Millions of people are working from home as employers are only asking essential workers to show up in offices and retail stores in an effort to stem the spread of coronavirus.
While some employees were already working from home either part time or full time and were set up to conduct remote work, other workers had to adapt very quickly to accessing company servers remotely and discussing projects via video calls or phone calls.
Maintaining privacy and being able to work effectively with your co-workers and clients, who are often in various time zones, can be challenging.
Cybercriminals are always on the hunt for more unsuspecting victims through phishing, smishing and by infecting software with malware.
“As companies around the world had to quickly shift to remote work, cybercriminals have been just as adept at capitalizing on the world situation and new work arrangements to steal data, divert wire transfers to steal money, hold systems for ransom or simply to disrupt video conference calls,” said Randy Pargman, senior director of Binary Defense, a Hudson, Ohio-based cybersecurity and threat intelligence company, and former senior computer scientist for the FBI. “Fortunately, many of the proven methods for securing remote employees and working from the road that have been learned over the years can be applied to help protect the new remote workforce as well.”
Here are 12 tips on how to work from home efficiently and securely while you’re coping with constant distractions and concerns about COVID-19.
1. Buy New Equipment/Furniture
Jason Brooks, a financial reporter with KCBS Radio in San Francisco who covers the stock market, economy and Silicon Valley and is also a business reporter for CBS Radio News, started working from home on March 13. He had never broadcast live from his home aside from doing an occasional phone report on breaking news. Brooks needed some new gear and purchased a new Mac 27-inch desktop because his old HP was not reliable.
He also upgraded his home mic with a new Shure Beta 58A and an iRig Pro audio interface that connects through his work iPad. They are used for a live connection on KCBS and for recorded pieces through Logic Pro X on the Mac.
“After working in radio and TV studios for about 30 years, it was quite the adjustment delivering live reports from home,” he said. “It took a couple of weeks to configure a setup that works and have quickly learned to be my own engineer.”
Brooks said he does enjoy working from home and skipping three hours of round-trip commuting into San Francisco, allowing him to spend more time with his wife and dog, Brinkley.
“But, I do miss the newsroom buzz and my colleagues,” he said.
“In those cases I need a ‘professional’ setting and use my home office,” he said. “When I don’t need to be on camera or when I want to get as far away from the family as possible, I retreat to my basement homemade standing desk.”
During conference calls, standing gives Clagett, a director of strategic initiatives at StrategyCorps, a Brentwood, Tennessee-based banking consultancy firm that develops reward programs associated with checking accounts for banks and credit unions, an opportunity to pace a bit in the hopes that he is burning calories.
“Making sure my WiFi reaches that corner of the house was an important consideration before construction,” he said. “By the way, the standing desk is made from the top of an old entertainment console I found, so I’m recycling while staying healthier.”
Daren Blonski, managing principal of Sonoma Wealth Advisors in California, bought a standing desk in March to adapt to working at home.
“Between dogs, kids and partners, working from home can prove hazardous to one's health,” he said. “In an effort to preserve my sanity, I have bought an Uplift standing desk. My rule is I can only sit when I talk to clients. So when I am doing the busy work I am standing. This forces me to do less busywork and allows me to help with managing the home.”
Like many other people, Blonski believes that working from home will become more commonplace and emerge as the new norm.
“Making sure I set up my workspace so that it’s more efficient has really helped - this meant getting better monitors, faster computers to trade on and having a direct line to my home office,” he said. “I don't believe work will get back to normal in the near future, so I planned and set up my space for the long haul.”
Maintaining balance and time away from computer screens is also vital.
“I also take time after the market closes each day to get some vitamin D and exercise,” Blonski said. “I found that working from home means I actually work longer hours, so I really have to create boundaries in order to make sure I am not doing 15-hour days every day.”
2. Avoid Free Public WiFi
Employees should avoid connecting a work computer to any free public WiFi access point, especially a network with no password, said Pargman.
“Not only could malware on other people’s computers try to break into your computer, but people with malicious intent nearby could try to spy on your computer’s network traffic and steal sensitive information or redirect your web browsing to websites controlled by the attacker,” he said.
3. Use a Virtual Private Network (VPN)
Instead, use a VPN to encrypt all of your network traffic and keep it safe from interception or manipulation.
“When you’re using a VPN, all your network traffic is encrypted and can’t be seen by other computers on your local network,” Pargman said.
Not all VPNs are created equal. The best practice is to ask your employer for advice about which one to use.
If the VPN is managed by your company, ask whether all of your network traffic goes through the VPN or if it is split, he said.
“Many companies have configured their corporate VPN to only send network traffic bound for the company’s internal servers through the VPN while leaving the rest of the connections to other websites unprotected,” Pargman said. “That helps lighten the load on the company’s VPN server, but it’s an important point to understand for remote employees.”
4. Determine the Security Features of Video Conferencing Platforms
Using the right security settings for your video conferencing software is critical. While Zoom has come under more scrutiny recently because of its rapid rise in popularity, the company has also been “quick to respond to recent criticism and offer software updates, changes to default settings and advice for protecting meetings from unwelcome attendees,” said Pargman.
Managers should set a password and use unique meeting IDs for employees to join video calls and limit the audience’s ability to share video or their screen for public meetings. This strategy goes a long way to keeping video conferences from becoming a source of problems.
“Keep a webcam cover over your computer’s camera when you’re not using it to prevent oversharing of images if you accidentally join a video call,” he said.
Protecting against software vulnerabilities requires vendor patching and due diligence on the part of the user, said Chris Morales, head of security analytics at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers.
“Restricting access to a video session is based on the quality of the user authentication controls such as strong passwords and user validation,” he said.
The simple fix, which Zoom has now made standard, is to enforce default passwords for all video conferences.
“How strong that password is will still impact the ability for someone to access a current session, but it is much better than no password at all,” Morales said.
Moderators can also by default enable mute on all participants and disable screen sharing features, he said.
“The biggest risk has been the ability for an outside party to join a session and disrupt or eavesdrop,” Morales said. “Eavesdropping allows listening in to what might be a valuable conversation with interesting data, depending on who is involved and the discussion taking place. The other risk is the disruption of a session with shared images and sounds. Think of it like digital graffiti.”
Companies can avoid being hacked during video meetings by identifying attendees, said Chris Hazelton, director of security solutions at Lookout, a provider of mobile phishing solutions based in San Francisco. Larger companies must use corporate directory integration where any user from the organization is identified by their real name.
“Allowing outsiders to attend means they can create false identities allowing them to behave or listen in or disrupt meetings with little risk or consequences,” he said.
Avoid using a waiting room because this allows anyone to join without giving the meeting host a chance to vet attendees before they join, Hazelton said.
“With the mass migration to working from home, any perimeter-based security goes out the window and with it comes a change in focus for cybercriminals,” he said. “Cybercriminals, who are also stuck at home, were quick to realize they have a large untrained target audience for malicious social engineering attacks through phishing, as well as targets of opportunity as users post meeting links online that include meeting IDs and passwords.”
A large number of traditional in-person meetings went online and while Zoom has security mechanisms in place, including support for single sign-on and multi-factor authentication, the company had to focus on the real problem - poorly trained users, Hazelton said.
“Zoombombing is caused by lack of cybersecurity awareness and insider threats,” he said. “Additionally, users are oversharing meeting details and some attendees want meetings to be overheard or disrupted.”
Zoom meetings can be encrypted "end-to-end" as long as all attendees are using a Zoom desktop or mobile client app, Hazelton said.
5. Assume You’re Being Recorded
Determine if your conversations and videos are being recorded. Since many employees may never know, they should “always assume the worst,” said Alex Hamerstone, GRC practice lead at TrustedSec, a cybersecurity and white hat hacking company headquartered in Strongsville, Ohio.
“Any technology can be recorded, so you should always assume that it is and act accordingly,” he said. “Any conferencing platform can be set to record calls.”
Remote workers also need to beware of fake Zoom invites, as well as other video conferencing or teleconferencing invitations that may be sent over email in order to hijack the work account or infect the employee’s device with malware, Hamerstone said.
“Researchers noticed a surge in Zoom-related domain name registrations in the month of March, which hackers are probably using to trick people into phony login pages.”
6. Use the Mute Button
Zoom is used constantly at Forward Networks, a Palo Alto, Calif.-based provider of network assurance and intent-based network verification, since it is the lifeline to outside vendors, job candidates and existing customers.
“It's not only critical for teamwork and collective decision making within and between internal teams and we have the Zoom app installed on our phones and even use Zoom Room video conferencing systems in our office meeting rooms,” said Charlie Elliott, digital marketing manager at Forward Networks.
Utilize best practices while you use Zoom or another video conferencing platform with your co-workers. Mute unless it is necessary not to mute, she said.
“This is key especially when working from home with a full house, even if you don't have chatty children in your house, dogs and birds will crash your conversation without warning,” Elliott said. “Keep a camera cover on your laptop's webcam that can slide open when you actually want to be seen. When you want to be seen, but you don't want your messy bookshelves, hand-me-down sofa or hamper full of laundry on camera, use a Zoom virtual background to digitally erase everything around you.”
Sheltering at home with working parents and school children using virtual classrooms can strain the physical space in a house, especially in the Bay Area where homes are small, she said.
“When one of our key technical team members needed to take a Zoom meeting, he was forced to occupy his garage as his home office,” Elliott said. “Thankfully, we had a library of virtual backgrounds loaded into our Zoom app so that when he had to conduct a webinar, he could be seen on camera, but his socket wrenches could not.”
7. Beware of Fake Emails
Beware of emails that appear to be important or urgent information about the COVID-19 situation, especially if the email contains a Zip file, Word document or Excel spreadsheet as an attachment or a link to download one of those files, Pargman said.
“I’ve seen a constant stream of malware over the last few weeks disguised as urgent information that supposedly needs a quick response,” he said. “If you do download one of these files and open them, stop and think twice about clicking on any security prompts. Many of these malicious documents require the recipient to click ‘enable content’ or double-click an executable file inside a Zip file in order to run.”
If you’re doubtful or suspicious about the sender, send the email to your company’s IT team.
“They would rather spend a few minutes checking out a suspicious email than have to spend hours restoring your computer and repairing damage caused by malware,” Pargman said.
Businesses need to promote a strong sense of security culture, said Alex Guirakhoo, strategy and research analyst at Digital Shadows, a San Francisco-based provider of digital risk protection. Companies should ensure their employees are aware of some of the more common phishing lures.
“Emails that claim to offer COVID-19 infection maps, contain important government alerts or offer deals on medical equipment that seem too good to be true should raise suspicions, especially when sent from unknown, external sources,” he said. “Individuals should never give away their personal or sensitive corporate information to an unsolicited email, and should always be wary of emails that contain suspicious documents or URLs.”
8. Malware Exists on Other Connected Devices
Remote workers should be aware of the potential dangers from other devices on the network that their work computer operates on. Many home computers and WiFi-connected security cameras or smart TVs can be infected with malware, Pargman said.
“When a work computer is joined to the same home network, those infected computers now have more opportunities to attempt to compromise the work computer because they are on the same local area network, which may be treated as more trustworthy,” he said.
Employees should set work laptops to treat the home network as untrusted. That means enabling a Windows firewall to block connections from other computers on the same network and not using the same password to log on to a work computer as you use on your home computer and other websites, Pargman said.
“Most malware includes the ability to steal passwords that are stored or typed into infected computers,” he said. “Some malware makes use of those stolen passwords to try logging on to all the other computers on the same network.”
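As an added illustration of treating the home network as untrusted (this script is not from the article or anyone quoted in it), the PowerShell below audits how a Windows laptop classifies its current network and whether the firewall blocks unsolicited inbound connections. The `-Apply` switch is a name chosen for this example; on a company-managed laptop these settings may be controlled by Group Policy, in which case any change belongs with the IT team.

```powershell
# Added example: audit (and optionally tighten) how Windows treats the local network.
# Run from an elevated PowerShell session. Without -Apply nothing is changed.
param(
    [switch]$Apply   # example-only switch: make the changes instead of just reporting
)

# 1. Network category per connection. 'Private' tells Windows to trust the LAN more;
#    'Public' is the setting for a network shared with devices you do not control.
foreach ($p in Get-NetConnectionProfile) {
    "{0,-28} {1,-18} {2}" -f $p.Name, $p.InterfaceAlias, $p.NetworkCategory
    if ($Apply -and $p.NetworkCategory -eq 'Private') {
        # DomainAuthenticated is assigned by Windows itself and is left untouched.
        Set-NetConnectionProfile -InterfaceIndex $p.InterfaceIndex -NetworkCategory Public
        "  -> changed to Public"
    }
}

# 2. Firewall state per profile. A profile is weak if the firewall is off or if
#    its default action lets inbound connections through.
$weak = Get-NetFirewallProfile | Where-Object {
    "$($_.Enabled)" -ne 'True' -or "$($_.DefaultInboundAction)" -eq 'Allow'
}
if ($weak) {
    $weak | ForEach-Object {
        "WEAK: {0} profile (Enabled={1}, DefaultInbound={2})" -f `
            $_.Name, $_.Enabled, $_.DefaultInboundAction
    }
    if ($Apply) {
        $weak | Set-NetFirewallProfile -Enabled True -DefaultInboundAction Block
        "  -> firewall enabled, default inbound action set to Block"
    }
} else {
    "Firewall is on and blocks unsolicited inbound traffic on every profile."
}

# 3. Exceptions still matter: list enabled inbound 'Allow' rules that apply on the
#    Public profile, since each one is reachable by other devices on the same network.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { "$($_.Profile)" -match 'Public|Any' } |
    Sort-Object DisplayName |
    Select-Object DisplayName, Profile |
    Format-Table -AutoSize
```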
9. Unplug Your Home Assistant Devices
Alexa and Echo, two popular home assistants, could be spying on you and everyone in your home. This is extremely problematic if your work includes sensitive information, such as financial, medical or legal data.
Some experts recommend unplugging your home assistant while you are conducting phone or video conference calls, especially during confidential calls.
“It’s not entirely clear how much of a risk it poses,” Hamerstone said. “For most people, especially those working for smaller businesses, this is probably not a risk you need to be concerned with beyond the normal privacy issues.”
Corporate and government workers should place a higher priority on whether these smart speakers are increasing their risk.
“It’s not entirely clear how much of what we say around these devices will actually be captured and recorded, so to be safe, you should assume the device is always ‘on,’” he said. “We know that these devices can be unintentionally turned on by the user, when saying the activation key word (such as “Alexa”). If you are sharing highly sensitive information, you may want to unplug the smart speaker.”
10. Update With Security Patches
Keep the software on your computer updated with official security patches that are provided through the software itself, Pargman said.
Avoid downloading updates from websites, especially if the link to download the software comes to you through an email message.
“Attackers love to disguise malware as an ‘important security update’ and try to trick people into installing it,” he said. “These fake updates usually come in the form of a pop-up from an unrelated website, or from an email message.”
11. Follow Your Company’s Guidelines
The most important thing for anyone working from home to understand is that they should follow corporate guidelines. If your company provides a VPN, use it and only install approved software, Hamerstone said.
“It is essential to follow any and all corporate directives,” Hamerstone said.
When you’re working from home, it is tempting to install things that look like they will increase productivity.
“Just last week, a friend asked me about how they could install their own remote access software to use on their work computer,” he said. “That kind of thing could easily compromise your security or create other problems.”
The security of remote connectivity is the responsibility of both IT departments and employees, said Heather Paunet, vice president of product management at Untangle, a San Jose, Calif.-based provider of comprehensive network security for small and medium-sized businesses.
“IT departments need to thoroughly understand the programs used by each department, how it may vary from finance to sales and how effectively employees will be able to connect to these programs remotely,” she said. “The IT department should in coordination with department leaders train employees to connect remotely using a VPN. This training should be ongoing, with documentation, step-by-step guides and possibly video instruction to make sure that it is accessible offline as well as online for employees to follow.”
Companies are rapidly deploying VPNs and authentication technologies, such as multi-factor authentication, while enabling employees to be able to connect to mission critical assets from their remote workstations, said Arun Kothanath, chief security strategist at Clango, an independent IAM/cybersecurity advisory firm.
The result is that often employees will end up with either “too much access” or “too little access,” which could lead to a significant security breach or loss of productivity.
“We like to advise cybersecurity directors to focus on methods to increase visibility and accountability by increasing audit frequency and access certification activities to ensure that the organization is not harmed by an employee having ‘inappropriate access,’” he said.
12. Use Virtual Coffee Breaks
Technology has enabled many people to stay connected and stay secure in light of the current situation, said Joseph Carson, chief security scientist and advisory CISO at Thycotic, a Washington D.C.-based provider of privileged access management (PAM) solutions:
“Technologies that can help make life somewhat normal have seen a rebirth,” he said.
“Video conferencing solutions that enable employees to stay connected and have virtual coffee breaks with colleagues are back in fashion. Facebook Live has seen entertainers find new ways to keep citizens at home entertained with digital concerts, comedy shows and theatre.”
Suzanne Hero, a public relations executive at Gensler in San Francisco, said that department-wide and office-wide social hours help make sure employees feel supported and connected.
Many employees are working from home, albeit some are in smaller apartments and cramped quarters.
"I’m sitting at my kitchen counter in my tiny San Francisco apartment working on a laptop," she said. "It’s the only flat top we have, other than a coffee table, so my husband works from the bed."
Hero conducts daily video calls with her team. Her company always had Microsoft Teams available and installed on every computer, but her team wasn’t actively using it until now.
"It’s actually proven very handy," Hero said.