With more companies encouraging their employees to work from home to mitigate the spread and effects of COVID-19, cyber hygiene is as important as ever. When working remotely, we frequently access potentially sensitive and confidential information, and, without our organization’s IT department standing guard as the first line of defense, this can be a precarious situation. Clifford Neuman, cybersecurity expert at USC’s Information Sciences Institute and faculty in the Department of Computer Science at the USC Viterbi School of Engineering, has five key tips to ensure that we all stay alert online.
“When working on-site, the organization’s IT practices provide a first line of defense against attacks,” Neuman explained. “If employees work from home on their own computers, this information ends up accessed from the same computers used for personal computing activities such as playing online games, or worse. This makes these systems more vulnerable to attacks, and a large number of home systems are already compromised by viruses and other malware, and are just waiting for access to corporate data that can be sent to the dark web. Working from home provides that access.”
So if we’re working remotely, what can we do to protect ourselves online?
1. Use a VPN.
A Virtual Private Network (VPN) gives users the ability to securely connect to another network over the internet anonymously, protecting your browsing data from potential lurkers. Many companies can provide access through a VPN – this option is much better than using a random VPN found online.
“If you’re working from home and connecting to your organization’s systems, be sure to use the VPN provided by the organization,” Neuman said. “Don’t use third party VPN’s for this purpose – you want your data protected all the way to your organization’s boundary (firewall).”
According to Neuman, third party VPNs only protect your data as far as their system, which means that the third party VPN provider would be able to see all your sensitive data. “Fortunately, in most corporate environments, policies may already prevent you from accessing their systems unless you use their VPN,” he said.
Contact your organization’s IT staff if you need help setting up their VPN.
2. Use company-provided equipment.
So you have access to your organization’s VPN – great. But reconsider setting it up on your family personal computer.
“When working from home, it’s better to use a computer that’s designated for work, possibly provided by your company,” said Neuman. “If you connect using a VPN from the home computer that others in your family use for entertainment, gaming, or file sharing, you’re creating an opportunity for malicious code that may already be running on your home machine to jump into your corporate network.”
Check with your organization if you can bring the essential work equipment you need back home.
3. Be conscious of where you’re storing data.
On that note, Neuman recommends not storing sensitive or organization-related data to your personal computer. “Your company probably has polices saying you can’t do this,” he said. “It’s all too convenient to download documents and work on them locally, but you’d probably leave the data lying around on your home computer where it’s an easy target for hackers.” This also goes for personal email accounts.
Avoid using your personal email for anything work-related; always use your email account(s) provided by your organization.
4. Be vigilant when opening and downloading attachments.
Concerns about COVID-19 are justifiably mounting, and some hackers can take advantage of these concerns by sending malware through emails. “We’re all doing things differently and criminals know that we might be more likely to follow links or instructions in emails without thinking things through,” Neuman noted.
We know to stay safe from viruses offline, but we need to protect ourselves from viruses online, as well. “If you receive email from a colleague using an unfamiliar address, don’t engage,” advised Neuman. “Criminals know that you’re making exceptions to your normal business practices and this gives them an opportunity to pretend to be your coworkers that want you to help them work remotely by sending documents to their non-corporate email address.”
In some cases, you may receive emails that claim to be an organization’s official communications, but, upon closer inspection, are actually using similar-but-fake email addresses. These emails may request information from you, asking that you send data to accounts outside your organization. “Often a criminal might pretend to be your boss and ask you to send them files as a way to steal sensitive data,” Neuman said. “In a common scam, some corporate accounting departments have sent W2 forms including employee social security numbers to accounts that they thought were the CEO.”
There are countless email messages circulating that claim to be COVID-19 updates from organizations, the CDC or other government agencies, but some of them may be phishing schemes or contain malware as attachments, and clicking on them can infect your computer system or worse. “In general, you shouldn’t click on links or open attachments in messages that you’re not expecting,” stated Neuman. “This applies even if the message appears to be from someone within your company or from a company you do business with. The ‘From’ address of emails are very easily forged by criminals.”
This goes for software links especially. “Don’t download software by following links in emails,” he continued. “Such software may contain viruses or other malware that will steal data from your systems in install ransomware.”
If ever in doubt, visit the organization’s site directly by typing in their web address (including the “https:”) to verify the message you received.
5. Use company systems whenever possible.
It’s important to do your work through organization-provided applications that run on the organization’s own systems. “[It’s far better] for your company to provide applications running on their own system to handle the processing that you need to do from home,” Neuman said. “Some companies support various remote desktop protocols, where your home machine is simply a user interface to a ‘virtual machine’ running within your companies IT boundaries.”
Double check with your organization’s IT staff regarding the capabilities they provide for this kind of access.
By following these tips, you can rest assured that you’re doing your part to be secure online when working remotely. If something here isn’t accessible for you, contact the appropriate representatives at your organization and let them know what you require for more protection online. Stay cyber safe, everyone!