- The recent COVID-19 pandemic has forced many to work from home, raising cybersecurity concerns.
- Remote workers are especially vulnerable to data security risks.
- There are many ways to prevent cyberattacks, from using multifactor authentication to encrypting your data.
The ability to work from home is a prized employee perk that offers workers the chance to free themselves from the daily commute and complete their tasks. It's an especially effective and convenient arrangement during the COVID-19 pandemic. Employees can help prevent the spread of the virus simply by staying home, without compromising or sacrificing their performance.
Along with the freedom and flexibility of working from home comes the risk of cybersecurity issues that occur outside of a protected corporate network. Even if your company provides virtual private network (VPN) access, your computer (and the data it stores) could be compromised if someone hacks into your home Wi-Fi network.
"Making sure that sensitive documents and files remain confidential is definitely an issue remote employees need to tackle right from the outset," said Brian Stark, general manager of North America at smanos, a smart home and DIY security systems company. "Of course, ensuring that there is a secure connection to the server is extremely important, but this is ultimately placed in the hands of the homeowner."
Andrew Hay, chief information security officer at LARES, warned that other connected devices in your home may have far fewer security controls than your work laptop, which may give cybercriminals easy access to your device.
"Home-based workers must be diligent about what types of systems are on their home network that might also provide additional attack vectors," Hay said. "I once spoke with an NCIS agent who conducted an investigation where a naval officer's laptop was compromised by way of infiltrating his daughter's laptop."
Security risks of remote work
For remote employees especially, there are many security risks – three in particular – that pose a threat.
Many scammers send phishing emails with the intent to steal sensitive information from the recipient or the company. Especially in complicated times – like the novel coronavirus pandemic – phishers are hoping to take advantage of trusting victims. They'll often pretend they're someone within the company, like the CEO or a manager, to establish false trust. Remote workers are easy targets because they're not in the office and, therefore, hackers are hoping they won't check to see if the email is legitimate.
During this time, many remote employees are using their private home network, which can increase the risk of leaked data. Third parties might be able to intercept and access sensitive emails, passwords and messages. There is also the risk that others who live in the employee's home (who use the same internet connection) may see valuable company data.
Many remote workers admit to using their personal devices rather than their designated work tech. According to Cisco, 46% of employees report transferring files between their work and personal computers. If employees obtain sensitive data and store it on their personal devices, that puts many companies at risk – especially if said employee leaves the company.
Another source of vulnerability is that if you, as a remote employee, are using your personal computer and are not downloading the latest updates, you could be more vulnerable to cyberattacks.
Best practices for remote workers
What steps can employees take to protect themselves – and their employers – when working from home? Our expert sources recommend taking the following steps.
Implement multifactor authentication.
Does your company-issued laptop require multifactor authentication? Multifactor authentication grants access to the device and all software after the employee provides more than one form of identification.
Anyone can memorize a password or steal a physical device and unlock a computer. Multifactor authentication can prevent hackers from physically accessing your company device. If your company laptop doesn't currently have multifactor authentication enabled, ask your employer about implementing it.
Use strong passwords.
Physical devices aren't your only concern. If a hacker tries to access any sensitive accounts, you want to make it as difficult as possible for them to log in. Using a password manager is a great precaution, as it ensures you are only using strong passwords, like those with special characters, numbers, upper and lowercase letters, etc.
Encrypt your messages.
Data encryption helps protect sensitive information by translating it into a code that only people within your company can access through a secret key or password. Even if scammers intercept your data, they won't be able to interpret it properly. This goes for any messages or information you send, receive or store on your devices.
Invest in antivirus software.
Your employer may provide a recommended application for a company-issued device, but if you use your personal laptop for work, you need to keep your system protected.
"Since many internet providers [offer] free antivirus software, we recommend that our employees use them on their personal laptops," said Venu Gooty, founder of MyBusinessGenie, a provider of small business software solutions.
Don't allow family members to use your work devices.
Gavin Silver, director of operations at Blue Fountain Media, reminded remote workers that the computer they do their work on is for employee use only – it's not the family computer.
"Treat your work-issued laptop, mobile device and sensitive data as if you were sitting in a physical office location," Hay added. "This will help you continuously associate your actions with a security-first and data-aware mentality in mind. For example, in a physical office location … your child [couldn't] use your work-issued mobile device for games or movies. If you think of your laptop and mobile devices as work-only assets, it makes it far easier to control access to sensitive data and remain data-aware."
Keep your physical workspace secure.
While virtual security is important, it's equally important to make sure that your home office is physically secure, said Stark.
"Home offices often contain expensive equipment or even physical files or documents that contain sensitive information, so it's imperative to explore security options," Stark told Business News Daily. "While it's not possible for all home offices to have a scan-to-enter system or a security guard, it's important to add whatever elements of traditional physical security you can."
Depending on your needs, you can look into a DIY home security system or read our recommendations for business video surveillance systems.
Follow company policies to the letter.
Your company likely has clear policies for accessing the company network outside the office. Those guidelines and rules should always be followed, but it's especially important when you're working remotely, said Silver.
"Report any suspicious behavior to IT immediately and follow basic 'computer hygiene' standards such as up-to-date operating systems, antivirus/malware and regular scanning," Silver added.
Use a centralized, company-approved storage solution.
Adhering to company policies also includes using only the designated programs that your employer wants you to use, even if you prefer a different program.
"This is so the IT administrator doesn't have various security configurations that may or may not comply with the company's security requirements," Stark said. "[It] establishes a set standard, which is much easier for the IT officer to support remotely in the field."
This becomes especially important when you're saving and backing up files. You should store all your work data in a secure location that's both approved by and accessible to your company, like a cloud-based storage option.
"Ensuring that sensitive data is stored and protected centrally is always a good course of action," Hay said. "This allows central management and control of all aspects of the data, such as ownership, access, availability, security, etc., with a reduced chance of duplicate copies residing in places beyond the reach of the organization, such as on a personal laptop, mobile device or cloud environment."
Gooty said his company was able to accomplish this after switching to an Office 365 subscription.
"Not only does OneDrive for Business allow us to collaborate better with one another, but it also securely saves the files in the cloud. All employees can access files on different types of devices," he said.
Best practices for employers
For small business owners, regardless of whether your company employs part- or full-time remote employees, Silver advised taking the following precautions to limit security risks while employees work from home.
- Require that employees use a non-stored password to connect to the network, especially for VPN access.
- Enforce reasonable session timeouts for sensitive programs or apps. A user should not have to reconnect after walking to the kitchen to pour a cup of coffee, but at the same time, you cannot trust that every employee will always log out when they are done for the day.
- Limit program/file access to only those areas that are absolutely needed by that employee.
- Reserve the right to terminate employee access at any moment.
- Provide services for remote file storage and other tasks; don't rely on individuals to use their personal programs and accounts to store your company's data.
"Users will always take the easiest method when it comes to technology, and you can't always enforce what software people use when they are remote, so it is better to give them the best software in the first place," said Silver.
Above all, Hay reminded employers to outline policies, procedures and guidelines for workers who use company resources outside the office.
"This includes, but is not limited to, access to corporate data, acceptable use of websites, approved applications, etc.," he said. "The best thing an employee can do is ensure that they adhere to the guidance."
Additional reporting by Nicole Fallon. Source interviews were conducted for a previous version of this article.