Providing your employees with guidance on keeping their data secure while working from home is imperative for ensuring the security of your valuable business and customer data. Employees will most likely be using their home internet connections to carry out their work – including additional usage for video calls and online collaboration tools.
And if they are not mindful of security best practice while away from the relative protection of your office firewalls and security protocols, they could be exposing their data – and your organisation’s – to malicious threats and attacks.
Employers must educate their employees about how to work from home safely, including being aware and vigilant of these 3 key risks.
Working on a home device has heightened risks
Not every employee or business can afford to have entirely separate computers for home and work, so many people are now working remotely using their own PC or personal laptop. And it’s highly likely that an individual’s own device won’t be as secure as their workplace one. Company firewalls and antivirus software create barriers which prevent unauthorised access – but one very real risk is that a tracking virus infiltrates the less secure home computer. It then sees the login details being used to access work systems, which gives hackers a very easy way to simply walk in and steal confidential information or cause havoc.
Home computers are also often shared by other family members, and your employee has little control over the websites others visit or the links they click whilst online – again a heightened risk that malware is inadvertently downloaded onto the computer.
Bear in mind too that this prolonged period of home working means that employees don’t have the opportunity to ask a colleague at the next desk if they are unsure about the validity of an email or link they’ve received. And they’re probably less inclined to call the IT team or a manager to check as that feels rather formal and they may have concerns about bothering others with something seemingly trivial.
If at all possible, encourage your staff to err on the side of caution and check with IT if they’re not sure about the security of their home working environment; IT can also advise on the best antivirus software to download for up-to-date protection. And if employees are having issues with accessing systems, make sure they do get the right support, otherwise they might be tempted to use their own ‘workarounds’, which can then lead to further risk.
The dangers lurking on social media
With so little opportunity to see others at the moment, it’s important for employees to continue to feel connected with others and avoid feeling too isolated. That is understandable, but it’s also vital that your staff understand the risks whilst using social media, and that they take active steps to ensure they protect their personal data.
Phishing scams are common on social media platforms whereby seemingly innocuous links and landing pages are used to lure in the unsuspecting user. It’s easy to feel safe and protected at home chatting online and it’s precisely then that we are all at our most relaxed and trusting.
Employees should beware of the information they reveal. A fun, friendly ‘quiz’ which includes questions about childhood pets, schools attended, favourite colours and maiden names might seem like a welcome diversion, but it’s also sharing answers to common security questions for all kinds of online services, such as bank accounts.
Good password management is everyone’s responsibility
Even before remote working became so widespread, large swathes of people were blurring the lines between personal logins and passwords and those used for work systems. It’s not uncommon for individuals to use the same passwords for multiple services which means it only takes one to be compromised and then every service is at risk.
Now is an ideal time to encourage employees (again) to set up different passwords for each application. These need to be ‘strong’, i.e. not recognisable words, 8 or more characters long, including a combination of letters, numbers and symbols. The ideal of course is an entirely random password; however, these are impossible to remember. Some companies advise using a password manager service with a built-in password generator, which can be helpful.
Remind your employees that everyone must be responsible online and that good password management is a necessity not a ‘nice to have’. Especially now.
Tips for your employees to keep them, and their data safe when working from home
There are several key areas where your remote workers should be particularly vigilant. Our tips offer advice on best practice when it comes to keeping your data safe while working from home, including:
- Phishing – how to spot a malicious email
- Protecting home networks and WiFi
- Password best practice
- Using personal (non-work) PC, laptop or other device
- Keeping software and systems up to date
- Backdoors through other WiFi devices
- Storing business critical data
- File sharing
Read our tips and share them with your teams. It will help them stay safe – and keep your business data safe – while they are working from home.
Working away from your colleagues and your normal office location means many changes – the way you work, the way you communicate, and the resources you have available so you can carry out the tasks you need to keep productive. These tips will help you stay secure while you work remotely, and can also help you improve your family’s online security too.
You are your own best security
Regardless of your organisation’s IT policies, technology alone is not enough to protect you. Cyber attackers will be looking to take advantage of the increase in people working from home, and will target individuals more than networks and organisations.
COVID-19 has become an attractive proposition for cyber criminals, who are targeting our fears and emotional connection to this global issue. This increases the likelihood of people falling victim to phishing attacks, so it is essential that you are vigilant to anything that doesn’t look genuine.
The best approach is that if you’re not sure, check. If you can’t check, don’t click the links, download or open any attachments, or respond to the email in any way. Some things to look out for include:
- Fake phone calls from people claiming to be from your organisation, 3rd party providers, or even customers or suppliers, asking you to provide information that gives them access to your system, or asking for you to give them control of your computer so they can check or fix an “issue”.
- Phishing emails are designed to make you click links or open attachments, and have become more sophisticated in their appearance. See our tips for spotting malicious emails below.
- Fearware preys on people’s fears over the current situation. For example, a site offering a “Coronavirus tracker” could potentially infect your device with malicious software that could steal data or lock you out of your systems. There has been an increase in the number of domains being registered with Coronavirus / COVID-19 names, so be wary of interacting with any sites using these terms.
How to spot a malicious email
- Always check the source of the email. The sender email address can be the easiest way to spot a phishing email if someone you know has been “impersonated” – double clicking on, or “hovering” the mouse over the address will reveal the actual email address.
- Check links before clicking. Hover your mouse over a link and you’ll see the destination URL, which gives you the opportunity to verify the domain’s legitimacy with internet search engines.
- Look for mistakes/ bad grammar. It can be common for phishing emails to contain spelling or grammatical errors, which can be a result of the attacker rushing to get their phishing emails sent quickly, or simply because the attacker has a poor understanding of the language being used.
- Be aware of the tactics used by attackers: the use of authority and urgency to scare you into taking action, or curiosity and desirability to lure you into seeking more information through actions within the email, or similarity and branding to make the email appear more trustworthy and believable.
Your home network
Many people will be working from home using a wireless network connected to the Internet. Your wireless connection broadcasts signals that allow multiple devices to connect to the internet (think laptops, phones, tablets, smart-home devices, smart-speakers). When you connect a device to your Wi-Fi, you see other networks that are “available”, for example your neighbours’ wireless networks. Yours will also be visible, so it’s critical that you protect your home network with good security:
- Your administration password allows you to control and configure the settings for your home internet and wireless network. Make sure that you have changed it from the default password your internet service provider gave you when you set up your internet, and make sure that your admin password is different to your other passwords used on the network, for example the password that allows devices to connect to your Wi-Fi.
- Use strong passwords that are harder to guess. Best practice is to use a passphrase instead of a password. A passphrase is a combination of 3 or more words – e.g. 'donut lollipop milkshake' – with a few added numbers and special characters. (Now we're hungry!)
Password Managers
Using a password manager, such as LastPass, removes the need to commit a multitude of passwords to memory. Your passwords and other account information are stored in an encrypted format and are accessible with a master password, so there is only one to remember. Some password managers have browser connections so they can remember your online accounts and automatically update when you change any details.
If you can, enable two-factor or multi-factor authentication on your devices and accounts. This method uses two or three of the following to confirm your identity – something you are (a fingerprint), something you have (a code sent to a mobile device registered to you) and something you know (a password). It’s easier to set up than you might think, and your IT team can recommend a service for you.
Using your own PC
Not everyone will be able to use or have devices provided by work. If you do have to use your own PC, laptop or mobile device, your IT department may have already asked for permission to check that your system, software and security are up to date. If not, here are a few steps you can take to make sure you stay secure while working from home:
- Make sure your devices are running the latest versions of their respective operating systems, and your software and applications are up to date. This will help ensure that you are protected against known security issues, as developers will have released updates and patches in the most recent releases.
- Check your virus and malware protection is active and up to date.
- Check your other devices that are connected to your wireless network – including games consoles, smart-speakers, smart TVs, security cameras – anything that needs to connect to the Internet / WiFi to function. It’s not unheard of for hackers to find backdoors to networks through devices that might not be obvious at first thought.
- If you need to download software to carry out your work, make sure that you’re downloading from the correct and verified site. There are malicious sites that offer software downloads – for example if you need to download Microsoft Office, make sure you’re getting the genuine article. And don’t go for unknown alternatives.
Keep your data safe
Once you’ve sorted your devices and passwords, you need to think about how you’re going to share information with your customers, colleagues and suppliers. There are data protection considerations (don’t forget GDPR) as well as worst case scenario planning:
- Don’t store business critical data directly on your laptop or PC. Use a secure shared network drive if possible. This will not only protect your data if your laptop becomes damaged (spillages, drops and bumps) but will also allow your colleagues to access critical information should you fall ill or be unable to work for other reasons.
- Make sure that you can access the information you need to carry out your work. Your IT support team may be under pressure with additional requests from other remote workers during this time.
- File sharing should be done via a solution that’s approved by your organisation. Using 3rd party sites like Dropbox or WeTransfer to share data can be risky and security cannot be guaranteed. You may also fall foul of GDPR compliance if your data is transferred outside the EU. For guidance, speak to your IT or information security department.
- If you need to share large files, consider emailing the data in batches directly to whoever you need to share it with and password protect anything you can.
A few things you might not have thought about
- Don’t let your kids (or anyone else for that matter) use your work devices – they may accidentally infect them, or delete or edit data.
- Make sure your screen is not visible through windows – use a privacy screen if necessary to minimise indirect viewing or simply draw the curtains or pull down a blind – especially when you are not in your work area.
- Your workplace has health and safety policies for your desk, chair and computer use – try to stick to these as closely as possible while you’re working from home. Have your screen at arm’s length away from you and try to have your screen at the right eye level for optimum comfort.