Home, Sweet Home — Cybersecurity Tips for Work-From-Home Employers and Employees
To minimize the spread of the coronavirus, many companies and state and local governments recently mandated that non-essential employees work from home rather than come into the office. While modern technology makes such “telecommuting” possible, working from home brings additional risk to every organization. Cyber criminals continue to run their traditional wire fraud, credential stuffing and email spoofing attacks. At the same time, they are using the pandemic to play on people’s fears and vulnerabilities. These tips for both employers and employees can help keep valuable data out of the hands of those who are preying on organizations during these vulnerable times.
Management
- Educate employees about secure procedures. Clearly define what devices and applications are supported and secure and how employees can use them. Otherwise, if left to their own whims, many employees will likely send, access or store data through insecure means (e.g., via home computers, family email, personal WhatsApp chats and individual Dropbox accounts).
- Limit employee access to only what they need. If possible, require that employees only access their work network via a company-issued or approved device. Otherwise, supply some type of secure tunneling or “sandboxing” software (e.g., mobile device management (MDM) software for smart phones). Once employees enter the network, do not allow them access to everything — just what they need.
- Encrypt sensitive data and connections. If you have not done so already, implement encryption on both data at rest and in motion. This means turning on disk-level encryption for all devices that employees use at home and providing a secure gateway (e.g., an encrypted VPN) that employees can use to access their work files and applications.
- Turn on multifactor authentication (MFA). Where possible, only allow access to the company network when an employee has presented a username and password (something they “know”), plus a code they separately possess or receive (something they “have”). This is usually a code sent to the employee’s phone or a random number generated by a security app. The additional code can keep attackers at bay, even if they have already guessed or stolen an employee’s credentials.
- Provide frequent IT and cybersecurity updates. Alert employees to network maintenance windows as well as new potential scams and attacks. Clear communications are always important in an organization, but even more so when employees are working from home. Frequent communications will help build trust and rapport among employees, even as they remain apart and shelter at home.
- Create a central reporting number and email address. Provide an emergency line and email address that employees can contact to ask for help, report a network outage or disclose a potential data incident (e.g., if they believe they clicked on a suspicious link). This will allow IT to quickly identify and remediate issues or escalate them as needed.
- Establish appropriate levels of approval for financial transactions. Make sure you have a protocol stating the due diligence and approval needed for different levels or types of financial transactions (e.g., $5,000 check, or $50,000 to $1 million wire transfer). To counter common phishing schemes that seek to misdirect funds, make sure employees know when they should verify a payment request by phone or seek a supervisor’s pen-and-ink signature in person.
All Company Employees
- Use only company-approved systems and applications. Do not use your personal computer, tablets or home software unless specifically approved by IT. Your IT department likely protects and supports a limited set of devices and applications; therefore, you increase the risk of a data breach if you start using other equipment or programs.
- Avoid public WiFi. If possible, do not use public WiFi at a coffee shop or airport even just to surf the web. You should be at home anyway, so use your home network and a secure gateway like a VPN to do work. If you need to connect in public, use a trusted provider or your phone’s own “hotspot,” plus the company VPN.
- Use only company-approved email and communications. Do not use your personal email, chats, social media, video programs or storage accounts to do work. Instead, use the company email system and approved applications (e.g., Skype, WebEx, SharePoint). Learn how to set up a secure meeting and don’t share your moderator code. If a third party sends you an invite, verify the address and only install a new app with IT’s approval.
- Secure your home network. Start with your router and make sure you have changed the default password and have enabled strong encryption (WPA2 or WPA3). Establish a separate “guest” account and apply strong passwords across all WiFi accounts. Keep your operating system, antivirus software and other programs updated. Turn off your smart speakers during business calls.
- Secure your work laptop. Do not leave your work computer lying open in a public place or even at home. Avoid further snooping by enabling your screen lock. If you need to travel, lock your computer in a hotel safe when you are out of the room.
- Avoid online scams. Beware of hackers and fraudsters who will try to take advantage of the current crisis. Read ongoing alerts published by your IT department, private professionals and government officials.
- HOVER over email addresses and links. Most applications allow you to hover over an email address or a link with your mouse before opening or clicking anything. Make sure a sender’s email address precisely matches the address of your known contact (e.g., from @faegredrinker.com, not an unknown Gmail address). Watch out for extra or substituted characters in a link or email domain name (e.g., “c0mpany.com” instead of “company.com”).
- When in doubt, use a separate channel to contact a sender. If an email looks suspicious or simply asks for a large money transfer, call the sender and confirm they sent it. Do not simply call the number on the bottom of a signature block (this could be a hacker’s number). Use a contact number already known to you.
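As an added example (not part of the original article), the following Python checker automates the hover check described above: it pulls the domain out of a sender address or link and flags domains that resemble a known contact’s domain but differ by substituted or extra characters. The known-contact list, the table of look-alike characters and the similarity threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed allowlist: domains of contacts the employee already knows.
KNOWN_DOMAINS = {"faegredrinker.com", "company.com"}

# Assumed, partial table of characters commonly substituted for look-alikes.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}

# Assumed threshold: domains at least this similar to a known domain are suspect.
SIMILARITY_THRESHOLD = 0.9


def host_of(value: str) -> str:
    """Return the lowercase domain from 'Name <user@host>', 'user@host' or a URL."""
    m = re.search(r"<([^>]+)>", value)
    v = (m.group(1) if m else value).strip()
    if "://" in v:                      # full URL as shown when hovering a link
        return (urlparse(v).hostname or "").lower()
    if "@" in v:                        # email address
        return v.rsplit("@", 1)[-1].lower()
    return (urlparse("http://" + v).hostname or "").lower()   # bare host/path


def normalize(domain: str) -> str:
    """Replace look-alike characters so 'c0mpany.com' compares as 'company.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def classify_sender(value: str) -> str:
    """'known' for an exact allowlist match, 'lookalike' for a near miss, else 'unknown'."""
    domain = host_of(value)
    if domain in KNOWN_DOMAINS:
        return "known"
    norm = normalize(domain)
    for known in KNOWN_DOMAINS:
        if norm == known:               # substituted characters only
            return "lookalike"
        # Catches one-off extra or missing characters, e.g. 'faegredrinkerr.com'.
        if SequenceMatcher(None, norm, known).ratio() >= SIMILARITY_THRESHOLD:
            return "lookalike"
    return "unknown"
```

A sender classified as "lookalike" is exactly the case where the article advises confirming through a separate, already-known channel rather than replying.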
We hope this list helps minimize the risks companies may face in the coming months. For additional advice on remote computing, see the links below from different government authorities. If you have any questions or want to talk about remote working capabilities going forward, please feel free to reach out to any member of our team.
Other Resources
- U.S. Federal Trade Commission — Online security tips for working from home
- U.S. National Institute of Standards and Technology (NIST) — Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, NIST Special Publication 800-46, Revision 2
- U.S. Cyber and Infrastructure Security Agency (CISA) — Alert (AA20-073A) on Enterprise VPN Security
- European Union Agency for Cybersecurity (ENISA) — Top Tips for Cybersecurity When Working Remotely
Faegre Drinker’s Coronavirus Resource Center is available to help you understand and assess the legal, regulatory and commercial implications of COVID-19.
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.