8 Cybersecurity Best Practices for Working Remotely
The number of employees working remotely skyrocketed during the coronavirus pandemic of 2020, and for many companies, it’s here to stay. Hundreds of thousands of employees at Amazon, Capital One, Dropbox, Infosys, Microsoft, Salesforce, and dozens of smaller companies will be working from their own homes for the foreseeable future.
For IT security experts, the shift to remote work has made their jobs more complex. With employees working off-site, there’s no way to control the devices they’re using to access the company network, whether they’re doing so on personal or company-owned computers, whether they’re using secure wi-fi networks, which software they’re installing on their machines, and so on.
To keep your networks and company data as secure as possible with your employees working from home, there are a few precautions you should keep in mind.
1. Avoid Public Wi-Fi
When you work from home, it’s tempting to get out of the house and work from a library, coffee shop, or shared office space to add some variety to your environment. Unfortunately, public wi-fi poses a significant security threat.
It’s easy for hackers to set up a rogue hotspot — essentially a dummy hotspot that pretends to belong to Starbucks or the library — that allows them to intercept any data passing between your device and the internet or even inject malware into your system.
Even if you connect to a password-protected network, you’re susceptible to man-in-the-middle (MITM) attacks. If an attacker is logged into the same network as you and is able to gain access to the router itself (often by using the default password, which most people don’t change), they can capture any information that passes over the network from any machine connected to it. This includes passwords, browsing history, and purchase transactions, immediately compromising your entire work network.
2. Keep Work Data Separate
If at all possible, your company’s work and personal data should never overlap. Work accounts and data should live on company-owned computers and phones whose security you can guarantee, and personal data should be kept separate.
If you can’t afford separate hardware, you should at least ensure that separate email accounts, passwords, phone numbers, and any other accounts are kept for all your work-related software. Do not allow employees to forward their work email or phone number to another number or address, as it can open up new avenues of attack for interested hackers.
3. Encrypt Sensitive Data
It’s a trivial matter to encrypt all the data on a hard drive or a phone, so this should be one of the first precautions you take. We all like to picture hackers in front of computers, typing 100 words per minute to breach firewalls, but the far more likely scenario is that a hacker will simply steal an unattended laptop while you’re in the bathroom. If the data on that computer is encrypted, it will be much more difficult for them to get anything out of it.
4. Don’t Leave Your Devices
If you do decide to work remotely from a public place like a coffee shop or hotel, don’t ever leave your devices unattended. Don’t leave them to charge at the outlet in the airport, don’t set them down while you go to the bathroom, don’t even leave them while you go up to the register to order.
Today’s hacking devices are so sophisticated that a hacker can create a USB device using basic software that will install a web backdoor, steal cookies, and expose internal routers from your device. One such example, PoisonTap, takes as little as 13 seconds to compromise a system, even if it’s password-protected.
5. Don’t Use Random Thumb Drives
Another popular hack that takes advantage of your inattention is to leave free USB drives lying around the office or public places. These “USB drop attacks” can contain malicious code, social engineering hacks (like links to a fake website), or even software that simulates keystrokes to issue commands to the computer.
In some cases, a USB device that looks like a drive actually contains a capacitor designed to charge and discharge at 220 volts, multiple times per second, instantly destroying the internal circuitry of your computer.
Despite these risks, the average person seems unable to resist a free or abandoned USB drive. In one study at the University of Illinois, 300 USB drives were dropped in various parking lots. Users picked up, plugged in, and even opened files on 48 percent of those drives.
6. Use a USB Data Blocker
USB ports contain four active pins, two for data and two for power. When you plug into a public USB port to charge your device (at an airport, for example), you likely have no idea if there’s a computer at the other end of that cable that’s extracting data from your device. There are two easy ways to prevent this:
- Use a wall charger rather than plugging directly into a public USB port
- Use a USB data blocker. A data blocker is simply a USB adapter that disconnects the two data pins while allowing power to run freely. These only cost a few dollars and are portable enough to bring everywhere you go.
7. Standardize Software Tools
Supply chain attacks — wherein a hacker gains access to your network indirectly, through a third-party tool connected to your system — are becoming more common. Recently, a hack to the IT company SolarWinds exposed sensitive information in thousands of organizations, including US government agencies.
While you can’t completely mitigate the risk of supply chain attacks, you can minimize it by insisting that your company uses as few third-party tools as possible and that everyone is using the same ones. Modern companies use software-as-a-service utilities for everything from data backups to accounting to task management, and each one is a potential weak point in your security. Do your research, choose the most secure options, and don’t allow any others to connect to your machines or network.
8. Formalize All Remote Work Tech Policies
Finally, it’s crucial that you codify all of your tech policies into a clear, coherent document that applies to every single person in the company. You won’t be able to control every aspect of how people at your company interact with the web, your server, or the utilities you use, so it’s vital that you explain the risks and why you’ve implemented the policies you have.
Begin a Conversation
Have a question? Want to connect about a problem? Interested in getting started? Whatever it is, we’re here when you need us.