Industry data confirms that the COVID-19 pandemic has had a negative impact on businesses’ cybersecurity when employees are working from home. We know it affected the community; we all had to adjust to a completely changed work environment and significantly limited socializing. People were understandably distracted and overly stressed … and home cybersecurity was just not a top concern. But it’s not too late to learn how to do a better job of securing at-home work environments.
In fact, a survey by Unisys found that 70% of Americans were not concerned about the cybersecurity implications when they work from home, and Tessian software company found that 48% of employees agreed with the statement, “I’m less likely to follow safe security practices when working from home.”
The problem is that cybercriminals stepped up their games during any crisis, and especially in response to the pandemic. The FBI’s Internet Crime Complaint Centre (IC3) reported that by June 2020 daily digital crime had risen by 75% since the start of stay-at-home restrictions and the number of complaints received by then had almost surpassed the total for all of 2019. More recently, in November 2020, the Department of Homeland Security announced a warning to watch for new scams related to the release of newly-approved COVID-19 vaccines. Clearly, criminals thrive when people are distracted.
While it might feel like a herculean effort, paying attention to home cybersecurity is an important step in protecting your personal accounts, your job and your company. Secure systems and devices will help maintain the small remaining semblance we have of a “normal life.”
What are the risks associated with home cybersecurity?
Recent research found that 35% of severe cybersecurity incidents over the last 12 months were attributable to work from home (WFH) through actions like accidental disclosure, social engineering scams and inadvertent ransomware infection.
Stress, distraction and lack of knowledge can all contribute to these types of behavior, but the more aware we are, the less likely we are to make mistakes. And there are a number of cyber risks in WFH of which we should be aware.
Increasing attacks
Since COVID-19’s arrival in the U.S. was announced, headlines have clamored not only about a human pandemic but also its effect on the digital world. The “cyber pandemic” began with phishing emails and online advertisements designed to steal online shopping credentials or collect donations to fake charities. Then the attacks shifted to ransomware, data breaches and unemployment fraud. Even now, new attacks appear regularly, targeting people seeking vaccinations or additional stimulus checks.
According to a report by Microsoft, the first half of 2020 saw an approximately 35% increase in total attack volume on IoT devices compared to the second half of 2019. And security company Crowdstrike’s threat-hunting team blocked some 41,000 potential intrusions just between Jan. 1 and June 30 of 2020 compared with 35,000 for all of 2019, indicating a 234% increase in attacks in the first six months of 2020. Although different platforms have found varying percentages of increase, IT security experts agree that 2020 saw an unprecedented increase in cyber attacks targeting all types of accounts and every type of digital user.
Many more people on less secure home networks
According to the December 2020 study by Upwork, about 57 million people are still fully remote. This is up from about 5 million people who worked remotely in 2018. So millions more people are now working from behind a residential Internet infrastructure instead of the enterprise-grade infrastructure that previously protected their data. And not only is it residential-grade, but it’s also used for virtual school, streaming TV, shopping online and more. From an IT perspective, it’s a change and a mix from better-secured and controlled environments to chaos with no control, leaving devices open to browser-based attacks, malware downloads, and an increase in the likelihood of phishing messages not getting blocked by security software.
Mixing work and personal
Considering the drastic increase in time spent both at home and online during the pandemic, the lines between work and personal time have blurred. Many people found that it was quicker and easier to use one device for all activities rather than constantly switching back and forth. This means personal activities like shopping, socializing by video or watching TV may be happening on the same device that handles corporate data. Cybercriminals can exploit these gaps in home cybersecurity in a few ways:
- Phishing messages used to gain access to personal accounts are more likely to provide access to business devices.
- Malware embedded into a personal app (games, wellness, shopping, etc.) may allow tracking of a business device or account.
- Devices brought home for work can be stolen from a residence.
More challenging for IT to identify and remediate incidents
With employees spread out by remote working – and in many cases, working irregular hours to fit work around home responsibilities – it can be harder for information security teams to identify unusual or suspicious activity by intruders on the network.
More distractions make it difficult to concentrate
Distractions at home increase the likelihood of making quick decisions without thinking things through or considering all the details. A busy life can also cause a disjointed schedule where tasks sometimes get squeezed into tight timeframes, possibly causing people to overlook security. But details are important. Remember that something as simple as sending an email to the wrong person can be a security risk if the message contains sensitive data that the unintended recipient is not authorized to see.
Reduced contact with coworkers
For many employees, the pandemic was their first time working remotely for an extended period. Being isolated from the corporate environment – a place where we regularly see or hear warnings about cybersecurity and staying safe online, as well as being able to quickly and easily get a second opinion – makes it harder to make good decisions about home cybersecurity.
Best practices for home cybersecurity
Cyber secure work from home is not just about technology. It’s about technology and humans working together. Companies should strive to empower employees to secure their systems by offering strong tools, services and awareness training to protect their home network, company network and company data.
Configure your behavior
Since many are not in the mindset of going to the office every day and are feeling a lot more comfortable in their home environments, it can be easy to fall out of the habit of working with a security mindset. Beware of this complacency. It can be damaging.
Communication is critical – Working from home should not affect your ability to rely on tech support resources and colleagues. Keep in touch with your IT and security experts to ensure you are implementing the best practices they recommend. Also alert those teams immediately if you think your data or devices have been compromised. Time is of the essence when it comes to warding off or resolving a potential breach.
Do your best to limit distraction – Making a schedule can keep you on track as long as you follow it. Scheduling time for breaks is also important since many built-in workday breaks for office workers (stretching, getting up to get coffee, going out for lunch, etc.) occur in different rhythms while working remotely. If physical discomfort is a problem, consider upgrading your WFH setup. There are many styles of furniture and external monitors that are ergonomically correct and reasonably priced.
Follow All Applicable Policies
Employees are still responsible for following all organizational security and privacy policies. These generally fall into four categories:
Common organizational policies – Does your office have an Appropriate Use Policy? Usually, these policies cover many guidelines, commonly including that company devices should not be used for business unrelated to work and that all information created, stored, sent or retrieved using a company system, including email messages and files, even if they are personal in nature, is owned by the company.
State and federal policies – Government privacy legislation varies by laws in most states and by the federal government through acts like HIPAA, FERPA and the California CCPA. The industry in which your company operates will determine which privacy legislation applies to your work.
PCI DSS compliance – PCI DSS refers to the standards required by the Payment Card Industry Security Standards Council for any organization that accepts payment by credit, debit or other payment cards. Financial employees learn how to comply with our PCI requirements when taking the annual PCI DSS training. No annual training? Contact a Global Learning Systems representative to review annual security awareness or PCI DSS training options if you do not recall, or aren’t sure of the proper way to handle payment card data to keep it private and secure.
Incident reporting – Employees are to alert IT staff to issues that others may not notice. If you are having a problem or see something suspicious, continue to follow the standard incident reporting process implemented by your organization and report it. Don’t use workarounds – especially if they require unsafe behavior. Contact your tech support directly if you need a resolution quickly.
Take extra responsibility for home cyber security
With everyone working offsite, IT control is limited; thus it’s important to remain vigilant about keeping your home network security up-to-date, using caution while browsing the Internet and clicking links and following secure processes to access business data. Without the safety net of our organizational network to catch missteps, our everyday choices require more caution than ever.
Follow basic device security – Ensure that patches and updates get installed when they’re available. VPN is usually required, so connect with it at least once a week. If you rarely turn it on, your updates will be delayed, which could put your data and your company’s systems at risk.
- Use a strong password and protect it carefully – especially if using Single Sign-On. If someone tricks you into sharing your main password, they would have access to all your accounts, which they could use to access an entire network.
- Follow your company’s Appropriate Use Policy
- Prevent friends and family from using your work device
- Don’t install unapproved applications or browser extensions
- Maintain the security of confidential company information
Set up routers and Wi-Fi networks securely – Follow the manufacturer’s instructions to ensure that your Internet router and firewall are properly configured, including changing default names and passwords for the router and SSID (Wi-Fi) network, choosing WPA2 encryption, turning off remote management/ administration and ingress ports or port triggering (unless you know you need it), and setting proper outbound filtering. Many newer routers have firewalls that automatically run with the most secure options for remote management, ingress ports and outbound filtering. Read your user manual to determine if your router does this.
Limit network access – Create a separate guest network for your guests and smart devices to use so they are separated from your sensitive data.
Consider hiding your SSID – Many wireless attacks are simply done against the easiest targets in crowded areas. By not broadcasting your SSID, you can minimize your wireless footprint so that only those people who know your SSID can connect to you.
Protect and update your personal devices – Install anti-virus/anti-malware protection and regularly update the firmware (operating system software) that runs on each of your devices to make sure you are using the most recent security protocols.
What else can you do to ensure robust home cybersecurity?
Ask your employer if your company offers annual cybersecurity training. An important step for office security, these courses matter more than ever and can be tailored to what your team looks like in 2021. Ensure your training meets all the needs of your shifting workforce, and if not, contact us. Global Learning Systems offers complete training packages, managed services and many more solutions to protect your company data, your wallet and most importantly, your customer information.
