The sudden rush to remote working can create additional cybersecurity threats to employees and their employer. This includes vulnerability to identity theft, phishing, malware and ransomware. Employers may be exposed to data breaches, privacy breaches, unauthorised access by hackers, as well as other types of threats.
Thankfully, there are a few simple ways employees and employers can protect themselves with no IT degree or background required.
Checklist 1: Ensure a cyber-safe computer
Regardless of whether the computer is company-provided or a personal laptop, it is strongly advised to take the following precautionary measures:
- Ensure the latest versions of all relevant application software are installed and operational. This is especially critical for email and office type applications as well as any project management, financial and other applications required daily.
- Ensure remote login software, including a VPN (Virtual Private Network), is installed and operational to safely connect to any employer infrastructure or cloud applications and systems.
- Ensure antivirus, endpoint security or internet security software such as Norton (from Symantec), TrendMicro, McAfee, TotalAV, Bitdefender, Malwarebytes, Avast, AVG or other is installed, fully up-to-date and working properly according to the organisation’s Cyber Security policies and procedures.
- Enable MFA (Multifactor Authentication) for access to key or important systems and/or applications. This means a code is sent to a separate device such as a mobile phone, and this code then needs to be entered to access work applications.
If an employee has never used their laptop or device remotely or from home, they should ideally take the laptop home beforehand and test that all the above measures are working properly. It’s much easier to come back into the office and have problems resolved than to find out on the first day of working from home that most applications are not working remotely.
If an employee is connecting to the company infrastructure, then it’s the employer’s responsibility to ensure there is enough bandwidth available to access all applications and systems. If your employees are connecting through a mobile network using a wireless modem, mobile phone hotspot or NBN connection, it’s important to be aware of the following:
- Availability of bandwidth – mobile networks including NBN may not be able to cope with the volume of internet traffic if students, people working from home, the general population and business are all using the same local infrastructure.
- Any data restrictions or volume limits on mobile data (typically 15 – 60Gb of data) and NBN connection data (100Gb) after which connection may be terminated or severely limited (slowed down).
- Check the home connection plan’s data limits to see whether there are any additional fees and charges associated with a greater volume of data downloads.
Checklist 2: Creating a safe network
If employees are connecting to work via a home wireless network and NBN connection or any other way not provided or specified by the employer, the employee is responsible for securing:
- the machine or laptop and making sure it is compliant with the checklist above
- the wireless network
- any mobile phones
- any other devices such as Smart Speakers, cameras, TV, and entertainment systems that are connected to the same wireless network.
There are vulnerabilities when it comes to home wireless networks and NBN connections. Here’s what they are and the actions to take:
1. Default passwords in use, including guest passwords.
Action to take: Change default and guest passwords.
2. Higher levels of security and encryption not switched on.
Action to take: Turn on WPA2 encryption. This is more secure than WPA or WEP (Wired Equivalent Privacy) because it uses a stronger AES encryption algorithm (Advanced Encryption Standard).
Action to take: Disable WPS (Wi-Fi Protected Setup) – this is an insecure feature that makes any wireless network more vulnerable to attack.
3. Wireless network visible to any passers-by.
Action to take: Switch off broadcasting of network SSID (Service Set Identifier). Change the SSID – do not continue to use the default vendor name for the wireless network.
4. Make sure the wireless network is safe – has not been accessed by any neighbours, passers-by or any other third party.
Action to take: Enable router logs and check them on a regular basis.
5. Children accessing the home wireless network using school laptops, most of which are infected from school, other friends’ wireless networks, and/or directly from the internet.
Action to take: All machines connecting to the home wireless network must have an up-to-date Antivirus or Internet Security software installed and operational (signatures up-to-date) monitoring connection in real-time. If possible, make sure the wireless router comes with a specialised built-in firewall that adds an extra layer of protection. Moreover, switch off the wireless network if not using it for extended periods of time.
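One way to carry out the router-log check from item 4, as an added example that is not part of the original article: the script compares every device address seen in a router log against a list of the household's own devices and reports the ones it does not recognise. The log line layout, MAC addresses and device names are constructed for illustration; real router logs differ by vendor.

```python
import re
from collections import defaultdict

# Constructed allowlist: MAC addresses of devices the household owns (assumption).
KNOWN_DEVICES = {
    "a4:83:e7:11:22:33": "work laptop",
    "3c:5a:b4:44:55:66": "mobile phone",
    "f0:18:98:77:88:99": "smart TV",
}

# Constructed sample log; the line layout is an assumption, real routers vary by vendor.
SAMPLE_LOG = """\
2020-04-02 08:14:05 DHCP: assigned 192.168.0.10 to A4:83:E7:11:22:33 (WORK-LT)
2020-04-02 08:20:41 WLAN: station 3c-5a-b4-44-55-66 associated
2020-04-02 23:47:12 DHCP: assigned 192.168.0.23 to 9E:0C:2B:AA:BB:CC (unknown)
2020-04-03 02:03:55 WLAN: station 9e:0c:2b:aa:bb:cc associated
2020-04-03 02:04:10 WLAN: authentication failed for de:ad:be:ef:00:01
2020-04-03 07:30:00 SYSTEM: firmware check complete
"""

MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")
TIME_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

def normalise_mac(mac):
    """Lower-case and use ':' so the same device always compares equal."""
    return mac.lower().replace("-", ":")

def unknown_devices(log_text, known):
    """Return {mac: [(timestamp, line), ...]} for MACs not in the allowlist."""
    known = {normalise_mac(m) for m in known}
    findings = defaultdict(list)
    for line in log_text.splitlines():
        stamp = TIME_RE.match(line)
        for raw in MAC_RE.findall(line):
            mac = normalise_mac(raw)
            if mac not in known:
                findings[mac].append((stamp.group(1) if stamp else "?", line.strip()))
    return dict(findings)

if __name__ == "__main__":
    for mac, events in unknown_devices(SAMPLE_LOG, KNOWN_DEVICES).items():
        print(f"Unknown device {mac}: {len(events)} event(s)")
        for stamp, line in events:
            print(f"  {stamp}  {line}")
```

Phones that use a private (randomised) Wi-Fi address appear in the log under that address rather than the hardware one, so record the address the phone reports for the home network when building the list.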
Checklist 3: Operational guidelines
The following is a checklist to safely work from home.
1. Make sure the laptop is set to print at home rather than the usual place of work.
2. Keep any work and personal documents that contain sensitive or confidential information in a safe place and have a lockable secure mailbox at home. Destroy/shred all paper documents containing any sensitive personal, work or financial information – do not just discard in the bin.
3. Don’t post personal, private and confidential information online, including details that may seem harmless but could be used to guess the password. Use strong passwords for everything, meaning a short phrase that contains alphanumeric characters and symbols like %, $, # or @.
4. Store passwords securely – if they are on a mobile device or in the cloud, they are hackable. Change passwords regularly (every 3 – 6 months).
5. Limit the use of USB drives – almost certainly never use any USB drive that is unknown or has not been scanned.
6. For all home devices (laptops, tablets, mobile phones and computers) connected to the same wireless network, especially children’s school laptops:
- Make sure all the operating system software is up-to-date.
- Use an Internet Security Protection Software Suite such as Norton from Symantec including a firewall, anti-virus, anti-spyware and anti-phishing tools to protect from direct and indirect attacks.
- Beware that if kids are running YouTube or playing movies from the internet, this will slow down the Internet connection.
7. Use encryption, but before encrypting anything, keep data backed up on an external Hard Disk Drive in a secure location to avoid the pain of losing anything.
8. Whenever using a browser for transactions, use the HTTPS secure protocol.
9. Enable browser extensions from the Internet Security Suite. Browsing history can be disabled from being stored. Use the In-Private/Incognito mode for all browsers for privacy protection.
10. Be smart when travelling in public wi-fi zones. It is surprisingly easy to set up a rogue wi-fi hot spot to steal any user’s password credentials. Within minutes a reasonably skilled hacker will obtain many passwords in a busy facility.
11. Never log in to work or financial accounts using public wi-fi. Use a password-protected hotspot from the mobile phone instead.
12. Do not click on any links in emails that are suspicious and beware of phishing emails. Even emails forwarded by a trusted colleague may be a phishing email. Never click on any attachments in suspicious and unverified emails. Also never respond to any unsolicited emails or click on any links in such emails.
13. Only install apps on the mobile phone from the official vendor app-store (Apple, Google, etc.). Most importantly always check online first to make sure the app is safe.
14. Download or install files, documents and/or software from the internet only if they come from verified reputable sources or providers, and have them scanned by the Internet Security Suite and verified as safe before installation and/or use. The default browser may also scan downloads; however, it is best to set the Internet Security Suite to scan downloads.
15. If using the cloud, most cloud providers provide additional security features for an additional fee. The likelihood is that if it’s in the cloud, it can be hacked – not always because of cloud providers, but because the way the individual connects directly to the cloud creates a vulnerability.
If an employee makes any payments on behalf of the employer or has access to sensitive financial information, the guideline is to:
1. Keep credit cards safe at all times.
2. Check bank and credit accounts regularly and look out for any suspicious or unusual transactions with vendors or organisations.
3. Put alerts on the accounts where text messages or emails are sent in case of major transactions going through the account, any password changes, or any other changes such as an address, email address and mobile phone number changes.
4. For all banking, enable multi-factor authentication where the bank sends a one-time use code via text message.
5. For mobile phones – protect access using a PIN.
Checklist 4: Ensure proper HR policies and procedures in place
Having proper policies and procedures in place helps employees understand their rights and responsibilities including technical support and other facilities available when working from home.
To help ensure you have the right policies and procedures in place, download helpful resources like:
- Business Australia’s Employer Toolkit which includes:
- Working from home checklist
- Working from home policy
- Ergonomics checklist
- Mental Health Policy
- HR Advance’s
Over to you
Working from home exposes a significant transfer of liability from employer to employee depending on company facilities and how an individual is connecting to applications and systems. Surveys indicate home-based staff spend between 10 and 22% of their time overcoming technology issues and problems.
Working from home may be liberating at times or in some cases unavoidable (e.g. given pandemics such as COVID-19). It also comes with its own challenges and responsibilities.
The views expressed in this article are those of the author and do not necessarily represent the views of Business Australia.