When COVID-19 traversed the world, the economy couldn't just grind to a halt — it had to adapt. Office workers in their millions created home working stations, and companies adopted new forms of communication and management to suit a workforce confined to their homes.
By the second quarter of 2020, around 557 million people worldwide were working from home, including 35% of workers in the USA. And even after the pandemic subsides, many of those people will continue to work at home. As Pew reports, around half of workers wish to continue home working, while McKinsey argues that at least 25% of US jobs are well-suited to remaining WFH.
Pre-2020, only about 5% of Americans worked from home — the pandemic brought significant changes to working life. But are workers and companies prepared for the cybersecurity implications of exchanging the workplace for home offices?
Working from home: understanding the core risks
Staying safe when working from home has become a vital part of cybersecurity for companies worldwide. And that means embracing hybrid work security practices that tackle the problem from every angle.
Remote working brings with it multiple hazards with serious implications. Millions of new connections and endpoints need to be checked and protected. Employees must have secure ways to remotely access corporate resources, requiring legacy infrastructure to be updated.
If these issues are left unresolved, exposure to potential threats remain:
Phishing – Sending emails or other communications to entice workers to download malware that harvests sensitive data.
Ransomware – Malicious software infects connected systems before demanding payment.
Spyware – Implantation of software designed to collect data, which fraudsters or competitors could use.
Zero-day attacks – Attacks specifically focused on unpatched operating systems and apps, which may be hard to monitor remotely.
Data theft – Stealing log-in details to access customer and employee databases or directly infiltrating them.
Sabotage – Unsupervised workers either deliberately or unwittingly damage corporate assets.
There are several approaches to these risks. If you approach security from the top and bottom simultaneously, you can achieve much better results than relying on individuals alone.
So how can businesses make working from home safer?
WFH security checklist: best practices for employees
1. Invest in a good VPN and antivirus tools
The first thing for all remote workers to do is lock down their connection securely. It's not enough to rely on Windows own security software when the stakes are so high. Instead, invest in a solid Virtual Private Network (VPN) and antivirus software that's regularly updated and provided by a reputable organization.
VPNs encrypt the data you send and receive. They also anonymize your online presence, making it very hard for attackers to identify, let alone target. Antivirus security software is the front line in battling malware. Some popular tools themselves carry crypto mining software, so be aware and choose apps that focus on security alone.
2. Make your password security watertight
Remote working is only as secure as the methods used to secure it. Choose almost impossible passwords to guess and change them regularly — never write down your credentials.
Alternatively, use a password manager like NordPass to keep your log-in details encrypted and safe at all times.
3. Don't forget WiFi security
The network you use to connect with work can also be a weak point, allowing attackers to gain complete control of your traffic or gain access to central servers. So locking down your wireless internet is just as important as using a VPN for your computer.
Choose a WiFi password that's secure and unique and a network ID that doesn't signify to attackers who you are. Enable WPA2 network encryption if that's available, specify authorized MAC addresses to govern who can gain access to your network, and always download the latest router firmware. Cover all of that, and your network security should be solid.
4. Shield your webcam when not in use
Some attacks have involved hijacking webcams in gathering information, recording meetings, and – on occasion – extorting money from targets. Using apps like Zoom is unavoidable, but there's no reason to expose your camera when discussions aren't taking place.
Malware can control your camera without your knowledge, but you can mitigate that risk by using sliding webcam covers or even pieces of tape. You may think about using external cameras that can be unplugged and disabling the camera on your computer. That way, you'll have a physical prompt to keep you focused on security.
5. Be savvy when using email
Many of the most damaging WFH cyberattacks come via regular emails. Phishers are skilled at disguising messages to look authentic, enticing unwitting users to click on download links before they realize what is happening.
Be ultra-cautious when opening emails. Check the address line to make sure it's legitimate. Don't open mail from unexpected sources, and don't open attachments unless you know exactly why they are there and what they contain.
If you want to add an extra layer of security, think about switching to an encrypted email provider. There may be some added inconvenience, but encrypted mails are much less likely to be intercepted and read by criminals.
6. Stay focused on physical security
Physical theft remains one of the most common problems associated with remote working. Thieves can steal your computer, smartphone, or authentication tools provided by third parties. And if the data contained on those devices isn't encrypted, the results can be catastrophic.
Take care when using your laptop in public spaces, and use complete system encryption services like NordLocker to freeze out thieves if the worst occurs. Lock away work laptops when not in use, and carry out a security check of your entrances and windows. If you need to, install extra cameras and alarms.
7. Use separate devices for work and leisure
Sometimes, security lapses occur when people forget to use their work computers. For instance, online shopping carries security risks, from insecure payment portals to fake Amazon web pages. And many people use the same computer to buy products that they do for 9 to 5 duties. That's a big mistake.
The more distance you can put between work and leisure, the better. Ask for a separate company device with the required security tools. And if that's not possible, think about investing in one of your own, and the same applies to smartphones. Using a personal device for work is hugely risky in a world where criminals prey on home workers.
8. Perfect your patching game
Criminals love out-of-date operating systems. So-called "zero-day" exploits are a significant source of phishing and malware attacks, with countless unpatched systems targeted. Don't let your operating system be one of them.
Delaying Windows updates can seem convenient, but be sure to do so as soon as you get the chance. If not, you open yourself up to attacks like WannaCry, which fed off a loophole in Windows operating systems and cost victims billions of dollars when it swept the world in 2017-2018.
9. Use two-factor authentication
Multi-factor authentication adds an extra barrier to deter would-be attackers. It generally involves using an additional piece of information stored externally, whether on specialist authentication dongles or texted to your phone when you log on.
Generally speaking, SMS isn't the best vector for authentication codes because it's not secure. But app or voice-based MFA solutions exist that can do the job just as well. Even if it adds a few seconds to your log-in procedure, the extra protection that authentication provides is more than worth it.
10. Stay in touch with your work and continually learn
The final tip for home workers is crucial. Whatever job you do and whoever you work for, it's essential to stay in touch with your company — especially the officers responsible for digital security.
Every company should have a team member delegated to lead on remote working, and they should communicate best practices, password protocols, and information about devices or authentication.
If you have any cybersecurity concerns, be sure to raise them. And if training is available for personal security, take advantage of it. Cybersecurity is a rapidly changing field, and your skills should change with it.
WFH security: best practices for businesses
1. Centralize your storage systems
Businesses need to lock down confidential data and police authorizations with maximum efficiency. If you're reliant on server-based storage, it is best to do this via centralized storage systems with clear access procedures for all employees. Tools like NordLayer can provide secure access options if you use the Cloud.
Also, make sure that minimizing local data storage is part of your staff security protocols, and communicate this to every network user.
2. Map every connection for total visibility
When you switch to wide-scale remote working, it's easy to lose control of network awareness. You could lose sight of edge points and interfaces with central servers, where users are connecting, and what devices they are using. This kind of fuzziness is a significant problem, so be sure to map out your network geography as your WFH program expands.
Identify weak points, monitor whether staff are using multiple devices or unsecured public WiFi, and remedy any vulnerabilities before they become the source of malware infections.
3. Put training at the center of your business
Working from home shouldn't be seen as simply a change of work venue. It also requires employees and managers to master a new set of cybersecurity skills (or to refresh their already existing skills). Home workers need to be more aware of potential threats than those working inside the perimeter of office networks, and best practices need constant reinforcement.
Because of this, it's a good idea to create enterprise-wide cybersecurity training courses. That includes executives often targeted by "whaling" attacks due to their lack of security expertise. Everyone needs reminding of their duties, and every worker needs to keep their knowledge up to date.
4. Make network-wide tools available to every employee
Many companies already have security tools like encryption, virus checkers, and VPNs. But not every company makes these services available to remote workers.
Don't hoard useful software at your central office or restrict it to specific staff members. Check the licenses and expand access if possible. If you need to add extra users, it's often cheaper to do so across large numbers of workers instead of relying on individuals to purchase vital tools for themselves.
Take a holistic approach and ensure that everyone is covered.
5. Have transparent processes to secure Zoom meetings
Your business probably relies on video meetings with staff and clients, but tools like Zoom are a common target for cyber-attackers.
Ensure that you log every meeting beforehand and that each event has a unique ID. Ensure that participants are legitimate and that every session is password secured. That way, you can minimize the risk of "Zoom bombing" and surveillance attacks while discussing business matters.
6. Notify staff about essential updates
Patching the tools your teams use is vital, so be sure to communicate with staff when updates become available. Every device or operating system you use will have regular updates to handle security flaws, but there's no guarantee that employees will apply these updates.
Send an email or in-app notifications to mobile devices about the need to update, and apply auto-updates if this is an option. And if staff routinely fail to patch their software, make sure you have disciplinary procedures in place to force compliance.
7. Distribute work devices to remote workers
If you provide a dedicated laptop to every remote worker, you can guard against data leakage or malware derived from activities like social media usage or online shopping.
Use multi-factor authentication tools with work devices, and you'll have much more control over how office resources are accessed. You can also make the edge of your network much more secure, adding peace of mind in the process.
8. Make your password protocols crystal clear
Weak passwords are an open invitation to cyber attackers, and most employees use them from time to time. When your teams are home-based, it's hard to reiterate the importance of having solid credentials.
Provide an explicit protocol with requirements about strong passwords, how regularly passwords need to be changed, what password managers to use, and the implications of lax password security.
9. Work from home doesn't mean working from anywhere
During the pandemic, most people limited themselves to home offices. But as the pandemic ebbs and a "new normal" stabilize, many workers will find other venues, from coffee shops to libraries. And not all of them will be secure enough to protect your networks.
Unsecured public WiFi networks open the door for hackers seeking access to sensitive data. Workers should use them sparingly and employ watertight VPN protection when they do.
Ensure teams know that public WiFi is to be avoided and provide WiFi encryption advice for their homes. It's a crucial part of locking down vulnerable network edges.
10. Encourage a productive, safe working environment
Finally, it's essential to ensure employees are healthy, alert, and keen to follow corporate security policies. Homeworking can result in longer hours, the lack of connection can be demotivating for some people, and it's easy to lose sight of core security priorities.
Try to connect with remote workers via social events, regular communications, and general check-ups. Monitor working hours and workloads, and try to be understanding when security errors occur.
People aren't perfect, and they will make mistakes. The challenge is to work with our imperfections to keep those mistakes to a minimum.
Getting to grips with work from home cyber attacks
We know that the following work from home best practices can enhance cybersecurity and minimize the risk of losing company data or incurring financial losses. But those risks can still appear abstract and distant until you encounter them in the wild.
With that in mind, it's important to assess some of the most pressing risks associated with working from home – especially those that have become more dangerous since the COVID pandemic began. Even as many return to offices, they remain urgent, and businesses need to be aware of them if remote working has become a standard part of their operations.
1. Zoom account insecurity
The pandemic sent video conferencing app Zoom into the stratosphere as businesses scrambled to connect with home workers. But this also led to some severe cyberattack risks and significant losses when those risks materialized.
Half a million Zoom account details appeared for sale on the Dark Web in one of the worst recorded incidents. These accounts could be hijacked for illegal use while meeting data associated with those accounts could also be accessed – a significant breach of corporate and personal security.
2. Malicious domains relating to COVID-19
As anxiety about COVID-19 rose, so did the number of social engineering scams using the pandemic as a front for criminal activity. Homeworkers were natural targets for malicious domains and social engineering emails posing as legitimate sources.
Some of these attacks can be very creative. For example, the University of British Columbia staff received a fake COVID-19 health survey in 2020. In other cases, malicious domains have spread agents like Trickbot, which harvests banking and other data. As a result, spotting fake domains has become a crucial part of WFH security, and many workers have failed that test.
3. Phishing emails to elicit confidential information
Many attackers didn't need to pose as COVID information sources to take advantage of the shift to working from home. The Twitter attack of April 2020 is a great example. In that case, attackers used basic phishing techniques to call simple customer service and tech support staff, convincing them to hand over sensitive data like passwords and authentication details. Before long, accounts like Elon Musk and Barack Obama were compromised, tweeting Bitcoin scams to millions of people.
Across the world, ordinary workers have encountered similar scams, often via innocent-looking emails. And when workers are away from the office, they tend to click on dangerous emails regularly.
4. Ransomware attacks on businesses via home workers
During the COVID-19 pandemic, ransomware has experienced a golden age. In the USA alone, ransomware victims paid out around $350m in 2020, a 311% rise in 2019. Experts point to home working as a critical factor in that rise.
The Colonial Pipeline ransomware attack in May 2021 which compromised 45% of the Eastern Seaboard fuel supply, was traced to remote workers' out-of-date VPN. Other attacks have used simple emails to hook remote workers. And the phenomenon has been spurred on by the rise of cryptocurrency, making payments to attackers far easier.
5. Fatigue and declining attention to cybersecurity
According to the UK's Office for National Statistics, those working from home add 5 hours to their working weeks. The Society for Human Resources Management has also found that 35% of homeworkers report feeling tired and lacking energy, probably due to their workload – although pandemic stress could have played a part.
Job insecurity can also compromise cybersecurity in ways that aren't always obvious to companies. For instance, according to a survey by Deloitte, 26% of respondents reported that they had considered making copies of sensitive corporate documents as a precaution. If they fear dismissal, employees can lose sight of core security practices.
Solve your home working cybersecurity issues with NordLayer
Remote working is fast becoming the new normal for millions of workers, and hybrid work security practices should become just as commonplace. We've covered a lot of suggestions for employees and companies, but what if you could bring most of those suggestions under one canopy, creating one secure environment?
NordLayer is a hybrid work security package that will make working remotely much more secure. Our tools let you lock down the interface between local networks and Cloud resources. Implement ironclad VPN protection, multi-factor authentication, and network awareness, with solutions that are simple to scale up as your remote working needs grow.
NordLayer's hardware-free, accessible solution for all businesses works for industry leaders like Allstate, Adobe, and Calendly. If you need to make homeworking secure, get in touch and explore what NordLayer can do.