Working Remotely – and Securely – During COVID-19

Working remotely comes with a unique set of cyber-security challenges.

Rob Peterson shares 7 tips for maintaining cyber-security best practices in a telework environment.

As more employers are recommending – or mandating – telework for their employees to keep safe and productive during the COVID-19 outbreak, we believe it’s important to share best practices for remote teams.

There are several tips that will improve the security of remote networks and combat concerns affecting network equipment meant for personal use.

Top Risks of Remote Work

Working remotely can be a convenient and productive alternative to being on-site – if you’re prepared, that is. For those who are working remotely for the first time, there are some risks to consider:

• Unsecured Wi-Fi. Most workers will be working out of their home where they can secure their Wi-Fi (see tips below), but some may be forced to use unsecured public Wi-Fi networks, which are prime spots for malicious parties to spy on internet traffic and collect confidential information.
• Personal Devices & Networks. Personal devices and home networks often lack security tools built-in to business networks, such as strong antivirus software, customized firewalls, and automatic online backup tools. This increases the risk of malware finding its way onto devices and information being leaked.
• Scams & Phishing. With more people working remotely, we are likely to see an uptick in malicious campaigns targeting those teleworking individuals.

Working Remotely – and Securely

Many companies are putting together work-from-home plans that include specific directions for how to handle certain aspects of cybersecurity and provide access to security tools. Make sure you protect yourself while working remote – and all the time – by aligning with the following basic security principles.

It’s as important as ever to ensure that all of your accounts are protected with strong passwords. Many people still use the same password across multiple accounts, which means one compromised password can allow a criminal to take over all of your accounts. “Credential stuffing” is a term used when ‘bad guys’ use leaked usernames/passwords to log into other online accounts. Passwords should be unique for every account and comprise a long string of upper- and lower-case letters, numbers, and special characters. It is essentially impossible to properly secure your accounts in this manner without the use of a password manager. We personally recommend looking into an option like LastPass or Dashlane.

Strong passwords, while necessary, are not enough to protect your online activity. Two-factor authentication (2FA) and multi-factor authentication (MFA) is an additional step that adds an extra layer of protection to your accounts by requiring a validation through email, text message, or biometrics.

Unsecured public Wi-Fi networks, like those at coffee shops and hotels, are prime spots for malicious parties to spy on internet traffic and collect confidential information. Make sure to always VPN software, either provided by your company or a COTS solution. CSO Online offers a list of several excellent VPN options.

While firewalls and other protections help mitigate risks, some threats will get through. Ensuring antivirus and malware protection is installed, running, and up-to-date on all devices acts as a next line of defense.

There are simple steps you can take to protect your home Wi-Fi network and prevent malicious parties from gaining access to your devices and information. This includes:

• Changing your router administrator account password. All come with a default password and many are never changed!
• Updating your router/modem firmware and enabling automatic updates, if available on your device’s administration page. Perform a Google search on your router’s make and model to find instructions on how to update firmware, if needed.
• Ensuring your encryption setting type is set to WPA2 or WPA3. Ensure WEP, WPS, and UPnP are switched off/disabled, as these legacy encryption protocols have been commonly hacked and deemed insecure many years ago.

6. Install Updates

While undoubtedly irritating, device updates and patching are extremely important (yes, they do always pop up at the most inopportune times). Vendors use these updates to implement patches for critical security vulnerabilities in their software. In most cases, devices can be set to run updates automatically. Do this!

Emails (phishing), voicemails (vishing), and test messages (smishing) are used by cybercriminals to “phish” for information. To spot a phishing email, check the sender’s email address for spelling error and look for poor grammar in the subject line and/or email body. Hover over links to see the source URL and never click links or open attachments unless you trust the sender 100%. If any doubt exists, contact your company’s IT department for validation.

Additional Resources

The above tips are a great starting point to protect yourself while working remotely. Here are a few additional resources to consider:

• CISA National Cyber Awareness — Enterprise VPN Security
• CIS Controls Telework and Small Office Network Security Guide
• 5 Network Security Remedies for Telework
• Remote access with Microsoft Office 365 Teams

Likewise, Concord is always here to help. Please don’t hesitate to reach out to us if you need support while establishing a new remote work routine or looking for capable teams to assist with important business initiatives. We are here to help throughout this crisis (and beyond) and support your information risk management needs.