Settling in to a new normal.
Many more people are working from home (WFH) than ever before. Now that we know it can work for so many people, I expect it will remain popular even after the current crisis is over.
The bad guys know this, and they’re sharpening their focus to take advantage of folks working from home.
A recent episode of The CyberWire podcast listed five steps to improving your security when working from home. I want to visit those, elaborate on why they’re important in the WFH environment, and, in at least one case, disagree a little.
The steps will be familiar to most.
When working from home, it’s important that you:
- Keep all software up to date.
- Use two-factor authentication to secure all accounts for which it’s offered.
- Never reuse passwords.
- Stay alert for phishing attempts — the #1 way that companies are being compromised.
- Use a VPN. Your company may already provide you with one.
1. Stay up to date
If you’ve been putting off getting your system as up to date as possible, do it now. This applies not just to Windows (or whatever operating system you’re using), but to the applications you use as well — especially those you use at work.
Your workplace may have strict (even automated) policies that keep your equipment up to date — you never have to think about it. At home, it’s easy to let things slide.
If you brought company equipment home, it’s even more important, since those automated systems may or may not work when disconnected from your company’s network.
You don’t want to be the employee that allows malware (like, say, ransomware¹) onto company property when it could have been easily prevented by keeping things up to date.
2. Use two-factor authentication
For every account that offers it, including accounts you use while working from home, enable two-factor authentication.
Bad guys target the stressed and overbusy employees of high profile (or high value) companies working from home for the first time. While we’re all being told over and over to pay attention to our personal hygiene, it’s very easy to overlook password hygiene in times of chaos and stress.
Two-factor (or multi-factor) authentication is a strong layer of additional protection. Even if someone gets your password, they won’t be able to sign in because they won’t have the additional factor (typically your phone, but often as simple as an alternate email address) that proves you are who you say you are.
3. Don’t reuse passwords
Make certain that every account you have — especially work-related accounts — has a different password. Make it long and strong, and use a password vault to keep track of them all.
When those bad guys happen across a password — either by successfully hacking you, or because it’s been exposed in a data breach — they use what’s called “credential stuffing” to try that password, along with your email address, at a wide variety of other online services. If you used that same password at the other services, bingo, you’ve been hacked again.
If that happened to be an account related to your work — which of course hackers would love for it to be, so they could attempt to gain access to your company’s network or data — the repercussions could be significant.
I know many people pooh-pooh credential stuffing, but it does happen (the fact that it has its own term should be a clue), and it’s a common way hackers take advantage of those of us who get lazy.
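Credential stuffing has a recognizable shape from the defender’s side: one source trying many different usernames, each a few times, rather than one person fumbling their own password. The following is an added example (not from Ask Leo or any product) of that detection logic run over a few constructed authentication-log lines; the log format (`timestamp result user ip`), the window and the threshold are assumptions chosen for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real traffic. Format: "<ISO timestamp> <FAIL|SUCCESS> <user> <source ip>"
SAMPLE_LOG = """\
2020-04-01T09:00:01Z FAIL alice@example.com 203.0.113.7
2020-04-01T09:00:02Z FAIL bob@example.com 203.0.113.7
2020-04-01T09:00:03Z FAIL carol@example.com 203.0.113.7
2020-04-01T09:00:04Z FAIL dave@example.com 203.0.113.7
2020-04-01T09:00:05Z FAIL erin@example.com 203.0.113.7
2020-04-01T09:00:06Z SUCCESS frank@example.com 203.0.113.7
2020-04-01T09:10:00Z FAIL carol@example.com 198.51.100.20
2020-04-01T09:10:01Z FAIL carol@example.com 198.51.100.20
2020-04-01T09:10:02Z FAIL carol@example.com 198.51.100.20
2020-04-01T09:10:03Z FAIL carol@example.com 198.51.100.20
2020-04-01T09:10:10Z SUCCESS carol@example.com 198.51.100.20
"""


def parse(log_text: str):
    """Turn log lines into (timestamp, result, user, ip) tuples, sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user.lower(), ip))
    return sorted(events)


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_distinct_users=5):
    """Flag a source IP once it has failed against >= min_distinct_users distinct accounts
    inside a sliding window, and report any successful login from a flagged IP.

    Returns (flagged, suspicious_logins):
      flagged            ip -> time the threshold was first reached
      suspicious_logins  list of (timestamp, user, ip) successes after the IP was flagged
    """
    failures = defaultdict(list)   # ip -> [(timestamp, user)] within the window
    flagged = {}
    suspicious_logins = []
    for ts, result, user, ip in events:
        if result == "FAIL":
            recent = failures[ip]
            recent.append((ts, user))
            while recent and ts - recent[0][0] > window:   # expire old failures
                recent.pop(0)
            distinct_users = {u for _, u in recent}
            if len(distinct_users) >= min_distinct_users and ip not in flagged:
                flagged[ip] = ts
        elif result == "SUCCESS" and ip in flagged:
            # A success after a spray of failures is the stuffed credential that worked.
            suspicious_logins.append((ts, user, ip))
    return flagged, suspicious_logins


if __name__ == "__main__":
    flagged, hits = detect_credential_stuffing(parse(SAMPLE_LOG))
    for ip, when in flagged.items():
        print(f"stuffing suspected from {ip} at {when.isoformat()}")
    for ts, user, ip in hits:
        print(f"review login of {user} from {ip} at {ts.isoformat()}")
```

The second source in the sample (four failures, all for the same account, then a success) is the ordinary forgotten-password pattern and is deliberately not flagged; counting distinct accounts rather than raw failures is what separates the two. The password vault advice above is the prevention side of the same problem: if no password is shared between services, a stuffed login from a breach elsewhere simply never succeeds.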
4. Avoid getting phished
I expect successful phishing to increase. Particularly as we work from home, it’s easy to be fooled by an email that looks like it came from your company, or even your boss. It’s particularly dangerous since you may not have the quick and easy resources at hand to verify the message is legitimate, such as walking over to and asking your boss if they really sent it.
As forced WFH continues, phishing attacks will focus on impersonating business scenarios in order to gain access to sensitive corporate credentials and information. Sadly, we all too often hear of data breaches — and, as I mentioned earlier, ransomware — traced to a single employee falling for an email they shouldn’t have.
Don’t be that employee.
5. Use a VPN
This recommendation took me a little by surprise for two reasons.
First, for many companies it’s a requirement, not a suggestion. In order to connect to your company’s resources, you are required to connect through your company’s VPN. Without it, all you can do is work on your local machine, without the resources you might need from your corporate network.
Second, a VPN from home doesn’t protect you from much. Sure, if you have reason to distrust your ISP, or if there are other machines on your home network that you might not be able to trust, it could protect you from them, but those are rarely huge issues. We tend to recommend VPNs when you’re travelling, for use at the coffee shop’s open Wi-Fi or from random locations like a hotel. Working from home doesn’t have the same issues.
There’s certainly no harm using a VPN from home, assuming the performance and functionality is acceptable; it’s just not something I’d put on my shortlist.
Footnotes & References
1: I’ve read that medical facilities are being targeted because the encrypted information is time-sensitive and needed immediately. Paying the ransom is likely to be seen as the quickest way out of the problem.
Photo by Djurdjica Boskovic on Unsplash
Just a brief thought/question. I recently came across a search engine, correct term I hope, called Opera. I cannot say it’s any better than IE or Google, but it does have a “FREE” VPN. Has anybody looked at this or tried it? The bigger question may be: is it safe!
Thanks
Ray
Opera is a browser, like Edge, Firefox, and Chrome. A search engine is a website which helps you locate websites by searching key words, such as Google, Bing, Duck Duck Go, and Yahoo Search.
I’ve used it mostly to access YouTube and other sites which are blocked in the country where I am. Otherwise, for serious stuff, I use Tunnel Bear based on Leo’s recommendation.
VPN is a requirement for my work, pandemic or no pandemic. If you are not in the office, the only way to get on the office network is through the VPN. I think the VPN makes sense from the corporate standpoint. While you can encourage your employees to make sure their personal devices are up to date, you can’t guarantee it. All you (corporate) can do is guarantee that work computers are kept up to date. All it takes is one employee’s personal device to be compromised and the risk of infiltrating corporate devices goes way up.
Thank you for a really good article. I have used RoboForm for many years to keep my PWs safe, and I do use a VPN on my home network. I am retired, 75 years old, but I am Commander of my American Legion Post, as well as doing genealogy for TXGenWeb. I also use PCMatic on all my machines. I have not had a problem for years; I bought a life subscription when PCMatic was fairly new.