Even before the onset of the coronavirus (COVID-19) pandemic, a lot of people worked from home at least some of the time.
One study conducted by the International Workplace Group (IWG) found that approximately 70% of the global workforce worked from home at least once a week.
The IWG also found that more than half of the employees in the 2019 study telecommuted for at least half of the work week. One in 10 people worked fully from home for the entire standard work week.
Now, COVID-19 has launched many more people into working from home more frequently, if not permanently.
While this improves flexibility and productivity, there is bad along with the good. Security is one of the biggest concerns when employees work from home.
Couple the increased percentage of people working from home with the fact that workplace infrastructure has been struggling to support the surge, and security becomes an even bigger issue than it was before.
Here are solid, helpful, and actionable tips that will up your data security and privacy while you work from home.
Public Wi-Fi is convenient. If you don't have unlimited data on your smartphone or tablet, it helps conserve cellular usage.
It's frequently free too, sweetening the deal.
All of that comes at a big cost to privacy and security, unfortunately.
What makes public Wi-Fi so convenient simultaneously contributes to its security risks. The fact that it requires no authentication for users to hop on the network is the cornerstone of what makes public Wi-Fi so insecure; anyone can use the network.
Public Wi-Fi is risky by nature.
Since anyone can use the network, that naturally means that more shady characters can too.
(Even public Wi-Fi that utilizes a password isn't all that secure either; usually the password is easily accessible or crackable.)
A tech-savvy shady character has a lot of free rein to snoop on what you're doing, steal sensitive information such as passwords, and even covertly install malware on your personal or work device(s).
Some of these include...
These attacks play on the connection between you and the intended party.
When you make a connection to a website, your computer sends data to the intended party. The man-in-the-middle (a third party) inserts himself between you and the other party.
Let's use connecting to your bank's website as an example.
In an uncompromised situation, your computer sends a request for the bank's website. The bank's server directs you to the website. You then type in your login details, which the bank authenticates on its end.
With a man-in-the-middle attack, the hacker puts himself between you and the bank's servers and intercepts the connection.
He can then do one of two things.
- He can serve you a fake copy of your bank's website from his own server, which then captures your credentials when you attempt to log into your account.
- He can "eavesdrop" on your connection with the bank's server. He can analyze the requests (which can include login details) sent between you and your bank.
In both instances your data has been compromised.
The evil twin attack is where a hacker sets up a fake Wi-Fi network. This fake Wi-Fi network looks legitimate; it might even share the same name as a legit public Wi-Fi access point.
Typically, the hacker will pick a public spot where a lot of different Wi-Fi networks can be picked up. Sometimes the legitimate access points will even have the same name.
This makes it easier on our bad guy because he can just copy the name to use for his fake network, making it more likely someone will connect to it.
When you connect to this fake network, everything you do can be seen by the bad guy(s).
Everything includes the websites you visit and whatever information you share with those websites, up to and including sensitive data like account login credentials and financial information.
Evil twin attacks are often coupled with man-in-the-middle attacks.
Shady characters can take advantage of software vulnerabilities found in devices on public networks.
It's easier for them to gather intel on the devices (such as yours) connected to a public network because of the inherent security risks associated with public Wi-Fi.
For example, let's say you are not (yet) running the absolute latest version of your web browser.
The latest version of your web browser fixes a known security vulnerability. Since you don't have the latest patch, you're not protected against this specific threat.
The hacker can do a little bit of recon to find out the web browser and which build (version) of it you're using. The hacker can then take advantage of the unpatched vulnerability and inject some nasty programs that allow him free rein on your device.
In addition to the digital threats, you must take into consideration that public Wi-Fi is... well, more than likely somewhere out in the public. This means you have more physical security concerns to worry about too.
These physical security issues can range from someone behind you watching your work screen to someone stealing your laptop or phone when you aren't looking.
There are probably some instances where using public Wi-Fi to do your work is unavoidable.
Thankfully, while not ideal, there are a few steps you can take to give yourself some security when out in the wild.
Your best option for encrypting your data and preventing hackers from snooping on what you're doing is to use a VPN.
VPN stands for Virtual Private Network. VPNs encrypt the data that you send to and receive from online sources, such as websites.
They're pretty handy for data security because even if the hackers still manage to intercept your data, they won't be able to tell what that data is.
Their ability to encrypt data doesn't just stop at hackers. VPNs also shield your traffic and information from your ISP (internet service provider - the one you pay the internet bill to) and in many circumstances, even the government.
VPNs also give you anonymity. They hide sensitive data that gets transmitted, and sometimes stored, when you're online. Once stored by another server or device, this information can be used for, well, anything.
For example, VPNs hide your IP (internet protocol) address. Your IP address can be used to pinpoint your location.
(That's part of the reason why you can type "restaurants near me" into search engines and they spit out restaurants near your location.)
While using a VPN improves the security of your data, it doesn't do a thing to defend against worms, viruses, or other malware.
Don't leave your devices unattended.
Be aware of who is around you; someone might be watching you and what you're doing.
All in all, when working remotely, you're better off working from your own home network. In addition to physically being in the privacy of your own home, you have more direct control over the security settings of your Wi-Fi network.
Can you imagine yourself trying to find out how to stop the money draining out of your bank account(s) while explaining to your boss that you don't know how your work email account sent out sketchy emails to the entire organization?
Not using public Wi-Fi probably means you'll be using your own home network. You'll want to make sure your network is secure when you're telecommuting.
Wireless encryption for your home network means that a password is required for any user or device to connect.
This password is what you and I commonly call the "Wi-Fi password."
Whether you regularly work from home or not, it's always a good idea to encrypt your network (read: put a password on your Wi-Fi).
When putting a password on your Wi-Fi, you'll want to make sure you choose the highest encryption level possible.
There are three (really four) Wi-Fi encryption levels. These include Wired Encryption Protocol (WEP), Wireless Protected Access (WPA), WPA2, and the "fourth," WPA3. The least secure is WEP; the highest is WPA3.
WPA3 is a fairly new standard. Most modern routers can run WPA2, which is still a fairly secure standard for now.
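The encryption levels above, together with the earlier evil twin description, can be turned into a quick check of the networks your device sees. The following Python sketch is an added example, not from the original article; the scan entries are constructed sample data, and treating a network name that appears with mixed security settings as suspicious is a heuristic assumption, not proof of an attack.

```python
from collections import defaultdict

# Security modes in the order the article gives, weakest to strongest.
# "OPEN" (no password at all) is ranked below WEP.
RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}

# Constructed sample data: (network name, access point address, security mode).
SAMPLE_SCAN = [
    ("HomeNet", "aa:bb:cc:00:00:01", "WPA2"),
    ("CoffeeShop_WiFi", "aa:bb:cc:00:00:02", "WPA2"),
    ("CoffeeShop_WiFi", "aa:bb:cc:00:00:03", "WPA2"),
    ("CoffeeShop_WiFi", "de:ad:be:00:00:04", "OPEN"),
    ("OldRouter", "aa:bb:cc:00:00:05", "WEP"),
    ("Library", "aa:bb:cc:00:00:06", "WPA3"),
]


def audit_scan(scan):
    """Return {network name: [warnings]} for networks that deserve caution."""
    by_name = defaultdict(list)
    for name, address, mode in scan:
        mode = mode.upper()
        if mode not in RANK:
            raise ValueError(f"unknown security mode: {mode}")
        by_name[name].append((address, mode))

    findings = {}
    for name, access_points in by_name.items():
        warnings = []
        modes = {mode for _, mode in access_points}
        weakest = min(modes, key=RANK.get)

        # Anything below WPA2 is weaker than what the article recommends.
        if RANK[weakest] < RANK["WPA2"]:
            warnings.append(f"weak or no encryption ({weakest})")

        # Several access points sharing one name is normal in large venues,
        # but they should all use the same security mode. A mismatch is a
        # heuristic sign (an assumption of this example) of an evil twin.
        if len(modes) > 1:
            warnings.append(
                "same name advertised with different security settings: "
                + ", ".join(sorted(modes, key=RANK.get))
            )

        if warnings:
            findings[name] = warnings
    return findings


if __name__ == "__main__":
    for name, warnings in audit_scan(SAMPLE_SCAN).items():
        for warning in warnings:
            print(f"{name}: {warning}")
```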
Having a strong password helps keep unwanted people and devices off your home network. Running your network without a Wi-Fi password is like leaving your house unlocked 24/7.
Dealing with hackers stealing your information and neighbors mooching off your internet regularly is a headache you don't need, especially when working from home.
You should be using strong passwords. Strong passwords typically include upper and lowercase letters, numbers, symbols, and other special characters.
You also shouldn't reuse passwords for different accounts.
I'm sure this is advice that you've heard or read at least once before. There are many theories on how to create strong passwords, how to remember them, and where/if to store them.
For your Wi-Fi password, you should use a really good password that you don't use anywhere else, online or offline.
This is because once a device can successfully join your network, it can be pretty hard to restrict what kind of access it has. Additionally, kicking a device off a network completely usually involves changing the Wi-Fi password and hiding the network.
If that device belongs to someone who has ill intentions, then you have a double whammy if they crack your password and get on your network. They might only need a couple of minutes to create a mess so big that it takes you a while to clean it all up.
This issue compounds further the more devices you have on your home network, and when you work remotely, you have both work and personal devices/accounts/information to account for.
Having a strong password means that your Wi-Fi is harder to break into by password cracking.
Ideally, your router should already be in "good shape." At the least it should be regularly updated and the password to its admin control panel should be strong.
Firmware is software that is permanently programmed into hardware. The firmware of your home router is crucial for its operation.
No matter the router's manufacturer or its model, the firmware manages most of the functions and behaviors of the router itself.
It's critical to stay on top of firmware updates released by the manufacturer. Updates to the firmware protect you and your home network from known security vulnerabilities, fix bugs, and provide new features.
The best way to keep the router's firmware updated is to turn on automatic updates on the router itself. Thankfully, a decent portion of models and manufacturers have this enabled as a default setting.
If enabling automatic updates isn't an option for whatever reason, you can usually search for available updates from the router's admin panel.
Most router manufacturers use the address 10.0.0.1 for admin settings. Type it into any web browser and your router's admin settings should pop up.
There are quite a few things you can change in a router's admin settings. In fact, you have control over how the entire network is configured.
While you're in the router's admin settings, you should go ahead and change the password.
This is not the same password used to access your wireless network; it's not your Wi-Fi password.
Chances are that when setting up your home router, you only set up encryption and created the password for your Wi-Fi network. You probably didn't configure any settings on the router itself, and if you did, didn't change the router's admin password.
That's fine and dandy and all until I tell you that many manufacturers set the router's standard admin login details to the following:
I know, it's crazy to me too.
Did you know that the United Kingdom's National Cyber Security Centre (NCSC) found that "password" was the 4th most common password used for online credentials in 2019?
We can all agree that based off this information alone, that's not very safe.
To top it off, manufacturers often use the same username and password across entire product model lines.
Some try to be better and use a password that's different from, let's say, "password," but will still use that same password across the same models. You can look up the default password for your router online.
Keeping the default router admin credentials leaves a big back door open on your home network. Many malicious characters can easily scan for your router's admin panel, change the credentials, adjust settings on the router... and leave you very disconnected from your network.
Keep work and personal devices separate
As part of developing a good work-life balance, keeping your work and personal life separate will benefit you across many different areas of your life (mental health!) in the long run.
The same principle applies when it comes to securing your data and maintaining privacy.
You should avoid logging into work accounts on your personal device(s) and vice versa.
When you log into work accounts on personal devices, you open both yourself and your employer up to unnecessary risk.
At many organizations, the IT department works behind the scenes more often than you might think.
Many IT departments and teams install updates, monitor emerging threats, run virus scans, block suspicious or would-be attackers, and much more. You don't get this type of protection as reliably when working from home, even less so when you use your personal devices for work.
Don't forget that both companies and government offices tend to have more access to robust security programs and services than you or I do.
Additionally, you stand the chance of potentially violating a security policy at your organization by logging into work accounts from personal devices. Depending on how much sensitive information you have access to, you could face some serious punishments from management.
Not everyone has access to a work device. Even though you might have work-related accounts and software logins, you might be forced to use your personal machine to get work done.
Privacy-focused browsers go a huge step further than the "private" or "incognito" browsing of more mainstream ones such as Google Chrome, Microsoft Edge, and Safari.
While they won't necessarily protect you from malware or hackers breaking into your computer and/or home network, they do a better job of protecting your privacy online.
Most privacy-focused browsers disable cookies, trackers, and other identifying bits of code by default. They also restrict, with minimal configuring, the information that more "normal" browsers leak out to the websites that you visit.
Some good privacy browsers to check out are Brave, DuckDuckGo, and many Tor-based browsers.
The standard Firefox is also a good choice, but it does require installing add-ons and playing around with certain settings to be as up to snuff. I cover why you should use a privacy-focused browser in a separate post.
I covered what a VPN does earlier. Due to how well it can encrypt the information you knowingly and unknowingly send out, it's a good way to maintain your digital security when working from home.
Before using a VPN, you'll want to be sure that it won't affect any services or software needed for you to work remotely. Some services flag or outright ban you if they detect that you're using a VPN service.
If you must use your personal devices to work remotely, and have specific security-related questions, I highly suggest reaching out to your IT department.
Your IT department should be very familiar with workplace policy and procedure when it comes to working remotely.
Each organization is different, employing different strategies and policies. Your organization's IT department will be able to guide you in the right direction if you want to, say, use a VPN service while working.
I touched on the importance of software updates on and off in this guide.
Remember back to strengthening the security of the home network, where I harped on the importance of keeping the router's firmware up-to-date?
Understand that software isn't necessarily firmware, but it's very important to keep your software and firmware updated all the same.
Software includes the programs and apps on your device. Anti-virus programs, web browsers, word processors, music playback services, etc. are all software. Software even includes the operating system of your computer (such as Windows) or smartphone (such as iOS).
Outdated software poses serious security risks.
Remember when I gave the example of the hacker injecting malicious code into an outdated web browser? That can happen to any piece of out-of-date software on your computer or smartphone.
Hackers can then use the software security vulnerability to do more nefarious activities. They can inject and run more malicious scripts, steal your personal information, or use your machine to attack other machines and networks.
The list is virtually endless.
Keeping the software on your machine updated mitigates the risk of attackers using known vulnerabilities to hack you.
I'm going to reiterate: you should be using strong passwords. You shouldn't be insecurely storing your passwords. You shouldn't reuse passwords across different accounts.
You should utilize a password manager when possible.
In addition to using a password manager, you might want to consider remembering the passwords to key accounts.
This is different than enabling encryption on your home wireless network.
What exactly does device encryption do? It adds a solid layer of protection if your device is lost or stolen. Whoever stole your device will not be able to read the data on it; cracking it would take an exorbitant amount of time.
Enabling encryption on your devices is done from that device's settings.
For Windows, enable "device encryption" or BitLocker. Note that BitLocker is only available for machines that run Windows 10 Pro. Generic "device encryption" is available for Windows 10 Home.
For macOS, enable FileVault.
For Android-based smartphones running Android 6 and up, device encryption is enabled by default. The same is true for iOS devices running iOS 8 and newer.
Using a good anti-virus is a necessity when you're using a computer with Windows. Some will argue the same for those using macOS.
Anti-virus software is probably the most critical part of protecting your computer (or smartphone) from threats.
A good anti-virus will help protect you from the latest malware threats in the forms of viruses, worms, trojan horses, spyware, and ransomware.
It's good practice to run your anti-virus software at least once a week.
Be aware of your immediate surroundings when working from home; you honestly never know just who is watching what you're doing.
This holds especially true if you're working remotely in a public area.
You'll want to pay special attention to what (or who) is directly behind you.
If you're sitting and working at a table in a coffee shop, keep in mind that the table(s) directly behind you can see most of your screen.
Even if you're at home you should pay attention to your work area. For example, if your work desk is right by an accessible window, ensure that whoever is passing by outside can't see your screen from the other side of the glass.
Locking any device when you're away is a solid practice both inside the office and in your personal life.
It keeps eyes off your work data. It also minimizes the chances of someone accidentally deleting or tampering with any of your digital stuff, personal or work-related.
Keep the good habits going by locking your device(s) even when you're working remotely in the privacy of your own home.
Securing your home office means different things to different people because housing needs/situations vary tremendously.
However, as a general form of advice this can include locking exterior doors and windows, especially when you're not in the room or area.
If you live with roommates or family, you might have to take other precautions as well.
Again, it all depends on your personal housing situation.
Try to consider the possibilities of someone seeing your work information and how sensitive that information is. What do you think they will do with it? If it's something sensitive, will they tell other people what they saw or learned (accidentally or otherwise)?
You might even want to consider the possibility of things turning up missing or broken. Kids have a knack for doing the latter and then letting you find the broken pieces after the fact.
Making sure to lock your devices comes in under this point too.
Working from home provides many benefits for both employees and employers. While there are security risks associated with working remotely, you can mitigate them by following these actionable tips.
As always, stay safe out there!