Many more people are working from home (WFH) than ever before. Now that we know it can work for so many people, I expect it will remain popular even after the current crisis is over.
The bad guys know this, and they’re sharpening their focus to take advantage of folks working from home perhaps for the first time.
A recent episode of The CyberWire podcast listed five steps to improving your security when working from home. I want to visit those, elaborate on why they’re important in the WFH environment, and, in at least one case, disagree a little.
The steps will be familiar to most.
1. Stay up to date
If you’ve been putting off getting your system as up to date as possible, do it now. This applies not just to Windows (or whatever operating system you’re using), but to the applications you use as well — especially those you use at work.
Your workplace may have strict, even automated policies that keep your equipment up to date — you never have to think about it. At home, it’s easy to let things slide.
If you brought company equipment home, it’s even more important, since those automated systems may or may not work when disconnected from your company’s network.
You don’t want to be the employee that allows malware (like, say, ransomware) onto company property when it could have been easily prevented by keeping things up to date.
2. Use two-factor authentication
For every account that offers it, including accounts you use while working from home, enable two-factor authentication.
Again, bad guys target the stressed and overbusy employees of high profile (or high value) companies working from home for the first time. While we’re all being told over and over to pay attention to our personal hygiene, it’s very easy to overlook password hygiene in times of chaos and stress.
Two factor (or multi-factor) authentication is a strong layer of additional protection. Even if someone gets your password, they won’t be able to sign in, because they won’t have the additional factor that proves you are who you say you are: typically a code from an authenticator app or a hardware security key on your phone, though some services send the code by text message or to an alternate email address. Codes sent by text or email are the weakest form, since a phone number or a secondary mailbox can itself be taken over; an authenticator app or a security key is better, and work accounts are the place to start.
3. Don’t reuse passwords
Make certain that every account you have — especially work-related accounts — has a different password. Make it long and strong, and use a password vault to generate and keep track of them all.
When those bad guys happen across a password — either by successfully hacking you, or because it’s been exposed in a data breach — they use what’s called “credential stuffing”: automated tools that replay that email address and password combination against a wide variety of other online services. If you used that same password at the other services, bingo, you’ve been hacked again.
If that happened to be an account related to your work — which of course hackers would love for it to be so they could perhaps gain access to your company’s network or data — the repercussions could be significant.
I know many people pooh-pooh credential stuffing, but it does happen (the fact it has its own term should be a clue), and it’s a common way hackers take advantage of those of us who get lazy.
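As an added example (not code from the original article), the following replays a constructed breach dump against a constructed second service, showing which reused passwords fall, and then runs the detection a defender would apply to the service's authentication log: one source address walking through many distinct usernames with a low success rate. The log format, IP addresses, accounts and thresholds are all assumptions made for the demo.

```python
# Added example (not from the original article): credential stuffing
# replayed against a constructed service, plus server-side detection.
import hashlib
from collections import defaultdict

# Constructed "breach dump" from some unrelated site: email + plaintext password.
BREACH_DUMP = [
    ("alice@example.com", "Summer2019!"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "correct horse battery staple"),
    ("dave@example.com", "P@ssw0rd"),
    ("eve@example.com", "letmein"),
    ("frank@example.com", "qwerty123"),
]


def pw_hash(password: str) -> str:
    # Deliberately simplified for the demo; a real service uses a slow, salted hash.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed work service. Alice and Dave reused their breached password;
# Bob and Carol used vault-generated ones; Eve and Frank have no account here.
WORK_ACCOUNTS = {
    "alice@example.com": pw_hash("Summer2019!"),
    "bob@example.com": pw_hash("9k$Qw!z2-unique-vault-generated"),
    "carol@example.com": pw_hash("another-unique-passphrase"),
    "dave@example.com": pw_hash("P@ssw0rd"),
}


def stuff(dump, accounts, source_ip, start_ts):
    """Replay each breached credential once; return (auth log lines, compromised users)."""
    log, compromised = [], []
    for i, (email, password) in enumerate(dump):
        ok = accounts.get(email) == pw_hash(password)
        log.append(f"{start_ts + i} ip={source_ip} user={email} result={'success' if ok else 'fail'}")
        if ok:
            compromised.append(email)
    return log, compromised


def parse(line):
    """'<ts> ip=<ip> user=<user> result=<success|fail>' -> (ts, ip, user, ok)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return int(ts), fields["ip"], fields["user"], fields["result"] == "success"


def detect_stuffing(log_lines, window=300, min_users=3, max_success_rate=0.5):
    """Flag source IPs that, within `window` seconds, try >= min_users DISTINCT
    usernames with a low success rate. A legitimate user mistyping a password
    hits one username repeatedly; a stuffing tool walks a list of them."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(parse(l) for l in log_lines):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        lo = 0
        for hi in range(len(evs)):              # sliding window over sorted events
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            win = evs[lo:hi + 1]
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            if len(users) >= min_users and successes / len(win) <= max_success_rate:
                if ip not in flagged or len(users) > flagged[ip]["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users),
                                   "attempts": len(win), "successes": successes}
    return flagged


# Constructed background traffic: Bob fat-fingers his password twice, then gets in.
LEGIT_LOG = [
    "1700000100 ip=198.51.100.20 user=bob@example.com result=fail",
    "1700000110 ip=198.51.100.20 user=bob@example.com result=fail",
    "1700000125 ip=198.51.100.20 user=bob@example.com result=success",
]

if __name__ == "__main__":
    attack_log, owned = stuff(BREACH_DUMP, WORK_ACCOUNTS, "203.0.113.7", 1700000000)
    print("accounts taken over via reuse:", owned)
    print("flagged sources:", detect_stuffing(attack_log + LEGIT_LOG))
```

The two reused passwords are all the attacker needs; the four unique ones cost them nothing but a failed request. On the defence side, per-user lockouts do not catch this pattern (each user sees only one attempt), which is why the detection keys on distinct usernames per source rather than failures per account.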
4. Avoid getting phished
I expect successful phishing to increase. Particularly as we work from home, it’s easy to be fooled by an email that looks like it came from your company, or even your boss. It’s particularly dangerous since you may not have the quick and easy resources at hand to verify the message is legitimate, such as walking over to your boss and asking if they really sent it. Use a channel you already trust instead: a phone call to a number you already have, or a message in your company’s chat tool, rather than a reply to the email itself.
As forced WFH continues, phishing attacks will focus on impersonating business scenarios in order to gain access to sensitive corporate credentials and information. Sadly, we all too often hear of data breaches — and, as I mentioned earlier, ransomware — traced to a single employee falling for an email they shouldn’t have.
Don’t be that employee.
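As an added example (not code from the original article), these are the header checks a mail filter, or a careful reader looking at the raw headers, can apply to a message that claims to come from your company or your boss: an external sending domain, a domain that imitates the company’s, a display name that belongs to a known colleague but is attached to a different address, and a Reply-To pointing somewhere else. The company domain, the directory of names and both messages are constructed for the demo.

```python
# Added example (not from the original article): impersonation checks on
# email headers. Domains, directory and messages are all constructed.
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAINS = {"example.com"}
# Constructed directory: display names a phisher would borrow, and the real address.
DIRECTORY = {"jane doe": "jane.doe@example.com"}


def header_address(msg, name):
    """Return (display name, lower-cased address) for a header, or ('', '')."""
    value = msg.get(name)
    if not value:
        return "", ""
    display, addr = parseaddr(value)
    return display.strip(), addr.lower()


def domain_of(addr):
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def looks_like(domain, real):
    """Catch the cheap tricks: confusable characters (rn/m, 1/l, 0/o, vv/w)
    and the company name buried in an unrelated domain."""
    if domain == real:
        return False
    norm = domain.replace("rn", "m").replace("vv", "w").replace("1", "l").replace("0", "o")
    return norm == real or real.split(".")[0] in domain


def assess(raw_message):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []
    from_name, from_addr = header_address(msg, "From")
    _, reply_addr = header_address(msg, "Reply-To")
    from_dom = domain_of(from_addr)

    if from_dom not in COMPANY_DOMAINS:
        findings.append(f"From address is external: {from_addr}")
        for real in COMPANY_DOMAINS:
            if looks_like(from_dom, real):
                findings.append(f"sender domain {from_dom} imitates {real}")

    known = DIRECTORY.get(from_name.lower())
    if known and known != from_addr:
        findings.append(f"display name '{from_name}' belongs to {known}, not {from_addr}")

    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To goes elsewhere: {reply_addr}")
    return findings


# Constructed messages.
PHISH = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: payments@mail-relay-invoice.net
To: sam@example.com
Subject: Urgent: wire transfer before end of day

Sam, I'm in a meeting, please process the attached invoice now.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: sam@example.com
Subject: Weekly sync

See you at 10.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, assess(raw) or ["no findings"])
```

These checks only catch impersonation that is visible in the headers. A message whose From address is genuinely your company’s domain can still be forged unless the receiving mail system enforces SPF, DKIM and DMARC for that domain, and a colleague’s real mailbox can be taken over outright; the out-of-band verification above still applies when the headers look clean.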
5. Use a VPN
This recommendation took me a little by surprise, for two reasons.
First, for many companies it’s a requirement, not a suggestion. In order to connect to your company’s resources, you are required to connect through your company’s VPN. Without it, all you can do is work on your local machine, without the resources you might need from your corporate network.
Second, a consumer VPN from home doesn’t protect you from much. Sure, if you have reason to distrust your ISP, or if there are other machines on your home network that you might not be able to trust (a smart TV, a family member’s laptop), it could protect you from them, but those are rarely huge issues, and a VPN provider simply becomes the party that sees your traffic instead of your ISP. We tend to recommend VPNs when you’re travelling for use at the coffee shop’s open Wi-Fi, or from a random location like a hotel. Working from home doesn’t have the same issues.
There’s certainly no harm using a VPN from home, assuming the performance and functionality is acceptable; it’s just not something I’d put on my shortlist.