As shelter-in-place orders were enacted and employees began working remotely, one of the top IT-related issues was connectivity—making sure that employees had access to the files and data they needed to work effectively. But it wasn’t long before another concern took hold—that of cybersecurity in work-from-home environments.
And with good cause: Over the past few months, fraud has proliferated. The Federal Trade Commission (FTC) reported more than 91,000 complaints of COVID-19-related scams between January 1 and June 8, 2020, leading to losses of more than $92 million.
Realizing the potential danger, companies are grappling with enforcing cybersecurity for work-from-home employees. Here are six cybersecurity tips and tips for working remotely that will help protect your company.
1. Use a Password Protocol with Multi-Factor Authentication
We’ve all heard jokes about passwords like “Password” or “123456.” Unfortunately, these easily hacked passwords are no joke when it comes to security, and weak or compromised passwords persist. Believe it or not, “123456” is still the “winner” (or loser, as it may be) of the most popular passwords, used by 23.2 million accounts.
That’s why you should share password best practices with your team. One tip to consider is using a “passphrase” as suggested by the FBI—and encourage employees to change the code frequently. But an even better solution is to enable “multi-factor authentication” (MFA), also known as two-factor authentication, which prompts the user to provide two log-ins, such as their password and then an additional code sent to their phone.
2. Walk Employees Through a Virtual Private Network (VPN)
As employees began working from home, most connected to the company’s systems with their own devices, using Windows’ “Remote Desktop Protocol” (RDP). This commonly-used Microsoft solution allows workers on remote computers to connect to the corporate network.
However, what employees may not realize is that if they are using this connection protocol on an unsecured WiFi connection, or a hacker otherwise gains access by guessing their password, it opens up their entire company's network.
That’s a key reason a strong password protocol is so crucial. Still another way to prevent these attacks is by making sure employees install and use a Virtual Private Network (VPN), which adds an extra layer of security by routing the connection through an encrypted server.
Employees should have clear instructions so they can access the VPN themselves—it only takes a few clicks to get to the setting. Employers should also offer help if employees experience trouble connecting or need a walkthrough.
3. Remind Employees About Potentially Suspicious Emails
This is one phish you don’t want your colleagues to catch. And, the hackers are definitely baiting the hook these days: A survey by Hiscox and Forrester found the most common types of breaches were virus or worm infestations (23%), business email compromise (21%) and ransomware (19%). It’s definitely causing consternation among IT professionals: A recent survey from WSJ Pro Research found that 80% were concerned about ransomware.
This is a good time to remind your team to be extra vigilant. Some specific warning signs to look out for:
- Always double-check the “from” line to ensure the message is coming from a real address.
- Hover over a link to verify the name of the site domain and make sure it’s legitimate before clicking.
- Never send personal or financial information in response to an unsolicited email.
- f a sender is asking you for money—even if the request appears to be from the boss or a vendor—confirm the amount by phone before sending it.
- Brush up on telltale signs that can indicate a scam email, like misspellings or strange phrasing.
- When in doubt, call the purported sender and ask if they sent a specific message.
- Always alert the IT department with any questions or concerns.
4. Communicate the Potential Risks of Social Media
Most of your team probably already know that broadcasting vacation plans can open the door to thieves targeting their empty house. But since we’re home all the time now, it can be easy to let down our guard and become freer with the details we post.
Let your colleagues know that criminals might use social media to glean important details that can help them guess passwords or assume an employee's identity. Here’s how it might work: An employee posts a picture and hashtags it #WorkFromHome or #WFH. Hackers then scour the picture and profile to learn more about them, using even the most seemingly mundane details to detect insight.
For example, intel about your kids or pets, your birth date, your favorite sports teams or your alma mater can be revealed through background artifacts in the photos which might help them unlock your password. Or, a computer that’s open in the picture can inadvertently reveal company information, or even display an ID tag that could allow a hacker to call IT and pose as the employee to gain access.
5. Beware of the Inside Job
Unfortunately, not all breaches come from outside the company; in fact, a survey from WSJ Pro Research found that nearly 70% of IT managers were concerned about malicious employees. And while you might be inclined to just lock everything down, this can be tricky when it’s vital for employees to have access to confidential information to do their jobs productively, especially when working remotely.
That’s why it’s important to create a balance between trusting and verifying. First, establish protocols for which individuals should have access to sensitive data. Then, keep your eye out for potentially dangerous behavior, such as someone accessing the corporate network outside of business hours (if it’s out of character for them) or repeated attempts to access restricted data.
6. Highlight These Tips Often
There’s no such thing as too many warnings; after all, these cybersecurity tips are only useful when they are used consistently. Fortunately, robust training can be a powerful ally, especially if you explain not just the “what,” but also the “why” behind your cybersecurity work from home tips, and emphasize how everyone has a role in enforcing these policies.
The more frequently you highlight tips for working remotely and invite feedback and questions, the more your team is liable to embrace and follow cybersecurity best practices.