Authored by: Aaron Zander, Head of IT at HackerOne
Use a good password manager. Don’t share logins and passwords unless you absolutely have to. If you have to, then it’s time to invest in a password manager for your team or company. Tools like 1Password make sharing large amounts of secure data easy, and help secure your teams even more.
Use Multi-Factor Authentication (MFA). Authentication is the process by which a computer validates the identity of a user (e.g. with a username and password). Two-factor authentication (2FA) commonly combines a password with a phone-based authentication factor. However, 2FA has shortcomings: hackers can bypass wireless carriers, intercept or redirect SMS codes, and easily compromise credentials. Multi-factor authentication is more secure because it adds an additional layer of protection. Instead of just asking for a username and password, MFA requires additional credentials, such as a code from the user’s smartphone, the answer to a security question, a fingerprint, or facial recognition.
Stay at home. If you can, work from home, not from a coffee shop, to reduce the chances of (corporate) espionage. It’s preferable to leave the laptop at home (locked) and go out for a break and then return. If you really need to go to the coffee shop, then use a private VPN for any untrusted network or location, like encrypt.me. VPNs aren’t the end-all-be-all for security though.
Disconnect from the company’s VPN when not in use. Leaving the connection open increases the likelihood that, if your machine is breached, the compromise extends past it and into your corporate network. Also, at a time when many more people are connecting via these services, disconnecting gives your infrastructure team a little more room to breathe.
Secure your home router. It is essential to ensure your home wifi router has a strong password and is up to date. Search the name of your router together with the words “breach” or “security issue” and see if yours is on the list. Most of these issues can be fixed with a simple software update. If your network equipment is no longer being updated by the manufacturer, the chance of vulnerabilities increases over time. Make sure you’ve changed the default administrator password on your router and other network equipment. Ensure your wireless networks are using WPA2 security or higher. And, if you can, put guest devices on a separate wireless network isolated from your personal devices.
Don’t share your online meeting IDs or meeting URLs on social media. Online meetings are increasingly productive tools that allow people to work from anywhere, not just the office. But they come with a caveat: Sharing the meeting ID or URL can allow people to drop in and listen to sensitive conversations, record your voice or video, and infiltrate your new virtual workplace. Some meeting tools allow you to limit meetings to only people in your organisation or add a password, but not all do.
Be even more paranoid of phishing and other scams. If something looks suspicious, don’t click or act on it. Email scams related to COVID-19 are already on the rise, and the U.S. Department of Health and Human Services recently announced that they have fallen victim to a cyber attack that involved a COVID-19 misinformation campaign that quickly spread via text, email and social media. In general, never share personal or financial information via email if you weren’t expecting the request. If you get such a request, it’s best to call or video conference the individual directly to confirm.
Expect criminals to try to take advantage of the increased distances in our workplaces. Often a lot of the checks and balances around things like financial requests and last-minute invites to meetings or other services are done in person. Now that they might happen via email, be extra diligent about checking who is sending them. Phishers are going to take advantage of the lack of processes that are in place. If you get a request via email or messaging services, always try to verify outside of the chain that initiated the request. For example, if you get a request from your CEO to refund a customer to a new bank account, instead of replying to that thread to confirm, message them in a new email or via a different medium (call, instant messaging, etc.) to verify the request. For large transactions, always have another person on your team double-check the request and your work as well for safety. It’s rare that an extra hour will make a difference in the case of a wire transfer, but the consequences of moving too quickly can be felt for a long time.
Don’t use your personal laptop or desktop. Don’t fall prey to the habit of using your personal machine for work. It’s inherently less secure than your work machine. Also, if you install extra tools for work to your home laptop, who knows what access you’re giving to your company. It’s safer to keep them separate.
Avoid installing new apps without permission from IT. Some apps may be harmless, but every additional app on your device is a potential cause for concern. Employees working from home may create or adopt new software tools and services that aren’t as thoroughly tested and protected as the tools they normally use, posing a great risk to the corporate network.
Don’t mix personal and work-related internet browsing. If you use Chrome, use a personal profile for personal browsing, and a work profile for work browsing. At home, it’s a lot easier to slip into mixing work and personal browsing.
Lock your laptop. At work we often get really good at locking our laptops when we walk away from them, but at home we leave them unlocked. That’s a bad habit to get into, because it makes it more likely that you won’t lock your laptop when you’re out and about.
Stay connected online. Connect with your co-workers often to help feel like you’re still connected to each other. Security is often tied to visibility; staying connected helps keep you and them visible.