whether it’s a laptop, desktop computer, mobile device, or tablet – for work-related activities creates big security risks. To start, your personal devices won’t be configured with the same security software as your work device.
Whether it’s the protection offered by a simple firewall or antivirus software, you and your data are more secure when working on company-sanctioned devices.
Phishing and other social engineering attacks are designed for one of three reasons: to extract sensitive information or credentials, to install malware onto a network, or to initiate a wire transfer. To avoid falling victim to one of these scams and potentially actioning a request that isn’t legitimate, make sure you double-check that the person making the request is who they say they are.
For example, if your CEO asks you to change an account number on an invoice, contact him or her directly – via phone call, text, Slack or a separate email – before doing so. Likewise, if someone in HR asks you to share any credentialsor other personal information, get in touch with them via phone or a separate email thread before responding.
Many organizations have strict password policies, including the enforcement of multi-factor authentication. It makes sense. If a bad actor gained access to your applications – whether it’s your email account or collaboration tools – they’ll have free rein over your most sensitive systems and data.
If your organization doesn’t have any policies in place, our advice is to use 6-digit PINs or complex swipe codes on mobile devices and strong passwords that utilize numbers, letters, and characters for laptops and other log-ins.
If you’re having trouble managing your passwords, discuss the use of a password manager with your IT department.
Communication – especially during periods of transition and disruption- is key.
If you’re unsure about any security policies or procedures, how to use your personal device securely, or if you believe your device or network has been compromised in any way, don’t be afraid to communicate with your IT and security teams. That’s what they’re there for. Moreover, the more information they have and the sooner they have it, the better equipped they are to keep you and your devices protected.
Given the digital transformation, most of us rely on internet access to do our jobs. Unfortunately, we can’t connect to just any network.
The open nature of public Wi-Fi means your laptop or other device could be accessible to opportunistic hackers. Likewise, if a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network.
With that said, you should only use networks you’re absolutely confident are secure.
IT and security teams have processes in place that help them identify which applications are and aren’t in compliance with their data and privacy protection criteria. That means that if they haven’t approved the use of a certain tool, it probably isn’t safe in their opinion.
Even if a certain tool makes your job easier to do, you shouldn’t download – or even use – tools or software without express permission to use them. Whether it’s a design, writing, or project management tool, you must communicate with your in-house teams before clicking “download”.
Your devices are gateways to sensitive information. While we’ve already covered the importance of password-protecting these devices, preventing them from being stolen is vital, too.
Avoid leaving laptops, tablets, mobile devices, and documents containing sensitive company or client information in plain sight, such as near windows at home or on a passenger seat if traveling by car. This will help prevent opportunistic theft.
Any organization that has a remote-working policy in place should also provide employees with privacy screens for their laptops, and encourage employees to always work in positions that minimize line-of-sight views of their screens by others. This has the added benefit of showing clients or other professional contacts that the business takes security seriously.
When planning a spear phishing attack – a type of phishing attack that is targeted at a specific individual or small set of individuals – an attacker will try to gather as much open-source intelligence about their target as they can in order to make the email as believable as possible.
Don’t make it easier for them by sharing personal information on OOO messages or on social media like LinkedIn. This includes phone numbers, alternative email addresses, travel plans, details about company structure and reporting lines, and other data points.
When working from home or otherwise outside of the office, you have much more autonomy. But that doesn’t mean you should disregard the processes and policies your organization has in place. And, part of following processes and policies is understanding them in the first place.
IT and security teams are there to help you. If anything is unclear, send them an email, pick up the phone, or file a request.
While we’ve offered plenty of advice that’s specific to remote-working, following general security best practices will help prevent security incidents, too.
Most employees receive annual security training or, at the very least, had some security training during their onboarding process. If you didn’t, below are some of the basics.
Don’t reuse passwords. Don’t share your passwords with anyone. Stay up-to-date on compliance standards and regulations specific to your industry. Report incidents of theft. Don’t share sensitive company information with people outside of your organization.
If any of the above are unclear, refer back to point #7. Ask your IT, security, or HR teams. Communication is key!
While most organizations and individuals have started to adjust to “the new normal”, it’s important to remember that, eventually, some of us will move back to our office environments. The above tips are relevant wherever you’re working, whether that’s at home, from a cafe, on public transport, or at your desk in the office.