Security when working from home

Moving with little notice from a trusted office environment to working from home or a remote location has the potential to create cybersecurity risks. In a rush to comply with the unprecedented Level 4 lockdown New Zealand currently faces, many organisations and staff may not yet have had the opportunity to think about, or implement, basic cybersecurity hygiene in their home office set up.

In addition, there are widespread reports of an increase in cybersecurity risk due to opportunistic criminals seeking to profit from the current coronavirus pandemic. In particular, phishing scams that prey on scared or distracted individuals appear to be prolific.

Working from Home – Cyber Risks
While the home network can present many vulnerabilities, the top cybersecurity risks faced by users working at home usually fall into the following categories:

  • Social engineering attacks

Social engineering attackers target victims in times of uncertainty or stress (such as the current climate) and attempt to trick users into performing an action that ultimately causes harm. They may encourage you to click an email link that directs you to a phoney website or fool you into transferring funds to a fraudulent account.

  • Weak passwords

Weak passwords and poor authentication practices continue to be a leading cause of system and data breaches today.  Home PC’s that may have once only been used for personal browsing may now be used to access or store sensitive company information. While company policies often force strong password policies, the same may not be in place at home. Vigilance is required to keep these home systems secure.

  • Out of date systems

Not updating applications, anti-virus tools and operating systems to the latest version leaves them exposed to known vulnerabilities.

Considerations for Employers
If your business has employees working from home, we recommend you consider the following:

  1. UPDATE YOUR INCIDENT RESPONSE PLAN: Along with your Business Continuity plans, you should review and update your Incident Response Plan to ensure your Incident Response Team can expertly manage any cyber event from home. Consider what your primary communication and online collaboration tools might be, update your phone trees and procedures to accommodate employees working remotely.
  • PROMOTE AWARENESS: Now is a great time to lift the knowledge and awareness of your team. Information on the cyber risks they may face when working from home is an excellent place to start. Additionally, let your team know whom to contact should they think they have been targeted by a scam or are suspicious of any online activity.
  • COMMUNICATE EXPECTATIONS: Ensure your team are aware of their responsibilities to protect sensitive data and that the use of insecure systems is not acceptable. Educate everyone on the types of information that must be protected. Consider activities such as conducting a password audit if applicable.
  • HARDEN YOUR DEFENCES: Ensure Multifactor authentication is a requirement for all remote login or cloud-based applications. Concentrate on securing your VPN, firewalls and endpoint protection by applying the latest patches and checking the configuration.
  • CONDUCT A FORMAL SECURITY ASSESSMENT: When possible, ensure your newly configured information systems are secure in line with best practices.

10 Cyber Security Tips for Working from Home
Below are out tips for IT professionals, and the staff who will be using IT systems while working from home. We outline ways to secure your home network and stay safe online while working-from-home.

  1. BE AWARE: Use common sense and increase your knowledge of currently active scams. If an email or other communication seems suspicious, assume it could be fraudulent and proceed with caution. Key signs include the message appearing to be urgent, poorly constructed, or too good to be true. Regularly check the NCSC, CERTNZ and our Alerts for cyber threat information.
  • UPDATE YOUR SYSTEMS: Make sure your operating system and all applications are up to date with the latest version and patches installed. Turn on automatic updates wherever available. Don’t forget to update firmware (router) and other equipment on your home networks such as your smart tv, or baby monitor if possible. Updating may require rebooting your PC at times – try to regularly find time for this or schedule it to occur overnight.
  • RETHINK YOUR PASSWORDS: Create secure and unique passwords for each account. Change these regularly. Try using passphrases rather than creating longer passwords that are hard to remember or start to use a password manager such as KeePass or LastPass. Password managers create, remember and autofill passwords for you.
  • ENABLE MULTIFACTOR AUTHENTICATION: Multifactor or 2-step authentication requires that you use both a password and a code to access your account. Services such as Dropbox, Twitter, and Gmail all support this. Your workplace may also require you to enable this to access Office 365 and other business systems. Multifactor authentication ensures that your account is still secure even if your password has been compromised.
  • BACKUP YOUR DATA: Ensure all critical files are backed up regularly.
  • SECURE YOUR HOME NETWORK: This includes securing your router by changing the default router/admin password and ensuring WPA2 or WPA3 encryption is enabled. Turn off WPS if your router still supports this as it is no longer secure. Make sure your WiFi password is strong.
  • USE ANTI-VIRUS SOFTWARE: Make sure you have effective anti-virus software in place, and that is up to date.
  • ENABLE FIREWALLS: Firewalls can defend your home device from external threats by creating a barrier between your PC and the Internet. Your operating system will usually have a firewall built-in, so it should be just a case of ensuring it is enabled.
  • USE A VPN: Consider using a Virtual Private Network (VPN). A VPN will encrypt all of your internet traffic, ensuring no one else can read it.
  1. ONLY USE REPUTABLE APPLICATIONS AND COLLABORATION TOOLS: It is tempting to download and install new software or collaboration applications when trying to replicate the functionalities you usually have in the office, at home. Be cautious and install only trusted apps and those approved by your organisation for use. Additionally, ensure file sharing is performed securely. Be wary of remote access applications.

Free Advice and Resources
Many organisations are uniting to ensure businesses and individuals have the information they need to safely and securely work from home. The following links are reputable free resources that you can use and share with your team to promote safe home working practices.

This resource is a simple, sensible bullet point list for both employers and employees working remotely.

CERT’s page offers links to various advice for individuals and businesses and includes a printable checklist guide for setting up remote working.

This kit contains advice for businesses and individuals now working predominately from home. It provides further links to information on several relevant topics such as securely working from home, social engineering scams and hardening the home network. It also contains a cyber-secure video and a communications template you can distribute and use to talk to employees about working from home securely.

The NIST guide covers a broader area than just at-home working and includes teleworking and BYOD advice for employers and employees.

This is a slightly more technical guide focussed on the purchase and secure setup of network devices created for the small office or home office situation.

While we find ourselves forced to operate our businesses in a new, and for some, unfamiliar way; practising basic security hygiene such as the steps outlined above will assist in addressing any new cyber risks.

Follow these steps to increase your home security and ensure that you remain extra vigilant in your daily online interactions.