Are you one of the millions of workers who’ve suddenly gone from days at the office to working at home because of the coronavirus outbreak? Working from home takes some adjustment, especially on short notice. And one of the most important adjustments is thinking differently about cybersecurity at home.
When you work in an office, your company’s IT people focus on keeping hackers out of the system. When you work at home, it’s your responsibility, too.
That’s because hackers are exploiting the rapid shift to remote work by targeting employees with malware and phishing attacks. Often, they’re doing it by impersonating health officials and setting up fake websites that say they provide news about covid-19. Ugh.
It’s a lot to deal with all at once. But taking these four steps can protect your company—and your livelihood—while everyone hunkers down at home.
1. Got a company-issued laptop or phone? Keep it safe
If you’re lucky enough to have tech tools provided by your employer, protect them from data thieves. Here are three keys to locking hackers out of your company-issued gear.
Store your company laptop and phone securely when you’re not using them. Thieves will break into cars to steal electronics, and sometimes those robberies lead to data breaches that cost companies their reputation and customers, plus fines or settlements.
Use your company tech only for work. Save the social media and personal emails for your own phone and computer. Why? There’s a world of phishing websites, social media scams and email phishing fraud related to the covid-19 pandemic.
If you accidentally click on one of those traps, you could end up with malware on your company device—and in your company’s network. Worst case scenario, ransomware locks up your company’s databases until your employer pays up or shuts down.
Don’t install any new software or apps on work devices without company approval. Every new application comes with vulnerabilities, a responsibility to keep it updated and the risk of installing something corrupted. Stick with what your company wants you to use.
2. Connect to work securely
Ideally, your company will have a virtual private network (VPN) that you must use to log in to your work email and files. If so, you’ve got a secure, encrypted connection to work, and no one can see the data you’re sending and receiving.
If your company has a VPN but you don’t have to use it to log in, use it anyway. Yes, it will likely slow down your connection, but it will cover any gaps in your home internet security (which we’ll look at in a bit). If you’re using a public Wi-Fi network for work, yikes. You’re putting your company’s data at risk—including things like your email ID and password—unless you use a VPN.
Check your cybersecurity setup at home. Many of us are relaxed about cybersecurity at home because we don’t think cyberthieves go for small targets. However, thanks to the magic of the internet, hackers can search online for vulnerable IP addresses and go after them from anywhere.
Stepping up your home internet security makes your personal information safer. And when you work from home, it protects your company, too. Here’s what to check:
1. Do you have malware protection on your devices?
This is important whether you’re using a company-issued computer or your own. Regular scans and firewall protection can keep viruses and other crud off your computer and phone, where they could otherwise find their way into your employer’s system.
2. Do you keep your operating systems, apps and programs up to date?
It’s true—Windows and Android updates can take longer than you’d like when you’re busy with work. But when a security update announces itself, the time to install it is now.
That’s because by the time the company sends that security update out, hackers know about it, too—and they’re busy looking for machines that aren’t updated yet so they can break into them. (Unpatched software is how the Equifax hack happened.)
3. Is your home Wi-Fi network password strong and unique?
A strong, unique password will keep snoops and opportunists out of your home network—and out of your work at home. Especially if you live in a crowded area where plenty of people nearby can see your network when they search for Wi-Fi, you need a good password.
Strong means your password is at least 8 characters long, with a random mix of letters, numbers and special characters. Unique means you only use that password for your home Wi-Fi network, not for any other accounts like email and social media. That’s because if someone guesses your Wi-Fi password, they could then also get into those other accounts.
4. Can anyone with an internet connection log in to your home internet gateway?
You might be surprised. Even if you’ve created a strong home Wi-Fi password, you should still check your internet hardware.
That’s because your router may have arrived with default login credentials of “admin/admin.” Those are weak, but who’s going to get close enough to your router to mess with it? Anybody who cares to look it up. Hackers can search for IP addresses with default router login credentials, log in and take over—all from the comfort of wherever they happen to be.
If that happens, attackers can see everything that happens on your network. That means they can easily steal your work email login information and then go on to hack your employer. Here’s a basic walk-through of how to change the password on your router and other network hardware.
3. Step up your password security
Strong and unique passwords aren’t just for your home Wi-Fi network. Ideally, you would use a unique password for every single account you have and use a password manager to keep track of them all.
But at the very least, you need strong, unique passwords for your work email and other work-related accounts, plus your personal email, social media, banking and utility accounts.
When you use a different password for each account, it prevents hackers from using a stolen password of yours like a skeleton key to unlock your other accounts. And that can keep criminals out of your company data as well as your personal information.
4. Watch out for phishing
There’s so much malware out there right now related to the coronavirus. Scammers are going after people in their inbox with fake cures and offers of “new information” designed to trick victims into giving up their email or Office365 login information.
Other coronavirus scams are dumping ransomware into health care providers’ systems at the worst possible time. And still others are tricking workers into paying fake invoices related in some way to the coronavirus outbreak.
What can you do? Practice good email hygiene.
- Check the sender’s email address (not just the sender’s name) before clicking on links or attachments in an email, especially if you didn’t expect to receive it. Scammers often impersonate company owners or executives to trick employees into making funds transfers.
- Verify unusual or urgent email requests from others in the company by phone, video or chat before you act. Scammers know that creating a sense of urgency can cause people to rush into actions they wouldn’t otherwise take.
- Don’t click on any links, attachments or pop-up boxes if you’re not certain who sent them and why. You could end up with malware or stolen login credentials.
- Be careful about visiting unfamiliar websites, especially if you’re looking for covid-19 information. A lot of malicious websites with “coronavirus” in the domain name have cropped up in recent weeks, designed to steal visitor information or spread malware.
- Report suspected phishing emails to your company’s IT people. You may not be the only employee who’s getting them.
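For readers who triage reported emails, here is how the first and fourth tips above can be checked automatically. This is an added example, not part of the original article; the company domain, staff names, warning codes and sample headers are all constructed assumptions.

```python
from email.utils import parseaddr

# All values below are constructed for illustration.
COMPANY_DOMAIN = "example.com"                 # assumed employer mail domain
STAFF_NAMES = {"dana reyes", "it help desk"}   # assumed names a scammer might borrow
LURE_WORDS = ("coronavirus", "covid")          # topical words seen in scam domains

def is_company(domain):
    """True for the company domain itself or any of its subdomains."""
    return domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN)

def check_sender(from_header):
    """Return warning codes for one From: header value (empty list = nothing flagged)."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparsable-sender"]
    domain = addr.rpartition("@")[2].lower()
    warnings = []
    # A colleague's name shown on an address outside the company domain.
    if name.strip().lower() in STAFF_NAMES and not is_company(domain):
        warnings.append("name-domain-mismatch")
    # The display name shows one address while the real sender is another.
    if "@" in name and addr.lower() not in name.lower():
        warnings.append("address-in-name-differs")
    # A topical lure word in the sending domain.
    if any(word in domain for word in LURE_WORDS):
        warnings.append("lure-word-in-domain")
    return warnings

# Constructed sample headers (reserved example/test domains only).
SAMPLES = [
    '"Dana Reyes" <dana.reyes@example.com>',
    '"Dana Reyes" <dana.reyes@examp1e-mail.test>',
    '"ceo@example.com" <billing@pay-invoice.test>',
    '"Health Updates" <news@coronavirus-alerts.test>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header) or "ok")
```

A clean result only means none of these three checks fired; it does not prove the email is genuine, so the phone or chat verification in the second tip still applies.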
So those are the basics of cybersecurity for the new remote worker: Protect your company-issued devices, connect securely, use strong and unique passwords and watch out for phishing. By following these steps, you can protect your company and everyone who works for it.