In these unprecedented times of social distancing, more and more employees are working from home if they can. For those switching to a home office environment, it is important to keep privacy and security in mind. Hackers are taking advantage of the collective distraction of the COVID-19 virus situation and everything that comes with it—children home from school, pets demanding attention, a sudden new schedule, concern for loved ones near and far.
Working from home comes with added cyber risks, so make sure to keep these tips in mind.
1. Protect your home network.
Likely you are using your home WiFi with the password that’s printed on the router itself. At least it is password protected, but you should consider switching the given password to something unique and strong. This makes your router less vulnerable to being compromised and taken over. While you are at it, make sure your network is at the WPA2 level.
Allow only people that you trust to connect their devices to your home network. Make sure all devices that you do allow on your home network are secured. Everything from home printers to Xboxes and PlayStations, televisions, and streaming media devices has both wired and wireless capabilities. Not only can these devices connect wirelessly, but they also often offer web interfaces for management.
For example, most printers offer web management, the majority of which have a default password. If an attacker or even your neighbor can see that wireless signal, then they can grab copies of everything you print, or use your printer’s management interface to bridge to your home WiFi network, even if you have WPA2 turned on for devices to connect. Disable remote management from the Internet on all your devices, and especially your modem and router.
2. Keep your work devices with you.
Working from home leads to a flexible work schedule. Since the line between time on and off the clock is blurred, it can be easy to put your laptop in your car while running errands or leaving your work cellphone unattended. If one of your work devices gets stolen, this could easily lead to a data breach.
“Physical access to devices that have access to corporate information could cause irreparable damage to a modern corporation,” says a senior Peraton cybersecurity expert. “Everything from loss of customer confidence, to federal fines and class action lawsuits are just some of the actions that can be taken against a corporation just because an employee left a device unattended for a short period of time that allowed a malicious person to gain access to it.”
Work in a safe and secure space by locking your devices and keeping all work materials out of sight. Do not share your work computer with anyone else.
3. Check over your emails before you send them and before you click on anything sent to you.
For many, times of crisis mean an added workload. This can make employees distracted, tired, and careless. Emails containing sensitive or classified information need to be encrypted before sending, as always. Also, even though you are not going into the office, the settings and protections on work and personal devices are not the same—you should never send your work documents to your personal computer even if they are physically next to each other.
Additionally, look at the email address of the sender before opening any attachments or clicking links, particularly if the email is related to helping you with COVID-19 related stress. Hover your mouse over the links too. Are they really what they say they are and from a reputable site? Hackers are using spear phishing tactics to capitalize on an obvious behavioral trait everyone has right now: the desire to stay safe and be well.
“Cyber actors are sending emails with malicious attachments or links to fraudulent websites related to COVID-19 to trick victims into revealing sensitive information, downloading malicious software, or donating to fraudulent charities or causes,” says Peraton’s Chief Information Security Officer (CISO). “Rely only on trusted sources for up-to-date, fact-based information about COVID-19 and do your research before acting on any requests.”
4. Take care with your conference calls.
Many video conferencing platforms do not have strong controls over who can join, which means that sensitive information discussed in your meeting could be overheard by others who you did not intend to share with. You can protect your meeting by locking it once all participants have joined, so that no one else can enter even if they have the meeting ID. You can also create a password that everyone must use to join and establish a “waiting room” so your next participant does not crash your current meeting if you have back-to-back calls. With these methods, you can control who enters your meeting and when. In any event, always make sure you check the participants list before you begin the meeting.
Turn off any listening device you have in your home before logging onto a conference call to prevent your conversations from being picked up and uploaded to any artificial intelligence (AI) system. Amazon’s Alexa and Google Home, for example, are designed to listen and transcribe all conversation so that the devices can be most useful to you when you speak to them. Along with algorithms, Amazon employs analysts to review the phrases that the AI engine does not understand, potentially exposing your conference calls to hundreds of people.
If you are having conversations about intellectual property, sensitive corporate information, or customers, then that information could be recorded and housed elsewhere outside of your company’s control.
5. Use Multi-Factor Authentication (MFA) instead of just passwords.
For anything involving passwords, use a Multi-Factor Authentication system. That way, even if your password is exposed in a data breach or guessed by someone, you can still approve or deny access requests through your phone or email to mitigate further damage. It is an easy proactive approach to keeping yourself safe and in control of your data. Ensure you do not use the same password for multiple logins and do not use your corporate username for personal web sites.
“In today’s threat landscape, passwords alone are no longer considered secure,” says the Peraton Chief Information Security Officer (CISO). “Multi-Factor Authentication should absolutely be required for logging into your corporate and personal accounts that have sensitive information, such as your banking and credit card accounts.” Be sure, however, to immediately report and deactivate the smartphone used for MFA if it is lost or stolen.
The greatest risk in working from home is a data breach from not keeping your company information and computer secure, which will be harmful to your company and its customers. Data breaches can also be harmful to you, since sensitive details such as passwords, contact information, your salary, social security number, and other related data could put you at risk. Stay safe while staying home.