When COVID-19 traversed the world, the economy couldn't just grind to a halt — it had to adapt. Office workers in their millions created home working stations, and companies adopted new forms of communication and management to suit a workforce confined to their homes.
By the second quarter of 2020, around 557 million people worldwide were working from home, including 35% of workers in the USA. And even after the pandemic subsides, many will continue to work at home. As Pew reports, around half of workers wish to continue working from home, while McKinsey argues that at least 25% of US jobs are well-suited to remaining WFH.
Pre-2020, only about 5% of Americans worked from home — the pandemic significantly changed working life. But are workers and companies prepared for the cybersecurity implications of exchanging the workplace for home offices?
Working from home: understanding the core risks"
Staying safe when working from home has become a vital part of cybersecurity for companies worldwide. And that means embracing hybrid work security practices that tackle the problem from every angle.
Remote working brings with it multiple hazards with profound implications. Millions of new connections and endpoints need to be checked and protected. Employees must have secure ways to remotely access corporate resources, requiring legacy infrastructure to be updated.
If these issues are left unresolved, exposure to potential threats remains:
Phishing – Sending emails or other communications entices workers to download malware that harvests sensitive data.
Ransomware – Malicious software infects connected systems before demanding payment.
Spyware – Implantation of software designed to collect data, which fraudsters or competitors could use.
Zero-day attacks – Attacks focused on unpatched operating systems and apps, which may be hard to monitor remotely.
Data theft – Stealing login details to access or directly infiltrate customer and employee databases.
Sabotage – Unsupervised workers either deliberately or unwittingly damage corporate assets.
There are several approaches to these risks. If you approach security from the top and bottom simultaneously, you can achieve much better results than relying on individuals alone.
So, how can businesses make working from home safer?
WFH security checklist: best practices for employees
1. Invest in a good VPN and antivirus tools
The first thing for all remote workers to do is lock down their connection securely. It's not enough. It's on Windows's security when the stakes are high. Instead, invest in a solid Virtual Private Network (VPN) and antivirus software that a reputable organization regularly provides.
VPNs encrypt the data you send and receive. They also anonymize your online presence, making it difficult for attackers to identify and target. Antivirus security software is the front line in battling malware. Some popular tools themselves carry crypto mining software, so be aware and choose apps that focus on security alone.
2. Make your password security watertight
Remote working is only as secure as the methods used to secure it. Choose almost impossible passwords to guess and change them regularly — never write down your credentials.
Alternatively, always use a password manager like NordPass to keep your login details encrypted and safe.
3. Don't forget Wi-Fi to access corporate resources remotely
The network you use to connect with work can also be a weak point, allowing attackers to control your traffic completely or access central servers. So, locking down your wireless internet is as essential as using a VPN for your computer.
Choose a secure WiFi password, and that's a network ID that doesn't signify tdoesn'tkers who you are. Enable WPA2 network encryption, if available, that's authorized MAC addresses to govern who can access your network, and always download the latest router firmware. Cover all of that, and your network security should be solid.
4. Shield your webcam when not in use
Some attacks have involved hijacking webcams to gather information, recording meetings, and occasionally extorting money from targets. Using apps like Zoom is unavoidable, but there's no reason your camera can control your camera without your knowledge when discussions aren't taking place. But you can mitigate that risk using sliding webcam covers or even pieces of tape. You may think about using external cameras that can be unplugged and turning off the camera on your computer. That way, you'll have a physyou'llrompt to keep you focused on security.
5. Be savvy when using email
Many of the most damaging WFH cyberattacks come via regular emails. Phishers are skilled at disguising messages to look authentic, enticing unwitting users to click on download links before they realize what is happening.
Be ultra-cautious when opening emails. Check the address line to make sure it's legitimate. It's open mail. Do expect sources, and don't open attachments unless you know exactly why they are there and what they contain.
If you want to add an extra layer of security, think about switching to an encrypted email provider. There may be some added inconvenience, but criminals are much less likely to intercept and read encrypted mail.
6. Stay focused on physical security
Physical theft remains one of the most common problems associated with remote working. Thieves can steal your computer, smartphone, or authentication tools provided by third parties. And if the data on those devices isn't encrypted, the results can be catastrophic.
Take care when using your laptop in public spaces, and use complete system encryption services like NordLocker to freeze out thieves if the worst occurs. Lock away unused work laptops, and perform a security check of your entrances and windows. If you need to, install extra cameras and alarms.
7. Use separate devices for work and leisure
Sometimes, security lapses occur when people forget to use their work computers. For instance, online shopping carries security risks, from insecure payment portals to fake Amazon web pages. And many people use the same computer to buy products that they do for 9 to 5 duties. That's a big mistake. The more distance you can put between work and leisure, the better. Ask for a separate company device with the required security tools. And if that's not possible, invest in one of your own; the same applies to smartphones. Using a personal device for work is hugely risky in a world where criminals prey on home workers.
8. Perfect your patching game
Criminals love out-of-date operating systems. So-called "zero-day" exploits are a significant source of phishing and malware attacks, with countless unpatched systems targeted. Don't let your system be one of them.
Delaying Windows updates can seem convenient, but be sure to do so as soon as possible. If not, you open yourself up to attacks like WannaCry, which fed off a loophole in Windows operating systems and cost victims billions of dollars when it swept the world in 2017-2018.
9. Use two-factor authentication
Multi-factor authentication adds an extra barrier to deter would-be attackers. It generally involves using additional information stored externally on specialist authentication dongles or texted to your phone when you log on.
Generally speaking, SMS isn't the best vectoisn't authentication codes because it's not secure. But it's voice-based MFA solutions can do the job just as well. Even if it adds a few seconds to your login procedure, the extra protection authentication provides is more than worth it.
10. Stay in touch with your work and continually learn
The final tip for home workers is crucial. Whatever job you do and whoever you work for, staying in touch with your company — especially the officers responsible for digital security is essential.
Every company should have a team member delegated to lead remote working, and they should communicate best practices, password protocols, and information about devices or authentication.
If you have any cybersecurity concerns, be sure to raise them. And if training is available for personal security, take advantage of it. Cybersecurity is a rapidly changing field, and your skills should change.
WFH security: best practices for businesses
1. Centralize your storage systems
Businesses need to lock down confidential data and police authorizations with maximum efficiency. If you rely on seyou'reased storage, it is best to do this via centralized storage systems with clear access procedures for all employees. Tools like NordLayer can provide secure access options if you use the Cloud.
Also, ensure that minimizing local data storage is part of your staff security protocols, and communicate this to every network user.
2. Map every connection for total visibility
Switching to wide-scale remote working makes it easy to lose network awareness. You could lose sight of edge points and interfaces with central servers, where users connect, and what devices they use. This fuzziness is a significant problem, so map out your network geography as your WFH program expands.
Identify weak points, monitor whether staff use multiple devices or unsecured public WiFi, and remedy any vulnerabilities before they become the source of malware infections.
3. Integrate Workforce IAM into your security infrastructure
Integrating Workforce Identity and Access Management (IAM) ensures employees can access necessary resources when managing remote teams. This specialized IAM focuses on employee access, aligning with HR systems to manage permissions effectively from onboarding to offboarding.Â
It is vital in larger organizations where the complexity of employee roles and permissions is heightened. Including Workforce IAM in your WFH security protocol ensures secure, role-appropriate employee access, keeping your operations smooth and fast.
4. Put training at the center of your business
Working from home shouldn't be simply a change of work venue. It also requires employees and managers to master a new set of cybersecurity skills (or refresh their existing skills). Home workers need to be more aware of potential threats than those working inside the perimeter of office networks, and best practices need constant reinforcement.
Because of this, it's a good idea to create enterprise-wide cybersecurity training courses. That includes executives often targeted by "whaling" a"ta" ks due to their lack of security expertise. Everyone needs to be reminded of their duties, and every worker needs to keep their knowledge up to date.
5. Make network-wide tools available to every employee
Many companies already have security tools like encryption, virus checkers, and VPNs. However, not every company makes these services available to remote workers.
Don't hoard usefDon'tftware at your central office or restrict it to specific staff members. Check the licenses and expand access if possible. If you need to add extra users, it's often cheap to do so across large numbers of workers instead of relying on individuals to purchase vital tools for themselves.
Take a holistic approach and ensure that everyone is covered.
6. Have transparent processes to secure Zoom meetings
Your business probably relies on video meetings with staff and clients, but tools like Zoom are a common target for cyber-attackers.
Ensure you log every meeting beforehand, and each event has a unique ID. Ensure that participants are legitimate and that every session is password-secured. That way, you can minimize the risk of "Zoom bombing" or surveillance"e attacks while discussing business matters.
7. Notify staff about essential updates
Patching your teams' tools is vital, so communicate with staff when updates become available. Every device or operating system you use will have regular updates to handle security flaws, but there is no guarantee that employees will apply these updates.
Send an email or in-app notifications to mobile devices about the need to update, and apply auto-updates if this is an option. And if staff routinely fail to patch their software, make sure you have disciplinary procedures in place to force compliance.
8. Distribute work devices to remote workers
If you provide a dedicated laptop to every remote worker, you can guard against data leakage or malware from social media usage or online shopping.
Use multi-factor authentication tools with work devices, and you'll have much control over how office resources are accessed. You can also make the edge of your network much more secure, adding peace of mind in the process.
9. Make your password protocols crystal clear
Weak passwords are an open invitation to cyber attackers, and most employees use them occasionally. When your teams are home-based, it's hard to reiterate the importance of having solid credentials.
Provide an explicit protocol with requirements about strong passwords, how regularly passwords need to be changed, what password managers to use, and the implications of lax password security.
10. Working from home doesn't mean wordoesn'tom anywhere
During the pandemic, most people limited themselves to home offices. But as the pandemic ebbs and a "new normal" stabilizes, many workers will find other venues, from coffee shops to libraries. And not all of them will be secure enough to protect your networks.
Unsecured public WiFi networks open the door for hackers seeking access to sensitive data. Workers should use them sparingly and employ watertight VPN protection when they do.
Ensure teams know that public WiFi is to be avoided and provide WiFi encryption advice for their homes. It's a crucial part of locking down vulnerable network edges.
11. Encourage a productive, safe working environment
Finally, ensuring employees are healthy, alert, and keen to follow corporate security policies is essential. Homeworking can result in longer hours, the lack of connection can demotivate some people, and it's easy to lose sight of core security priorities.
Connect with remote workers via social events, regular communications, and general check-ups. Monitor working hours and workloads, and try to understand when security errors occur.
People aren't perfect, and they will make mistakes. The challenge is to work with our imperfections to keep those mistakes to a minimum.
Getting to grips with work-from-home cyber-attacks
We know that the following work-from-home best practices can enhance cybersecurity and minimize the risk of losing company data or financial losses. But those risks can still appear abstract and distant until you encounter them in the wild.
With that in mind, it's important to assess some of the most pressing risks associated with working from home – especially those that have become more dangerous since the COVID pandemic began. Even as many return to offices, they remain urgent, and businesses need to be aware of them if remote working has become a standard part of their operations.
1. Zoom account insecurity
The pandemic sent video conferencing app Zoom into the stratosphere as businesses scrambled to connect with home workers. But this also led to severe cyberattack risks and significant losses when those risks materialized.
Half a million Zoom account details appeared for sale on the Dark Web in one of the worst recorded incidents. These accounts could be hijacked for illegal use, while meeting data associated with those accounts could also be accessed – a significant breach of corporate and personal security.
2. Malicious domains relating to COVID-19
As anxiety about COVID-19 rose, so did the number of social engineering scams using the pandemic as a front for criminal activity. Homeworkers were natural targets for malicious domains and social engineering emails posing as legitimate sources.
Some of these attacks can be very creative. For example, the University of British Columbia staff received a fake COVID-19 health survey in 2020. In other cases, malicious domains have spread agents like Trickbot, which harvests banking and other data. As a result, spotting fake domains has become a crucial part of WFH security, and many workers have failed that test.
3. Integrate Workforce IAM into your security infrastructure
Integrating Workforce Identity and Access Management (IAM) ensures employees can access necessary resources when managing remote teams. This specialized IAM focuses on employee access, aligning with HR systems to manage permissions effectively from onboarding to offboarding.Â
It's essential in larger organizations where the complexity of employee roles and permissions is heightened. Including Workforce IAM in your WFH security protocol ensures secure, role-appropriate employee access, keeping your operations smooth and fast.
4. Phishing emails to elicit confidential information
Many attackers didn't need to pose as COVID information sources to take advantage of the shift to working from home. The Twitter attack of April 2020 is a great example. In that case, attackers used basic phishing techniques to call simple customer service and tech support staff, convincing them to hand over sensitive data like passwords and authentication details. Before long, accounts like Elon Musk and Barack Obama were compromised, tweeting Bitcoin scams to millions of people.
Across the world, ordinary workers have encountered similar scams, often via innocent-looking emails. And when workers are away from the office, they tend to click on dangerous emails regularly.
5. Ransomware attacks on businesses via home workers
During the COVID-19 pandemic, ransomware has experienced a golden age. In the USA alone, ransomware victims paid around $350m in 2020, a 311% rise in 2019. Experts point to home working as a critical factor in that rise.
The Colonial Pipeline ransomware attack in May 2021, which compromised 45% of the Eastern Seaboard fuel supply, was traced to remote workers' out-of-date VPN. Other attacks have used simple emails to hook remote workers. And the phenomenon has been spurred on by the rise of cryptocurrency, making payments to attackers far easier.
6. Fatigue and declining attention to cybersecurity
According to the UK's Office for National Statistics, those working from home add 5 hours to their working weeks. The Society for Human Resources Management has also found that 35% of homeworkers report feeling tired and lacking energy, probably due to their workload – although pandemic stress could have played a part.
Job insecurity can also compromise cybersecurity in ways that aren't always obvious to companies. For instance, according to a survey by Deloitte, 26% of respondents reported that they had considered making copies of sensitive corporate documents as a precaution. If they fear dismissal, employees can lose sight of core security practices.
Solve your home working cybersecurity issues with NordLayer
Remote working is fast becoming the new normal for millions of workers, and hybrid work security practices should become just as commonplace. We've covered a lot of suggestions for employees and companies, but what if you could bring most of those suggestions under one canopy, creating one secure environment?
NordLayer is a hybrid work security package that will make working remotely much more secure. Our tools let you lock down the interface between local networks and Cloud resources. Implement ironclad VPN protection, multi-factor authentication, and network awareness with simple solutions to scale up as your remote working needs grow.
NordLayer's hardware-free, accessible solution for all businesses works for industry leaders like Allstate, Adobe, and Calendly. If you need to make homeworking secure, get in touch and explore what NordLayer can do.
