Telecommuting — also known as working from home (WFH), remote working, and a number of other names — has been around for about 50 years, having made its appearance in the early 1970s.
WFH has become an increasingly significant part of our work lives for many reasons, including the need to link distributed workforces, reduce commute times, cut fuel consumption, limit pollution, enable people to live in affordable housing — and chief in our minds today — achieve social distancing.
With each decade — as improvements and innovations in technology have come about and as the need for telecommuting has increased — WFH has become a bigger part of our lives. Clearly, it produces a number of benefits, and just as clearly it produces a number of challenges. One challenge that has grown over the years is security — both physical and cyber.
In “normal” times, security and productivity were important, of course, but they weren’t always “mission critical.” You could always reach out to your IT resource, figure out a short-term solution on your own, or, at worst, lose a day’s productivity, which, in the overall scheme, probably didn’t have a large negative impact on your job or your company. If a security issue came up, it probably wasn’t the end of the world.
But today, when large segments of the workforce have become remote workers overnight, having and following best practices for WFH has become a great deal more important, and many organizations have been caught without a comprehensive plan to guide their workers.
To help remedy this, we’re using this blog post to cover some of the fundamentals of secure and productive WFH, both from the organization’s point of view and the individual’s. We’ve also included tips on how to make your social networking habits more secure. The following guidance isn’t complete, but it should give you a foundation to build good security on, and as you get the basics down, you can add measures to improve security and efficiency.
Company Security Policy
All companies should have a security policy regardless of their size to ensure that systems and data are secure and to ensure that there is a plan for business continuity. If they don’t have a plan, they need to create one. It doesn’t have to be super detailed, but it should address the items discussed below.
- Physical Office Access – In many cases, if employees have been ordered to work from home during a crisis, then most likely the offices that most employees would normally commute into are closed and only key personnel have access. You’ll have equipment stored in these facilities, including monitors, computers, headsets, chargers, etc. that you might need to access during your office closure. Given that employee key cards or fobs will have been intentionally deactivated for the time being, and since employees typically can’t help themselves to equipment in any event, what is your process for deciding who may receive equipment, and when and how it will be distributed to them if they need it? Clarify these issues and make sure there’s a clear process that includes contact information.
- Network Access – People staying home are no longer working on the office network and may not have internet access at home that is as reliable as the one in the office. In some cases, company private networks cannot be accessed from home without special software such as a VPN. Make sure employees have a reliable broadband connection or offer assistance on upgrading to one, or provide hotspot devices. Advising workers how to make sure personal hotspots are working on cell phones can be a good backup plan if they lose their home internet connection. If the VPN configuration requires physical authentication devices like smart cards, make sure there is a plan for replacing them if one breaks and for determining how IT can remotely configure them for an employee.
- Company Devices vs Personal Devices – It is even more important to remind employees to use company devices for company use only and not for personal use. Personal devices most likely do not have the same strong security controls that corporate devices have, which puts company data, and possibly customer data, at risk when personal devices are used. If a personal device is used for business purposes and is shared among family members, there might even be games, browser plugins, and other apps that are at higher risk of carrying malware with them. This puts that device at higher risk of being compromised by a cyber attack. If personal devices are used for company purposes, and if backups are done on these devices, they might then have company or customer data on them that gets backed up along with the other data on the hard drive. Using personal devices for company data should be against company policy, and violating that policy could get the company and the employee in trouble down the road, especially if any terms of compliance are violated.
- Contacting IT Support – Make sure you have a policy and procedure — and have distributed it to each and every employee — to give detailed instructions on how they can communicate with your security or IT team if an issue arises. Make sure it includes standard procedures and backup plans. For example, if Slack or Jira are the primary means of such communication and they go down, what are your alternate channels of communication? This could be critical for security and business continuity. Maybe Slack is the primary means, but email is the backup or vice versa. Whatever the plan is, make sure it is documented and communicated to everyone who is working from home.
- Device Screen Locking – Employees might think the typical practice of locking their desktop or laptop when they walk away from it is no longer important when working from home, but it is still just as important, especially if the employee has other family members or roommates that live with them. If they are not employees of your company, then they don’t have permission to see or access company or customer data on those devices. And in some cases, children or pets have been known to accidentally click the mouse or hit the keyboard, and suddenly weird or destructive things are happening.
Tips for Remote Workers
- Beware of Phishing – Email phishing scams have always been a threat, but with the COVID-19 crisis, scams are on the rise. It’s almost certain that you’re going to receive emails from fake charities and organizations that are trying to con you out of your money or who are trying to gain access to your computer. Some basic rules for handling links in these types of emails are to stop, think, and then click (or not). Whatever you do, when you’re checking email, resist the all-too-common instinctive reaction of clicking before you even think. Stop to read the entire email, and use other sources to determine whether the email is coming from a legitimate source. Going to a browser and navigating to their website instead of clicking the link in the email can be much safer. Email links can have malicious payloads or bring you to a different site than you are expecting. (If you know what to look for, you can even copy/paste the link into a text editor so you can examine its format and its domain name.) If you have high confidence that the link is safe, then and only then, go ahead and click it.
- Use Strong Passwords – More than ever, it is important to have strong passwords, especially with phishing on the rise and people using their personal devices more frequently (instead of company devices which might have better security controls on them). Strong passwords are ones that are difficult for other humans or machines to guess. Use long passphrases or a password manager, such as LastPass or 1Password, to generate and remember random long passwords. Enable Multi-Factor Authentication (MFA) wherever it is available, especially on your Single Sign On and email accounts. Those services will be the biggest targets along with online shopping and bank accounts where you might have large sums of money.
- Keep Devices Patched – OS and app software that is not patched or kept up to date can have security vulnerabilities that put you at higher risk of cyber attacks. Make sure auto updates are turned on for your OS and for your web browsers and other apps.
- Pay Attention to Your Social Networking Habits – Be careful about what you share on social networks. Information is not only available to the people in your “friend” network but might also be available to anyone on the internet, depending on how well the social network protects your privacy online. Motivated criminals are looking for any information that might help them gain access to your online accounts. Maybe you took one of those fun quizzes a friend posted, and before you know it, you have given away the answer to one of the security questions for one or more of your online accounts, or maybe you have given an accidental hint to part of your password. And it can be even darker than that. Predators can be looking for family photos or information that might lead them to where you live or work. So be sure to give extra thought to what you are posting online.
- Beware of Evil Websites – If you browse to a website by following a link in an email or by navigating directly to it based on an ad you see or some other source, verify a few things before you enter your user ID and password to sign in to that site. Does the content look legitimate? Does the domain name in the browser URL address line look right? Is it using HTTPS so your information is encrypted going to and from the website? If you have a saved password for this website in your password manager, is it populating automatically on the login form? If the answer to any of these questions is No, this could be a website that mimics a legitimate website you normally use and is trying to get you to enter your user ID and password. In some cases, evil websites do this to thousands of people before taking all those stolen passwords and then trying them on other online accounts you might have in the hope that you have used the same password there. So never use the same password on different websites.
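The phishing tip above suggests pasting a link into a text editor to examine its format and domain name, and the evil-websites tip asks whether the domain looks right and whether HTTPS is in use. The following helper, added here as an example and not code from the original post, automates that inspection: it is a defensive checker that parses a link and reports the things a careful reader would look for. The `TRUSTED_DOMAINS` set and the sample URLs are constructed for illustration; the registrable-domain logic is a deliberate simplification (last two labels, no public-suffix list).

```python
# Added example: inspect a link the way the post recommends doing by hand.
from urllib.parse import urlsplit
import ipaddress

# Constructed sample of sites the reader actually signs in to; replace with your own.
TRUSTED_DOMAINS = {"example-bank.com", "example-sso.com"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_link(url: str) -> dict:
    """Parse a URL and return the host, its domain, whether it is trusted, and any warnings."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    findings = []

    # The post's HTTPS question: is traffic to and from the site encrypted?
    if parts.scheme != "https":
        findings.append("not HTTPS")

    # Anything before '@' is userinfo, not the host; the real host is what follows it.
    if parts.username is not None:
        findings.append("text before '@' is not the host; real host is " + host)

    # A bare IP address instead of a domain name is unusual for a sign-in page.
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address, not a domain name")
    except ValueError:
        pass

    # Punycode labels (xn--) can render as lookalike characters in the address bar.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in host; compare it carefully with the real domain")

    # Does the domain match one you use, or does a familiar name merely appear inside it?
    domain = registrable_domain(host)
    trusted = domain in TRUSTED_DOMAINS
    if not trusted and any(t in host for t in TRUSTED_DOMAINS):
        findings.append("a trusted name appears inside the untrusted host " + host)

    return {"host": host, "domain": domain, "trusted": trusted, "findings": findings}


if __name__ == "__main__":
    for sample in ("https://www.example-bank.com/login",
                   "http://example-bank.com.login-verify.example/",
                   "https://example-bank.com@203.0.113.5/"):
        print(sample, "->", inspect_link(sample))
```

An empty `findings` list with `trusted` set to True is the only outcome that answers all of the post's questions with Yes; anything else deserves the "stop and think" treatment before signing in.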
Wrapping up . . .
Well, that’s a start. If you’re responsible for your company’s security, make sure you have a clear policy for all employees. In addition, make sure your employees have access to and understand your security policy, and also have unambiguous directions for getting hold of you if they have problems or need assistance.
If you’re an employee, be sure to follow your company’s policy to the letter, and make sure you carry security best practices over into your personal online life. That way you’ll not only be doing your part to ensure the safety and security of your company, you’ll also be doing your best to protect your privacy, your finances, your family, and your social network.