Remote Work

How to Work From Home Without Becoming a Security Risk

It is key that remote workers separate their work and personal digital environments and take protective measures, so that an attack does not result in a chaotic domino effect that puts company and personal data at risk.

There are a lot of things to consider when your team is switching from on-site work to remote work. First of all, yes, you do need a good chair, or else your back will abandon all hope and become nothing but a spiral of pain.

Secondly, working from home is not the same as working at the office, security-wise. Yes, some of this work will fall on your company’s DevOps team, who will set up VPNs for you to access your company’s resources and implement tougher security policies for access management.

However, it doesn’t matter if the DevOps team builds a bomb bunker around your company’s virtual infrastructure. If even one person doesn’t follow basic security etiquette, your bunker will be as easily breachable as a piece of paper.

Becoming a Safe Remote Worker

In reality, most security breaches happen because of mistakes, usually made by an insider. This is the cause of 60% of all incidents in the UK alone and, most of the time, it’s really silly stuff, like a bad password or a misconfigured security setting.

It’s true. All it takes is a little trust and a little carelessness for someone to open the doors to the fortress and make the defenses worthless. So, how do we go about being more conscious about our workspace’s security?

Isolate Your Work Environment

This means that, if you have a work laptop, take it home with you and use it for work only; and if you don’t, create a different session on your computer for working. Separating your personal computer or environment from your work is the first step towards lowering your risk.

The first reason behind this is simple. Your work environment will see less non-work-related usage, so if anything goes wrong during personal use, only your personal environment will be affected. That’s still bad, but it works both ways! If you fall for corporate phishing and get struck by ransomware, your personal computer and files won’t be affected.

On a more technical note, and using Windows as an example: if your work and personal environments coexist on the same computer, do not use the local/administrator user as your work environment. This account, in a nutshell, has free rein over your system with all permissions at hand, and that can generate quite a few vulnerabilities. According to BeyondTrust in 2019, 81 percent of all critical Microsoft vulnerabilities are mitigated by removing admin rights.

The ideal-scenario checklist:

  • If possible, use a different device for work.
  • Have a non-admin session for work.
  • Give your work session a storage quota or a separate disk partition.
  • Activate encryption on all drives (BitLocker on Windows, FileVault on Mac).
  • Avoid using the work session for personal things, and vice versa.
  • Don’t repeat passwords across your personal/work accounts.

Prepare a Safety Net of Basic Security Practices

With a separate work environment, it is now time to ensure your day-to-day usage is protected. Like we said before, it doesn’t matter how much you isolate and defend your device, if your password is “hello123” for all of your accounts, you are wide-open for attack.

Password Management and 2FA

Step one is to have different passwords for each one of your accounts, and even then, activate 2-factor authentication on all services that provide it. At first, it might seem a bit cumbersome, but this is the easiest way to eliminate the risk of phishing attacks.

2FA ensures that, aside from your password, you need a second validation code to log in to your account. This could be a physical USB key, an SMS message, a prompt on your phone, or a random code generated in an app like Google Authenticator. With this, an exposed password becomes… pretty much useless.

A password manager will help you keep all of your different credentials organized, and smooth out the login process without compromising your passwords. There are many free, paid, online and offline solutions available. Take your organization’s recommendation to ensure you stay aligned with their security policies. Dashlane, LastPass, and KeePass are some of the options out there.

VPNs and Public Networks

If your company uses a VPN to access certain services, don’t forget to use it! Plus, if you’re working on a shared or public network, do use a VPN to encrypt your network data and protect it from third parties.

Backups and Cloud Storage

If your company doesn’t have a cloud storage solution in place, put it on the table. Firstly, it’s one way of protecting your work and data so that they stay safe if your drive or computer fails or is attacked. Secondly, storage tools like Google’s G Suite, Amazon WorkDocs, GitHub/GitLab, or Dropbox allow for live collaboration. This also comes in handy to ensure your work is accessible even if you’re not there to share the latest version of it.

Once again, make a habit of thinking and drafting on these platforms and avoid local storage if possible, but don’t use personal cloud services. All important information, whether it is a confidential document or a presentation, should stay inside the company’s protection umbrella.

Takeaways

We know that these security habits might sound a bit overwhelming from time to time. However, both your personal and work environments will benefit from them.

Protecting your data, information, and digital property is not a light subject and should be treated with the seriousness it deserves. The reality is, an attacker or hacker only needs one slip, like a duplicated password, to cause mayhem in your company or personal life. Make the effort, and stay safe!

Nicolas Poggi

Nicolas Poggi is the head of mobile research at Prey, Inc., provider of the open source Prey Anti-Theft software protecting eight million mobile devices. Nic’s work explores technology innovations within the mobile marketplace, and their impact upon security. Nic also serves as Prey’s communications manager, overseeing the company’s brand and content creation. Nic is a technology and contemporary culture journalist and author, and before joining Prey held positions as head of indie coverage at TheGameFanatics, and as FM radio host and interviewer at IndieAir.