10 things work-from-home employees can do now to help protect the network

WFH employees are now more susceptible to attacks that steal credentials or plant malware. Have them follow this advice to better protect themselves and the business.

Casual man with beard seated at home office with smart phone
Thinkstock

With the pandemic turning the business world upside down, offices look less like hives of activity and more like ghost towns. Employees have had to make do with working from home, a dangerous proposition from the perspective of any risk-averse IT administrator or security officer.

It’s a given that a modern corporation will provide security to protect its business, employees, and secrets. In addition to outfitting every computer with endpoint detection and response (EDR) software to thwart malware, there’s usually access to a virtual private network (VPN) to shield communications from prying eyes and automatic updates to its operating system and apps with the latest security patches.

Still, those who work from home (WFH) will have to forgo some of the defenses that are taken for granted in at the office, like the company’s robust firewall and in-person tech support. Even if they’re outside the office’s protective sphere, there are several extra defensive layers that, with a little effort, WFH employees can use to raise their (and the company’s) security profile. Together, they constitute a beefed-up defensive posture to help avoid the hackers, industrial spies and the malware purveyors out there waiting to steal the company’s secrets and burrow into its internal network.

These supplemental WFH security tips should be a part of any organization’s security awareness training for remote workers. Most can be done in less than a minute and don’t require any special knowledge. I’ve shown how to do it on one platform but the concept can be extended to the other popular operating systems.

1. Encrypt for safety

If your company is security conscious, there’s a good chance it encrypts computers it owns so even if one is lost or stolen, its data will remain hidden. On the downside, encrypting a full drive can seriously slow down a computer. A good compromise is to use an encryption program to scramble critical or confidential files. That way, if they fall into the wrong hands, they will be unreadable without the correct decryption key. There’s good news for phones and tablets, as well, because Samsung’s recent Galaxy products include the Secure Folder app that encrypts files using the company’s Knox technology. The best part is that the files can be opened with a password, fingerprint or facial scan.

cso security encrypt Brian Nadel

Samsung Knox security folder

2. Lock out flash drives

A large security hole is left wide open if WFH employees can move data onto and off systems using a flash drive. You can warn them of the danger, and Windows 10 lets you limit how data can enter and leave the computer. Start by typing “gpedit” in the search box to open the Group Policy Editor. Next, click on the System folder to get to the Administrative Templates folder. After you open the Removable Storage folder, there are ways to lock out the use of CDs, DVDs and even antediluvian floppy disks. There are two options: “Deny read access” to prevent incoming malware and “Deny write access” to prevent company data leaving the system. Use both for extra security.

cso security removable Brian Nadel

Deny read access on removable devices

 

3. Use home ISPs' security tools and services

Your computer and often phone and tablet will have your company’s EDR software to protect against malware outbreaks. The software not only monitors the system’s behavior to identify the early signs of an attack or intrusion but can safely roll back its set up to a state before the attack took place. This can happen without the user even knowing an attack took place.

Employees’ internet service providers (ISPs) can play a role as well, and you should encourage them to take advantage of the security tools and services they offer. For instance, my internet provider recently suggested uninstalling QuickTime for Windows, which is no longer supported and can be a hacker’s point of entry. Many ISP business packages include managed security with a focus on malware detection, proactive monitoring, and frequent reports on attempted break-ins.

4. Turn on the home router’s firewall

The company’s hardware firewall at its base of operations protects its network and clients from intrusion by monitoring activity at its ports and stopping any unexpected actions. Sure, the notebook the company issued you has a software firewall to prevent outsiders from getting in, but your WiFi router’s firewall can help as well.

Start by updating the router’s admin name, password and firmware because using generic log-in data or old firmware is like putting a big bullseye on it. While different routers activate their firewalls differently the process is similar. Using my Linksys WRT32X, I started at the “Advanced Settings” section of the menu and clicked on “Local Network Settings”. After I opened the “More Settings” section, I flicked the firewall software “On/Off” switch. Now, the system will have an extra layer of protection from hackers.

cso security firewall Brian Nadel

Setting up a home router firewall

5. Use only the company’s approved video platform

With most of the business world working from home, using video for personal interactions with colleagues, contractors, and suppliers has become the only game in town, but some platforms are more secure than others. For instance, if a contractor wants to chat about an upcoming project over Zoom or Whatsapp but your company uses Teams, employees should say no and suggest using the company-approved platform. There are too many things that can go wrong, like vulnerable file sharing and Zoom-bombers listening in.

6. Use a webcam cover

While we’re on the subject of video, employees should keep the system’s web camera covered when not in use. Leave it open and who knows who could be watching their work, or worse. Some notebooks, like HP’s Elitebook Dragonfly, have a physical webcam cover that blocks the camera from snoops. For other systems, cheap slide cover accessories or a piece of a Post-it note placed over the camera’s lens work just as well. 

7. Never connect with public WiFi

Most companies have this as policy but it’s worth repeating: Employees should always use a secure connection to the company’s servers so that there’s a lower chance someone is eavesdropping on the data flow, including avoiding public WiFi at airports, coffee shops, and hotels. If an employee’s home broadband can’t keep up, they can try using the hotspot ability of the company-issued phone or tablet. For iPhones and iPads with mobile data, this starts with tapping on “Personal Hotspot” on the device’s “Settings” page. Then, flick the switch to “Allow Others to Join”. The network’s password is listed along with connection instructions.

cso security hotspot blur Brian Nadel

8. Put data in its place

Every company has its own rules and policies on how data should be securely stored and working from home doesn’t change them. If your firm requires that little or nothing is saved locally or you have to use its online data storage system, continue to do so. Changing data habits at home by saving work files on a computer or sending them to a personal online storage account is just asking for trouble.

9. Use multi-factor authentication

One sure-fire method of increasing WFH security is to add multi-factor authentication (MFA). It can protect the iPhone, iPad, or Mac Apple ID account that the company set up for you from being hacked. To add two-factor authentication on a Mac, go to the “Systems Preferences” section of the main menu and open “Apple ID”. Then, go to “Password & Security” to open “Two-Factor Authentication”. Once it’s running, a six-digit code will be sent to a trusted device or phone via a text message or automated call. That code is required to open the Apple ID account.

cso security mfa blur Brian Nadel

10. Set household guidelines on web hygiene

Finally, it’s a good idea to give WFH employees good digital hygiene guidelines that they can share with the whole family. Attackers are targeting WFH employees with scams aimed at grabbing passwords or injecting rogue software onto their systems. Here are some examples of advice to pass on:

  • Avoid online dangerous places like porn sites or free movie or file-sharing sites, and if your browser can block questionable sites, do it.
  • Never tell anyone online your personal info or passwords. You don’t know who they actually are and where the data might end up.
  • Check the URL you’ve typed for accuracy because site squatters with malicious web pages are just a mistyped key away.
  • Above all, be skeptical about anything you read online; it might be a trap.
  • Similarly, be cautious with email. Emails at first glance can look legit, but could have an embedded link to a sophisticated identity theft scam or ransomware. If the sender’s address looks strange, has grammatical or typographical errors, lacks a company logo, or doesn’t have company identification details, pass on opening it. It could be the smartest thing you do all day.

Copyright © 2021 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)