Cybersecurity Risks of Teleworking
One month ago, we examined the significance of using end-to-end encryption for web conferences, which have become a staple of telework (or “remote work”). Teleworking is the practice of working from any location other than the office building of one’s organization. As a result of the COVID-19 pandemic, working from home is the new normal for some businesses. However, telework is not without problems, including risks to security. Jeff Greene of NIST, Lisa Weintraub Schifferle of the FTC, Steve Ranger of ZDNet, and Carrie Rubinstein of Forbes all describe a variety of security risks and offer advice for working from home. In general, there are three areas of concern for teleworking: phishing, wireless encryption, and basic security.
Rubinstein notes that phishing scams are “widely recognized as the top cause of data breaches.” Phishing scammers try to fool unsuspecting employees into downloading malware or providing their passwords, usually by sending emails disguised as messages from tech support or employers. Other authority figures can be impersonated as well; there has been a rise in Coronavirus-related phishing scams orchestrated by bad actors impersonating the CDC and the WHO.
In addition to identifying email-based threats, remote workers should also ensure that communications are protected from eavesdroppers. Rubinstein notes that Sivan Tehila, the founder of Cyber Ladies NYC, lists Wi-Fi security as an area of concern because “employees’ home networks probably have weaker protocols” compared to office environments. Greene notes that employees using Wi-Fi at home should ensure that the type of encryption is Wi-Fi Protected Access 2 (WPA2) or WPA3. Wired Equivalent Privacy (WEP) encryption is outdated and insecure, which means that bad actors could decrypt and read information sent over home networks that still use it.
In addition to safeguarding networks, basic security measures are also recommended. Common tips include the following: use strong passwords, as opposed to simple passwords like “12345” or “password”; use anti-virus software and keep it up to date; and regularly update other types of software as well. According to Ranger, the European Union Agency for Cybersecurity (ENISA) also recommends making regular backups of important files in case the main copies are made inaccessible by ransomware. Schifferle recommends securely storing physical copies of sensitive files in locked file cabinets or rooms, and destroying them by using shredders. Some of these security practices are no different from what would be followed in an office environment.
When it comes to teleworking, Schifferle and Greene recommend following the telework and security practices of one’s organization. According to Schifferle, if you are a teleworker, “[y]our home is now an extension of your office.” Working from within the safety of your home doesn’t make you safer in cyberspace; threats such as phishing scams can affect anyone with internet access. Ultimately, teleworking requires as much cybersecurity awareness as working in an office.