A government agency may provide the tools required for an employee to work from home, including a computer, a virtual private network or Remote Desktop Protocol for encrypted communication, and anti-virus/anti-malware solutions. But ensuring those tools remain secure is everyone’s responsibility.
Security is not a one-sided effort — efforts at home complement and enhance those of the organization as a whole. What are the steps that employees working remotely should take? Here are the ABCs (and the DEFs) to follow for maximum security.
Audits, Continuous Updates and Password Security Aid in Protection
Audit: The more applications being used (on a laptop, smartphone or tablet), the bigger the attack surface. The first thing to do is audit: Take a look at all those apps that are rarely (if ever) used, and remove them. This decreases a hacker’s ability to take over a device or steal credentials. It’s especially important for mobile devices, where some apps have excessive permissions that can increase vulnerability.
Baseline Security: Malicious actors always look for easy ways to attack remote workers; for example, through spam or malware delivered via email. Install and activate all baseline security solutions for all devices. This includes anti-spam, anti-malware and anti-virus. Check to be certain applications are configured for automatic updates.
If a device does not use a VPN, equip it with one. This will protect any data it sends and receives. A VPN creates a secure tunnel between a home office and a government network or internet site, preventing criminals from watching any online activity. This is especially relevant when accessing sites that contain sensitive information, such as online banking or brokerage sites. Cisco Firepower VPN, for instance, can help protect all private information.
Continuous Updating: Hackers are vigilant when it comes to learning about vulnerabilities in applications, browsers and operating systems, and they quickly exploit those vulnerabilities. Update devices with the latest patches for everything. Don’t ignore notifications for new versions or assume it will be done later — do it now.
Installing the latest updates will help patch recently detected security flaws and provide new capabilities. It’s especially important to update mobile devices, where notifications can be less obvious. Check all apps periodically, and install the latest updates to ensure the strongest protection.
Percentage of people who regularly update their applications
Source: Google, Online Security Survey, February 2019
Difficult-to-Guess Passwords: Attackers try to find credentials they can use to gain access to sensitive information. While passwords for government systems might be long, complex and hard to guess, that’s often not the case with personal social media accounts and frequently visited websites. Even worse, many people reuse the same passwords. A 2019 survey by Google found that 65 percent of people use the same password for multiple or all accounts. Hackers who discover one password may gain free access to many apps, including banking or healthcare.
Change any duplicate passwords, and then look to multifactor authentication to increase security. Take advantage of any MFA security measure offered by a healthcare or financial services site, in particular. This will entail an additional verification step when logging in — generally a one-time password sent via text to a mobile phone.
For other accounts, install an MFA solution such as Cisco Duo or RSA SecurID, which can be implemented as software. Don’t forget to check the router, which probably came configured with a long, complicated password. Revisit the password if it was changed to something simpler. (Read a product spotlight on RSA SecurID SID700.)
Embrace Anti-Phishing Tools, and Caution
Evade Phishing: Some agencies require employees to take security awareness training, such as SANS EndUser Training, often with phishing simulation exercises to help spot phishing emails. Don’t get comfortable when working remotely. Be on the lookout for phishing emails and social engineering attacks. Don’t click links in emails or open attachments — even if the email looks like it came from an official agency.
Double check: If anything looks suspicious, call or send a separate email to the person who supposedly sent the email or inform the IT department. Caution can pay off big-time, especially today with the multitude of coronavirus-themed emails that phish for credentials. A moment’s hesitation could save an organization from malware or ransomware.
Fear Is a Friend: Fear can benefit a teleworker — and the agency. Remember the quote from Catch-22: “Just because you’re paranoid doesn’t mean they aren’t after you.”
This is especially pertinent today, when incessantly creative hackers try to access agency networks via teleworkers. They try to implant malware on devices to steal credentials and gain access to organizational data with lures to a website that looks legitimate but in fact is malicious. Mimicking a well-known website, a bogus site instead downloads malware by design.
Be vigilant, and always take a minute to double-check the details. Right-click a link to see its true destination. Don’t click through if it doesn’t match the purported destination.
Olga_Z/Getty Images (texture); RapidEye/Getty Images (mouse trap); alexey_boldin/Getty Images (laptop); cyano66/Getty Images (other devices)