Working From Home in 2021

The pandemic changed many industries and the workforce connected to them, but working from home is likely to stay for a while. As more companies help employees create home offices, businesses must figure out how to maintain strong cybersecurity for remote workers. Previously, most employees would go to the office and work in their assigned spaces. The cybersecurity measures in place at the office took care of all security needs for the staff.

The short answer to keeping remote workers secure is practicing good cybersecurity habits. Putting in the effort to learn and practice daily cybersecurity activities will pay dividends in the long run. We’ve compiled a list of 20 work-from-home security tips to help combat bad actors & educate work-from-home users.

1. Secure Your Home Office

The thought of securing a home office doesn’t come to mind readily for home PC security. Generally speaking a home office will be set up in a spare bedroom, an open space area that becomes a makeshift office, or sitting on a comfy couch. With that said, how are you securing your home office? For starters, we recommend designating an area strictly for work related activities. If possible, convert a spare bedroom or area into an office to help maintain a secure area.

A lock on the home office door prevents unwelcome guests from accessing the room that has workstations and other work related hardware. In addition if you use a laptop and relocate outside of the house, be sure to bring the device in with you so no one gets any ideas of grabbing the laptop. Maintaining a consistent awareness of security is key to any proper cybersecurity hygiene.

Lastly, lock up the home office when you finish your work day. You would never leave an office without locking up behind you. Securing a home office may sound like overkill, but implementing these solutions will help keep devices secure while working from home.

2. Secure Your Home Modem / Router

The importance of a secure home office internet connection has grown exponentially within the last year. Before the pandemic, most individuals didn’t think twice about their home security. You would use home WiFi and the internet mostly for streaming, catching up on news, social media, and other personal activities.

Fast forward to the present, and lots of folks are using their home internet connection for work purposes. What can you do to secure your home network? Glad you (virtually) asked. First, change the WiFi Service Set Identifier (SSID), the name that broadcasts throughout the home, to a name of your choosing. Most Internet Service Providers (ISPs) configure modems/routers with default settings. Changing the default name will prevent outsiders from knowing which ISP your home uses.

Second, change the WiFi password to something more complex. Use a minimum of 12 – 14 characters (the more the better) to help keep malicious actors from accessing the network. While you’re updating passwords, be sure to update the router password. Again, these devices come pre-configured with the exact same settings. If you and your neighbor have the same ISP and modem/router, chances are high that both modems/routers have the exact same password.

Lastly, confirm with the ISP the WiFi connection remains secure and closed to the household. On occasion the modem/router the ISP provides may be non-secure and using an old WiFi technology named Wired Equivalent Privacy (WEP).

We won’t dive too deep into WiFi security protocols, but in short all WiFi connections should be using WPA2. Call the ISP that provides internet to find out more.

3. Don’t Delay Software Updates

Software updates are one of the most overlooked security measures for businesses and employees. A software update patches various bugs, closes security holes, and provides additional software features. For instance, when a Microsoft Office update becomes available, chances are the update is plugging up security vulnerabilities as well as adding new features to the suite. Any time software displays a prompt to perform an update, we highly recommend pushing the update through. Similarly, if a business partners with a managed IT service provider, the system administrators schedule a time to push these updates to the entire network.

Delaying software updates can become troublesome. Eventually the software will need to be updated. Don’t delay: either perform the software update yourself, or have the managed IT service provider set a plan to push the update during non-business hours.

4. Watch Out For Phishing Scams

The new normal of working from home became a reality during the early months of the pandemic. More and more businesses are helping employees settle into this new normal. However, the fact that most people are working from home doesn’t mean you can be more relaxed with company assets. For example, email phishing is a consistent hacking method bad actors use to obtain an individual’s email password.

Email security awareness is a continued practice no matter where you’re working. In other words, remain vigilant when reading emails. Calling an individual who sent you a strange-looking email is a good way to get secondary confirmation, especially if the email doesn’t look quite right. Never click on any links within an email if you’re unsure of the source.

Scammers are looking for ways to target home workers now more than ever. Remain alert and always check with the sender if the email is legitimate.

5. Implement A Virtual Private Network (VPN)

A virtual private network (VPN) is by far an excellent security protocol to implement for any sized business. We discussed the benefits of implementing a VPN protocol in a separate blog post and provided a great overview.

A VPN provides an encrypted internet connection. To demonstrate how a VPN would work in the real world let’s discuss an example. If you were to work in a Starbucks or other public area with a WiFi connection, chances are high the connection is not secure. Most free WiFi connections are far from secure and leave you open to malicious individuals who know how to infiltrate the wireless connection.

Say you have a VPN set up for your business. When you connect to your VPN, the connection becomes encrypted. In other words, the traffic between your device and the VPN is unreadable to other people or computers on the same network. The encrypted connection keeps your data safe and secure. While this example is an oversimplification of VPN, understanding the importance of a VPN connection can help you make better technology decisions when away from your home network.

6. Increase Password Complexity

Passwords are one of the biggest vulnerabilities in cybersecurity. Too many individuals use short or simple passwords that can be easily guessed. For example, using “password” as your password is never a good idea. Similarly, avoid using pet names, relatives’ names, or anything else that is easily associated with you or your family. We strive to enforce strong, complex passwords to help mitigate potential issues down the road.

Use a minimum of 14 characters with a combination of upper and lowercase letters, special characters, and numbers. Additionally, implement and practice using complex passwords throughout other login touch points. In fact, if software, web logins, etc. have a password that is easy to guess or have no password at all, we highly recommend adding a password or updating the existing one to something more complex.

It is important to realize that passwords are the gatekeepers to specific devices and services. The more complex the password, the harder it is to guess and the better it resists a brute force entry into said device or service. Collaborate with IT to keep all accounts secure with complex passwords.
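The rules in this tip can be checked automatically. The following is an added example, not code from the original article: it tests a candidate password against the 14-character and character-mix rules above and rejects “password” or personal words even when disguised with look-alike characters. The look-alike map, the `personal_words` parameter, and the sample passwords are assumptions made for illustration.

```python
import string

MIN_LENGTH = 14              # minimum length stated in the tip above
COMMON_WORDS = {"password"}  # the article's own example of a bad choice

# Constructed map of common look-alike substitutions (an assumption,
# not from the article) so "P@ssw0rd" is still recognized as "password".
LOOKALIKES = str.maketrans({
    "@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
    "3": "e", "$": "s", "5": "s", "7": "t",
})


def normalize(text):
    """Lowercase the text and undo look-alike substitutions."""
    return text.lower().translate(LOOKALIKES)


def check_password(password, personal_words=()):
    """Return a list of policy violations; an empty list means it passes.

    personal_words is a hypothetical parameter: names of pets, relatives,
    or other terms easily associated with the user.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")

    # Compare in normalized form so disguised words are still caught.
    flat = normalize(password)
    # Ignore very short personal words to avoid accidental matches.
    guessable = COMMON_WORDS | {w for w in personal_words if len(w) >= 3}
    for word in sorted(guessable):
        if normalize(word) in flat:
            problems.append(f"contains guessable word: {word}")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords and personal words.
    samples = ["password", "P@ssw0rd-Buddy2021!", "Cobalt-Lantern-47-Quiet!"]
    for candidate in samples:
        issues = check_password(candidate, personal_words=["Buddy", "Alvarez"])
        print(candidate, "->", issues or "OK")
```

A password can satisfy every length and character-class rule and still fail because it is built from a guessable word, which is why the second sample is rejected.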

7. Incorporate MFA For All Web Services

In addition to increasing password complexity, incorporating an extra layer of security when signing into a website is a great idea. Multi factor authentication (MFA), sometimes referred to as two-factor authentication (2FA), is defined as a security enhancement that allows you to present two pieces of evidence when logging in to an account. For instance, when logging into an email account like Gmail or Yahoo, you receive a notification to confirm it is you logging in. You will receive a code or prompt on your mobile device, which you can use to confirm your login.

Any time company employees are accessing sensitive data, implementing MFA would be an ideal security protocol. An account protected only by a password would be easily accessible if the password were to become public knowledge. Without the second layer of security, the malicious individual would be able to sign in without a second verification step. A smartphone, email, or other secondary device becomes the second verification method for accessing the email account, thus adding an extra layer of security to your sensitive material.

Installing an additional layer of cybersecurity will help prevent hijacking of sensitive account data. Work with your IT provider to activate MFA if you don’t have the protocol implemented already.

8. Keep Personal & Work Devices Separate

The temptation of combining both a work and personal device into one is intriguing and convenient. However, work devices should be just that: used only for work. To clarify, no work device should be tied to any personal information. First, all personal data will need to live on its own devices. You don’t want personal data mixing with business data. Second, business data is sensitive. You have customer information, credit card numbers, and other highly classified data that will need to be kept off a personal device. Lastly, keep the company provided device in a separate location from the personal device. In fact, lock the room or store the device somewhere only you have access to.

Mixing devices can hinder security for employees, especially if data has been shared between devices. Personal and work data need to remain on their own devices. For example, you don’t want a virus attacking a personal device that contains an important report or document. Imagine if that virus wiped away all of your personal and work data.

Keep personal and work devices separate at all times. You’ll be happy you did.

9. Avoid Working At A Public WiFi Location

Free WiFi is a convenient connection to have when in a pinch. Did you know that most free WiFi locations have insecure connections? In fact, the reason free WiFi is readily available in coffee shops, airports, or other lounge areas is how easy it is to install a free WiFi hotspot. Although free, these connections are not safe by any stretch of the imagination. You’ll be happy to know there are methods to help avoid free WiFi and insecure connections.

For starters, we recommend using a smartphone as a hotspot to tether the connection from phone to laptop. A smartphone is a more secure method in a variety of ways. First, you’re the only person with the connection credentials. Second, the phone is using a cellular connection instead of an insecure WiFi connection. And lastly, that cellular connection is much more difficult to infiltrate than a free, non-secure WiFi connection.

Most smartphone service providers are offering unlimited data, which you as a traveler can take advantage of. Always use personal devices like a smartphone for internet access. Use the free WiFi sparingly for finishing time sensitive tasks if no other option is available.

10. Encrypt Data As Much As Possible

Encryption became a buzzword around the time the Internet was leaning into increased security. Encryption is a way of scrambling data so that only authorized parties can understand the information. In other words encryption takes readable data and changes it so that it appears unreadable by humans or computers.

The type of data that should be encrypted can vary. For instance, email is always a good topic when discussing what data needs to be encrypted. Modern email clients like Microsoft Outlook can provide encryption. In addition, other 3rd party tools like Hightail and ShareFile are solid options when sharing sensitive data.

Encrypting data is a must for specific industries. Financial sectors need higher data integrity standards, which require encryption of specific data. For example, social security numbers and other personally identifiable information are candidates for encryption to deter any espionage. Similarly, by encrypting data you’re also protecting the business from liability. The more security protocols implemented, the higher the difficulty of obtaining shared data.

11. Backing Up Data

The first rule of backing up is talking about actually backing up data. For example, setting a continuous schedule to back up data will be a win for any business. Similarly a backup strategy is more than simply backing up data on a computer. In fact, implementing a backup strategy entails discussing numerous topics about the company data. For instance, what data needs to be backed up? How often do we need to keep backups? How quickly do you need to retrieve lost data?

While backing up all important data will be relevant to the discussion, determining what data is crucial is another task in itself. A business will determine what data is relevant to keep the company moving forward. Take a moment to think about the impact the business would incur if a certain set of documents or data were gone. What data would paralyze the business if it were to go missing forever?

Work with IT on setting up a backup strategy. A typical backup strategy will cover all important network devices, such as servers, desktops, and network attached storage (NAS). A managed IT service provider can work with you on a plan that fits the company budget and on how fast data will need to be recovered in case of an emergency. Don’t wait too long to get a backup strategy in place. The sooner the backups are running the better sleep you can get at night.

12. Use Company Provided Thumb Drives

Small flash or thumb drives are hardware devices that allow users to store data. If you’re anything like me you have a handful of these lying around the house in a junk drawer. We’re here to champion using company provided thumb drives to improve your overall cybersecurity. A managed IT service provider can set specific parameters on thumb drives unique to you. For example, adding a password to the thumb drive will prevent others from easily accessing the data on the drive. A thumb drive used at home may hold both personal data and work data.

We highly recommend that you not use any personal or random thumb drives found at the home office or a friend’s house. Unknowingly using such a thumb drive can spell disaster for a computer. First, an unmanaged thumb drive may be storing personal information. This is information that you do not want on your company provided laptop. Second, the thumb drive may have old, outdated software that potentially leaves the drive vulnerable and causes further damage to the computer. Lastly, using a random thumb drive without knowing what’s on the drive is another cybersecurity mistake.

Work with the IT team to secure the thumb drive as much as possible. One last tip, if sending a thumb drive via mail, be sure to password protect the drive. You can call the recipient with the password once the thumb drive arrives. You can never be too careful when sending data via mail or email for that matter. Always err on the side of caution to prevent any major cyber issues down the road.

13. Keep Your Operating System Up To Date

The operating system runs the entire computer’s internal system. Windows 10 and macOS Big Sur are two examples of an operating system. The importance of updating the PC’s operating system cannot be stressed enough. For instance, when an operating system update is available, we highly recommend installing the update towards the end of day. In fact, installing the updates at the end of the work day will prevent any stoppage. Similarly, a second option is to install the updates over the weekend, which will allow the PC to reboot as many times as needed to install the new operating system.

Lastly, partnering with an MSP will free you from handling any updates moving forward. When you partner with an MSP, you can work with the provider to install updates during non-business hours and on your behalf. The MSP accommodates the company’s work schedule and installs the patches during off hours. Installing operating system updates remains a smart and sound decision. While not the most exciting task to perform on a PC, running operating system updates is critical to the health of the PC and to squashing any security vulnerabilities.

14. Set A Schedule With IT To Run Company Device Updates

One of the many perks of partnering with a managed IT service provider is a service called remote monitoring & management. Numerous tasks are performed remotely and running device updates is one of them. In the previous section we discussed how an entrepreneur will be able to perform security updates on their own. However, most users will ignore the prompts to update the software or OS and instead push the update off to a later time. Here’s how an MSP can help save you time & clicks.

For starters, an MSP will perform the updates on your behalf. In other words, the IT team will have remote support agents on company devices and will be able to perform the security updates on behalf of the end users. In addition, IT will work with the company’s point of contact to determine what times are optimal for security updates. For example, when the MSP performs security patches on the second weekend of the month, the IT team downloads the updates and installs them during non-business hours. The goal is to prevent any disruption, while maintaining full cybersecurity protocols for the entire business.

Instead of ignoring security updates or trying to determine the optimal time to run them, farm out the security updates to an MSP. You’ll save time, energy, and resources.

15. Ensure Automatic Locking Is Enabled

Automatic locking will lock your device after a certain amount of time of inactivity. System administrators have come to an agreement that a device should automatically lock after 15 minutes of inactivity. In fact, implementing a device’s automatic lock policy can help maintain a secure network. Many company policies require that PC lock settings are in place to meet financial or investment guidelines. In addition implementing an automatic locking policy helps keep computers from being accessed by uninvited internal guests. This allows company data to remain secure and locked away.

We encourage all businesses, no matter how big or small, to lock devices on a regular basis. Here’s a fun tip: For Windows users, if you hit the Windows Key + L keys simultaneously, the screen will lock. For macOS users, tap on the keys CTRL + CMD + Q.

16. Confirm Antivirus Is Running On Device

Every workstation will need to have an antivirus (AV) software running. This point bears repeating: Every workstation will need to have an AV software running. The importance of installing and maintaining an AV app cannot be overstated. While other security tools live on the network and firewall, an AV app runs locally on the PC. A solid AV will run on a continual basis and schedule full scans outside of peak business hours. The AV does not take breaks and will run 24/7/365.

Smart AV software is able to detect whether a threat is viable and can quarantine said virus. Look for AV software that automatically looks for nefarious files or unwelcome digital guests. Confirm with your managed IT service provider whether an AV is installed on all business devices. The more devices with AV installed, the more secure the business will be.

17. Enable Find My Device & Remote Wipe

All Windows and macOS computers come with a “find my device” feature. The feature allows end users to wipe the computer if stolen, lost, or unrecoverable; therefore preventing data from being accessed by malicious entities. Most managed IT service providers incorporate remote wipe type features to safeguard a mobile workstation. For instance, BitLocker is an encryption feature built into computers running Windows 10 Pro. In short, BitLocker encrypts the computer’s hard drive and secures your data by scrambling it so it can’t be read without authenticated decrypting using a recovery key.

For macOS users, Find My Mac is a similar solution to Windows BitLocker. For instance, if a MacBook is stolen, you’re able to lock your Mac or erase the Mac from another Apple device. In addition, you’ll be able to pinpoint the device using an Apple iPhone and determine where the device is. In the event that the Mac device remains powered off or offline, you can still use Find My Mac to request a notification when it’s located, or lock or erase it remotely.

Travel will soon be opening up and individuals will be carrying laptops, smartphones, and tablets with them for work. Make sure each device has a remote wipe capability to protect sensitive company data.

18. Work With IT On Wiping Any Non-used Devices

Data sanitization refers to wiping a hard drive once the computer is no longer needed in service. An MSP works with a customer to ensure no data or personally identifiable information (PII) remains on the hard drive. Ensuring data is erased from a hard drive helps protect sensitive and company data. With that said, what are your business’s protocols for wiping hard drives?

The first step requires working with the IT staff to prioritize wiping and erasing the hard drive’s data. A solid method to wipe the hard drive uses the DoD 3-pass standard. In short, using the DoD data sanitization method will prevent all software-based file recovery methods, as well as hardware-based recovery methods, from recovering meaningful data from the drive. The second step confirms that the hard drive wipe was successful. The last step determines whether the hard drive is an e-waste candidate or can be used again for another end user.

Erasing the hard drive’s data is good cybersecurity hygiene. Work with your managed IT service provider to determine the best course of action for your business.

19. Increase Cybersecurity Awareness Training

Cybersecurity awareness training became an essential part of businesses prior to the pandemic. Fast forward to 2021 and more businesses have become targets for phishing attacks under the guise of COVID-19 topics. Now is a crucial time to implement or update your cybersecurity training. Maintaining a consistent training regimen not only provides solid PC education, but the program will also help to keep employees up to date on the latest threats. For instance, running a faux phishing campaign can help increase awareness of who’s paying attention to email and who needs additional cybersecurity awareness training.

The objective isn’t to call someone out or publicly shame an individual, but rather the goal is to teach and coach the individual on what they missed on the phishing training session. Work with IT on providing cybersecurity training to all end users. The more educated the company on digital threats, the better off the business will be.

20. User Access Control

The question of whether end users should have admin rights has been debated on numerous occasions. Allowing individuals to have admin rights is a slippery slope, and we do not recommend it. For example, when a user has admin rights enabled for their profile, the chances that the end user may end up accidentally downloading or installing a malicious application increase. In addition, the computer may become infected and you may be unable to access company data. We highly encourage businesses to restrict any user from having administrative rights.

The system administrators recommend limiting or completely removing admin rights from all users. If administrator rights are a must for a business, we create and assign a separate account to act as an admin for software installations or other PC needs. Keeping end users away from admin rights helps prevent ransomware, data breaches, and other catastrophic events involving malicious digital guests. While it may be convenient to have admin rights, cybersecurity for the entire company should always outweigh convenience.
