If you’re like many white-collar American workers right now, you may find yourself unexpectedly working from home. And if you’re new to working from home, you’re likely making adjustments as you face challenges such as learning remote work software, staying in touch with colleagues, and finding ways to remain productive in spite of children, pets, and other distractions. We discussed some of these challenges in last week’s post “Working From Home: Tips For Productivity And Communication.”
But one challenge you might not be considering is the cybersecurity risks working from home can pose. When you work on your company’s network, there are layers of security in place protecting the company’s sensitive data. You might encounter this security on occasion when you have to request permissions from IT or have to log in a second time to certain systems, but otherwise, we non-IT folks tend to take this security for granted.
When you work at home on your personal network, you work without some of those layers of security, which means your company’s data becomes more vulnerable to theft. Your own home network, your personal PC (if you don’t have one issued from work), and the tools you use to communicate with coworkers are all vulnerable to certain threats.
But don’t panic! The team at TracSoft has compiled a list of possible threats and measures you can take to stay safe.
Prevent Phishing Attacks Against Remote Workers
A phishing attack is an attempt to gain information. Typically, these attacks come in the form of emails that ask you to verify your credentials, check transactions on an account, or make a charitable contribution. Often a link will be included where this information can be entered. The goal is to get you to share information with the hacker so they can use that information to access secure systems.
To protect against phishing…
- Always look carefully at the email address a message was sent from, not just the name of the sender. Make sure the email address is completely correct because often fake email accounts will look very authentic except for one or two letters being different.
- If a sender seems familiar (maybe they appear to be a coworker) and asks you to share information, call and verify that that person did indeed request the information
- Exchange personal information by phone. No bank, doctor’s office, or credit card company should ever ask you to exchange personal information through email because it’s not a very secure form of communication. These institutions will call you, verify your identity, and then exchange information on the phone.
- Have employees complete cybersecurity training. Some free trainings are available online from National Cyber Security Alliance (or NCSA), The Office of the Director of National Intelligence, and the website Stay Safe Online, but there are paid options available, too, that can be tailored to your industry.
Educate Remote Workers About Domain Spoofing
A domain is the address of a website; it’s what you type into the search bar to reach a specific website. Domain spoofing is when an attacker includes a link that looks like it leads to a legitimate website, but it actually leads somewhere else. This kind of attack is very simple. The links in this blog post, for instance, contain phrases that may or may not indicate the website they lead to, and domain spoofing attacks work the same way.
A more sophisticated type of domain spoofing attack occurs when attackers actually build a website that looks legitimate and uses a very similar URL. (We recently explained this type of attack in more detail here.) Victims visit the site and enter their credentials, thinking they are entering the correct site, only to have their credentials stolen.
According to Alexander Urbelis, a hacker-turned-information-security lawyer and now the head of the Blackstone Law Group, this type of attack is on the rise. With many more people working from home, bad actors are replicating authentic employee portals using domain spoofing. In an interview with NPR, he explains, “People are very used to seeing these portals that are asking for their usernames and passwords. And if you look at the Web address or the URL that’s associated with this particular type of attack, it was very, very convincing.”
To protect your employees from domain spoofing…
- Email employees the correct links to important systems they will be using while working remotely. Have employees bookmark these URLs so they are not searching for them online. If they are not searching for your systems, then they are much less likely to stumble onto a fake replica site.
- Implement tools like a Sender Policy Framework (SPF) and Domain Key Identified Mail (DKIM) that will check servers and domains to make sure they are authentic. If emails are found with inauthentic links, they will be blocked or rerouted to a special email folder. You can learn more from HackSplaining.com’s article on protecting your email.
To protect yourself from domain spoofing…
- Hover your mouse over links before clicking on them. In many web browsers, a box will pop up showing youthe actual URL contained in the link. If the link says safewebsite.com, but the text in the box says something different, then you know this site is suspicious.
- Pay close attention to the spelling of URLs. If even one letter is off, be suspicious.
- If you are suspicious of a link, use one of these free link checking tools to make sure it is actually the link you think it is.
Use Encrypted Video Conferencing
On Monday, the website Bleeping Computer reported that popular video conferencing website Zoom is seeing an increased number of attacks since the implementation of quarantine for COVID-19. These range from “Zoombomb” attacks like the one Dennis Johnson faced during a virtual defense of his dissertation, wherein attackers called him racial slurs and shared pornographic images, all the way to more sophisticated attacks that allow bad actors to “sit in” on presentations to gather sensitive data.
Another challenge to video conferencing software are fake sites (domain spoofing like mentioned above). Researchers have found an increasing number of malicious files using a zoom-us-zoom_##########.exe naming scheme that install malicious code on users’ computers. Similar malicious files target Microsoft Teams users with a microsoft-teams_V#mu#D_##########.exe naming scheme.
To protect your privacy during video conferencing…
- Make sure you check your privacy settings for your account and for the specific meeting you set up. Check these well before users begin logging in for the meeting.
- Use a paid video conferencing site. Free is nice, but security tools like encryption take time and money to develop, implement, and maintain. And remember, data loss is a hugely expensive problem that can destroy your business. Security is not a place to cut corners. Windows Report offers an updated list of simple video conferencing options that offer encryption.
Check Your Home Security Measures
Beyond these specific attacks, there are general security measures you can take to make your personal computer and network more secure.
- Install and update antivirus protection. If you need antivirus software, PC Mag has compiled a list of the ten best free antivirus software tools of 2020.
- Activate your firewall. If you’re using a Windows-based PC, then Microsoft provides detailed instructions for turning on its Defender Firewall.
- Make sure your router password is complicated and long. The longer your password, the longer it takes to crack. Stephen Cooper of Comparitech suggests an ideal password is between 12 and 20 characters long.
- Change your router’s admin settings. On many routers, the default settings give admin privileges to any device connected to the network, and unless you change the admin login manually, often your settings can be changed by anyone who knows what kind of router you use because manufacturers set all their devices with the same admin credentials. You can change your admin settings using this handy article from Lifewire.
- Enable your router’s firewall. This will provide one more layer of protection for your home network.
- Use your work email for work. It might be tempting to use your personal email for work-related tasks. If you’re like many people, everything on your computer is already setup for your personal email. But odds are that your work email has extra protections that your personal email does not, such as spam and antivirus filters, that help block many phishing emails. Operating without those protections leaves you more vulnerable.
- Keep work communications on work-approved communication systems. Just like with email, if your company uses chat tools like Microsoft Teams or Slack, don’t venture out to other tools without company approval. Odds are that IT has reviewed those communication tools and made sure their security features meet with the company’s security guidelines. Using tools like Facebook Messenger or WhatsApp instead might leave you open to hacking or data leaks.
- Back up files regularly using safe methods. Dumping files in the same cloud storage you use to store pictures of your cat in a cupcake costume doesn’t cut it. If you have cloud storage provided by your employer, use that. Otherwise, use an external hard drive or thumb drive. You may want to even set reminders to save your work at regular intervals.
Even if you don’t work in IT, there are a number of steps you can take to help protect yourself and your employer. In this hyper-digital world, security has become the responsibility of each member of a company, and with a few small changes, you can work securely when working from home.
Having trouble being productive at home? Feeling disconnected from your usual coworkers and routine? Check out our post Working From Home: Tips For Productivity And Communication to learn how to make the most of your remote work experience.
Managing security for remote workers is a big job. That’s why so many businesses turn to network security and managed IT services from TracSoft. With over twenty years of experience, industry-leading software, and highly-rated remote support, TracSoft delivers reliable, effective 24/7 protection for your company’s most important data. Find out how TracSoft can begin securing your data today.