19 Cyber Security Tips for Working From Home in 2020

Work From Home Cyber Security Tips - CurrentWare

Working from home presents unique security challenges. If you’re working from home you can improve the security of sensitive data and protect yourself against cyber security threats by following these work from home security tips for employees.

Authentication Security Tips

1) Never reuse passwords

CurrentWare client settings console with the change password option shown.

Two thirds of people in the LastPass Psychology of Passwords Report admitted to reusing passwords. Whether you are working from home or in the office you must make sure the passwords you use are unique to you and not easy to guess.

Reusing passwords increases the potential damage that a data breach could cause. If an attacker manages to gain unauthorized access to your password on one account they would then have access to all of your accounts that use the same credentials.

2) Create strong passwords

A comic by XKCD showcasing how strong passwords can be made by combining a series of words — Source: “Password Strength” from XKCD.com

All of the passwords you use should be unique for each account and difficult for a potential attacker to guess. You should also never share your passwords with anyone.

Use Passphrases. A strong password doesn’t have to be hard for you to remember. Simply memorize a series of unrelated words and combine them together into a passphrase.
Easy to remember, hard to guess. If you have an easy to remember password you will not have to write it down, reducing the opportunity that someone will find your written password. Ideally the password you make should not contain any personal details about you such as birthdays or the names of children/pets.

3) Use a single sign-on tool

Single sign-on (SSO) is a valuable tool for businesses that manage multiple users. These tools allow end-users to log in to all of their corporate applications with a single set of credentials. This is far more convenient for the end-users and reduces the cyber security risks of password insecurity.

4) Lock your workstation when you are not using it

When you’re working in the comfort of your own home it’s easy to let your guard down. This is especially true if you live with trusted loved ones.

To prevent accidental data loss or leakage you should still maintain the habit of locking your computer when you are not using it. All it takes is a moment of carelessness for a trusted family member to accidentally cause damage or see sensitive information they are not privy to.

The fastest way to lock your computer

Windows: Press the Windows Key and L.
New Macs: Press Control-Shift-Power
Old Macs: Press Control-Shift-Eject

5) Avoid sharing your accounts with coworkers

You should have your own unique company accounts that are exclusive to you. This reduces opportunities for passwords to be leaked and makes it easier to investigate security incidents. Sharing passwords is also a liability issue as insider threats can use social engineering to gain unauthorized access to company resources they should not have access to.

6) Beware of eavesdropping and shoulder surfing

Working remotely comes with its fair share of freedoms. The ability to work from anywhere is a great perk but it’s also a significant security risk. If you decide to leave home to work in a public space you should be mindful of who has a line-of-sight towards your laptop. You should also refrain from openly discussing sensitive company topics when working in public.

Phishing Awareness Tips

Personal data phishing concept background. Cartoon illustration of personal data phishing vector

Phishing is a pervasive security issue. No matter where you work you will need to be vigilant about phishing, spear phishing, and social engineering. While system administrators do their best to filter out spam and phishing emails the end-user also needs to know how to spot a phishing attempt so they can report it and avoid falling victim to the attack.

Threat actors have been taking advantage of the uncertainty and stress surrounding COVID-19 to trick employees into divulging sensitive information and sending company funds to fraudsters. In fact, it has been reported that a staggering 9 out of 10 coronavirus-related domains are scams. They’ve also impersonated being representatives of the World Health Organization and Greta Thunberg to convince their victims to visit malicious links and download malware disguised as legitimate files.

7) Be wary of links and attachments in emails

A screenshot of an email. It has a link that says "Hey Dale, here's the link to our free white paper that you asked for!". The link it leads to is seen at the bottom with a note that says "Real Link". — This is a legitimate link – the domain of the email address and the link both go to CurrentWare.com & the user was expecting to receive this email.

Phishers will do everything they can to impersonate legitimate people and organizations. You should never open an attachment unless you are completely confident that the message is from a legitimate party. Even if everything in an email appears legitimate you should do everything you can to avoid clicking links and opening attachments wherever possible.

If you must click a link, first hover over the link and check the bottom-left corner of your browser to see where the link is actually trying to send you. Read the domain carefully to make sure that it’s not a misspelled domain trying to impersonate the legitimate website.

As a further precaution you can use a URL inspector tool such as VirusTotal to analyze suspicious files and URLs to detect malware

8) Do not send sensitive information over email or text

Yellow email letters flying out of a laptop computer.

Email, team chat, and text are all convenient for day-to-day communication but they may not be suitably secure for sensitive data such as personally identifiable information (PII). These communication platforms typically store copies of their messages on both the senders and recipients computers, leaving the sensitive data vulnerable to exposure if those messages are later leaked. A better alternative for sending sensitive data are encrypted file sharing tools that are a part of the organization’s official tech stack.

9) Verify that the sender is legitimate

Phishers will try to make their requests appear more legitimate by spoofing the email addresses of trusted senders. Watch for typos, the use of zeros in place of Os, added punctuation that’s not supposed to be there, and email addresses that use the correct username with the wrong domain. Some phishers may even simply set their display name to be the trusted sender they’re trying to spoof while using a generic email address.

Example: If the trusted sender is JohnDoe@CompanyTech.com, a Phisher could use JohnDoe@CompanyTtech.com to pretend to be them.

Note: Even if an email appears to be coming from a legitimate email address, attackers can still spoof an email address or compromise an account. Not every email received from (what appears to be) a trusted sender is guaranteed to be safe.

10) If a request sent to you by email sounds suspicious, call the sender directly to verify its legitimacy

This tip may sound like overkill, but it’s far better to be overly cautious than to leak sensitive information or send company funds to a fraudulent account. Taking a brief moment to verify the legitimacy of a suspicious email can very well make a significant difference if it prevents you from falling for a phishing attempt.

What is considered suspicious will depend on the context of your organization. Your workplace should have policies and procedures in place that dictate how requests are to be made, how data is to be transferred, and how processes should be undertaken. An email that asks you to do anything that falls outside of that framework should be treated with high suspicion.

Here are some general warning signs you should look out for.

The message attempts to create a sense of urgency
The email is poorly written
The message is sent from an unknown email address
It includes suspicious attachments or links

Internet Security Tips

11) Beware of public Wi-Fi

If you’re working while on the road you may be tempted to use one of many publicly available Wi-Fi hotspots. These connections may be fine for low-risk personal browsing but there are dangers you should be aware of.

Honeypots. Attackers could make a “honeypot” where they spoof an existing hotspot. Once you connect to their hotspot they can perform a man-in-the-middle (MITM) attack to intercept your connection with a fake domain that looks like the one you were trying to visit. Once you login to the fake domain they now have your login credentials.
Traffic Sniffing. Other users of the hotspot could potentially see your traffic on unencrypted websites if the provider of the public Wi-Fi does not have adequate security controls in place.

Ideally you will have access to your own private mobile hotspot that you can use to connect to the internet while working remotely. If this is not the case, using a VPN can reduce, but not eliminate, the security risks of public Wi-Fi.

12) Use an internet connection that is separate from internet-of-things (IoT) devices

A photo of a computer screen. The cursor is pointing to the word "security"

Your home network is likely nowhere secure as the purpose-built networks provided by your employer. If your home network includes consumer-grade IoT devices such as Smart TVs, fridges, or security cameras, you should place these devices on a separate network. Refer to your ISP’s directions for making a guest network via your router.

The reason for this tip is that IoT devices are not equally secure. If an unsecured IoT device is compromised by an attacker they can use that device as an entry point to the rest of your network; this is precisely why endpoint security is so critical for protecting your network as a whole.

13) Do not use your home router’s default credentials

A shocking amount of routers do not force their users to reset the default admin credentials on setup. Attackers can use a list of manufacturers, devices, and known default credentials to brute force their way into your network. Changing the default credentials to a secure password helps prevent this attack.

Data Loss Prevention Tips

14) Keep sensitive data within pre-approved channels

A man types on his laptop keyboard. A bright light with a lock icon shines in front of the screen.

If you are given access to sensitive data as part of your role you need to do everything you can to keep it safe. All sensitive data should be kept within pre-approved channels where it can be adequately monitored and managed. You should never save sensitive data to your desktop or unauthorized cloud storage accounts. You should also avoid sending this data over email, team chat, or personal devices.

15) Avoid mixing personal and corporate devices

Some workplaces let their employees use their personal devices for work. This practice is known as “Bring Your Own Device” or “BYOD”. This poses unique security risks as personal device usage is inherently more risky than work-only usage. There are also limitations to monitoring the personal devices of remote workers, which leaves a significant visibility gap.

If your workplace is BYOD-friendly you should refrain from storing sensitive data on your personal devices. You should also avoid accessing that data without a corporate-secured device unless absolutely necessary.

16) Be mindful of the physical security risks of working remotely

A man using a laptop to browse the internet

The portability of laptops makes them incredibly easy to steal. Whenever you work in a public location you should always have the laptop within arms reach and carry it with you. If you will be traveling you should keep your devices in your carry-on rather than storing it in your checked baggage.

This tip also applies to data storage devices such as USB flash drives and external hard drives. These devices are easy to lose or have stolen and it’s often difficult to know for certain what potentially sensitive information was on that device before it went missing.

17) Do not use unauthorized USB devices

A photo of a USB thumb drive on top of a laptop keyboard

Do not plug in USB devices that are not pre-approved by your IT department. Rogue USB devices may actually be a cleverly disguised data theft device. Even your own personal USB devices may be insufficiently secure, especially if you do not have encryption enabled.

If you are not required to use USB devices for your role you can disable data transfers through USB ports using data loss prevention software.

Removable Media
Policy Template

Set data security standards for portable storage
Define the acceptable use of removable media
Inform your users about their security responsibilities

Get started today—Download the FREE template and customize it to fit the needs of your organization.

Get the FREE Template

18) Only used company-approved software and hardware

A man sits at his desk working on a computer. The shadowy figure of a colleague looms behind him.

It can be tempting to use software, processes, and hardware that you’re already familiar with. Even if you have a tool that will improve your productivity you should refrain from using it without the knowledge and approval of your IT department. This “shadow IT” is not being adequately monitored and managed for potential security threats and could be potentially exploited by attackers.

19) Make sure everyone is aware of their cyber security responsibilities

Cyber security is not solely managed by IT personnel, it is everyone’s responsibility. Organizations must implement cyber security training for their staff to make sure that they are aware of the risks and responsibilities that correspond with their role.

Conclusion

If you’re working from home you need to do everything you can to reduce your cyber security risks. These work from home security tips will help you to protect sensitive data from the most common cybersecurity threats of a remote workforce.

Stay Secure While Working From Home With CurrentWare

Dale Strickland

Dale Strickland is the Digital Marketing Manager for CurrentWare, a global provider of user activity monitoring, web filtering, and device control software. Dale’s diverse multimedia background allows him the opportunity to produce a variety of content for CurrentWare including blogs, infographics, videos, eBooks, and social media shareables.

Cookie	Duration	Description
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
LS_CSRF_TOKEN	session	Cloudflare sets this cookie to track users’ activities across multiple websites. It expires once the browser is closed.
OptanonConsent	1 year	OneTrust sets this cookie to store details about the site's cookie category and check whether visitors have given or withdrawn consent from the use of each category.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
_zcsr_tmp	session	Zoho sets this cookie for the login function on the website.

Cookie	Duration	Description
_calendly_session	21 days	Calendly, a Meeting Schedulers, sets this cookie to allow the meeting scheduler to function within the website and to add events into the visitor’s calendar.
_gaexp	2 months 11 days 7 hours 3 minutes	Google Analytics installs this cookie to determine a user's inclusion in an experiment and the expiry of experiments a user has been included in.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_GY6RPLBZG0	2 years	This cookie is installed by Google Analytics.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
_opt_expid	past	Set by Google Analytics, this cookie is created when running a redirect experiment. It stores the experiment ID, the variant ID and the referrer to the page that is being redirected.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_dc_gtm_UA-6494714-6	1 minute	No description
_gaexp_rc	past	No description available.
34f6831605	session	No description
383aeadb58	session	No description available.
663a60c55d	session	No description available.
6e4b8efee4	session	No description available.
c72887300d	session	No description available.
cookielawinfo-checkbox-tracking	1 year	No description
crmcsr	session	No description available.
currentware-_zldp	2 years	No description
currentware-_zldt	1 day	No description
et_pb_ab_view_page_26104	session	No description
gaclientid	1 month	No description
gclid	1 month	No description
handl_ip	1 month	No description available.
handl_landing_page	1 month	No description available.
handl_original_ref	1 month	No description available.
handl_ref	1 month	No description available.
handl_ref_domain	1 month	No description
handl_url	1 month	No description available.
handl_url_base	1 month	No description
handlID	1 month	No description
HandLtestDomainName	session	No description
HandLtestDomainNameServer	1 day	No description
isiframeenabled	1 day	No description available.
m	2 years	No description available.
nitroCachedPage	session	No description
organic_source	1 month	No description
organic_source_str	1 month	No description
traffic_source	1 month	No description available.
uesign	1 month	No description
user_agent	1 month	No description available.
ZCAMPAIGN_CSRF_TOKEN	session	No description available.
zld685336000000002056state	5 minutes	No description