How to Prevent Security Breaches When Working from Home

Sign up to receive our blog posts in your inbox.
 

When you work at the office, you take security and many other things for granted. When you work at home, things are different. In addition to doing the regular job, all of a sudden, you’ve got a new side gig as Chief Security Officer, Facilities Manager, and Corporate Canteen Chef, too.

Now that millions of people around the world are learning to keep their jobs while keeping their social distance, the importance of preventing security breaches when working from home has never been greater. In this blog, we provide eight proven ways to improve your digital safety and protect your privacy.

1. Understand that conferencing/remote work platforms aren’t secure by default

As we shift towards more remote work, many of us have started relying on platforms such as Zoom, WebEx, GoToMeeting, Skype, Teams, and Slack. In some cases, these platforms were already part of our workflow. In other cases, they’re brand new additions.

It’s easy to assume that because your company or clients recommended (or enforced) the use of a specific platform that it’s safe. In the case of Zoom, we have already seen numerous privacy and safety issues pop up. For example, Zoom can track your ‘attention’ by alerting call hosts when participants do not have the Zoom app (whether on desktop or mobile) focused for more than 30 seconds. Zoom also harvests a noticeable amount of data—ranging from your IP address, physical address, real name, phone number, employer, and more. While the company states it does not sell data to third parties, it does have a lot of data and sells some of it to third parties. Finally, newly released vulnerabilities make it possible for unwanted users to bypass security measures and access other users’ webcams. See also a thoughtful blog on Zoom by Dave Tyson.

This isn’t meant to target Zoom in particular. Just as many, if not more risks could be listed when it comes to other platforms. We simply want to encourage managers, employees, and clients to be aware of the issues involved, and make sure they are mindful of privacy issues related with different platforms. Every company (and freelancer) should have processes in place to minimize data gathering, implement secure and unique passwords for all meetings, and make sure employees—at the very least—keep their apps up to date.

2. Don’t trust microphones and webcams

For years, we’ve known that malicious agents can hijack microphones and cams and spy on users who have failed to secure their devices. Here are two things you can do to mitigate these risks. 

First: keep your devices updated. Operating systems, security patches, apps, and drivers should always all be up to date. Make sure Windows Update, the Windows Store, Google Play, and the Mac/iOS stores are set to auto-update. If needed, head to your webcam manufacturer’s website and grab the latest driver. 

 

Second: physically disable your microphone and webcam when they’re not being used. If they’re peripherals, simply unplug them. If you’re using a laptop or another device with built-in mic and cam, you can use covers to block them. Assuming this is a work device, just stash it away when you’re done using it for the day.

3. Beware the internet of things

You may be comfortable letting your smart devices listen in on every word spoken in your place, even though they can be abused by third-party apps that do some phishing in addition to their purported function, and that’s your choice. However, you’re working from home now. Are you certain you’re not going to mention sensitive matters out loud even outside of a remote meeting? What about during a meeting? Can you guarantee no one’s listening in? Can you guarantee that, even if the data is “only” stored on a major corporation’s servers, it won’t be hacked or sold down the road? What does that data say about you and others?

Whether you’re okay with your daily life being potentially recorded and used by third parties is for you to decide. Many of us would say that’s a terrible idea. But when IoT devices present a risk for your colleagues, your company, and your clients, this is no longer a personal matter.

Our advice is to unplug those devices from the room where you’re working when you’re working. For the time being, the convenience of queueing up your favorite tunes by voice is not worth the security risks.

4. Use a VPN and avoid using your home network

We would hope that your company provides a corporate “virtual private network”, or VPN. But in case it doesn’t, you should be using one. Your personal IP address says a lot about you—where you live, for one. But unencrypted data transferred when not using a VPN runs the risk of being intercepted by third parties—from malicious actors to your very own ISP. Everything you do online, to the extent that it is possible, should be encrypted or at least difficult to access. A VPN is a great start.

Right now, there are a couple of providers we would recommend. They are both located in countries with solid privacy laws, do not require much (if any) personal information, offer reliable servers and, more importantly, do not keep any logs of your online activities. The first is ProtonVPN, offered by the same folks who offer the excellent ProtonMail. The second is Mullvad, which is still fairly unknown yet provides incredible security—open source software, anonymous payment methods, Wireguard—and has been audited independently.  

We would also recommend using alternative solutions to connect to the internet (or talk on the phone) in the first place. We’ve talked about products such as Skyroam and other GSM-type hotspots, and we encourage their use—which brings us to our next point. 

5. Compartmentalize your life

Not only should you avoid using your home connection for work, if you have a work laptop or phone, only use these devices for work. That way, you don’t run the risk of compromising your devices (including any sensitive files they contain) just because you decided to download a seemingly fun game from a dubious website. Similarly, your personal devices are meant to be used in your off-time—so don’t log into a corporate server using the family iPad.

Your work files, in whatever forms, should be handled securely. When it comes to data, nothing should be transferred or stored on personal storage devices, such as external hard drives or a home server. If you’re printing out documents, make sure they’re disposed of securely (shredded) once you’re done with them.

Compartmentalization extends to talking about work, too, and to wandering around the house while on a work call. After all, you may have signed an NDA, but your family members haven’t.

6. Images and sounds can say a lot. Don’t let them.

When you’re on a video call, what does your webcam show? Your face, sure, but what’s the wall behind you? Is there a window offering a view of the street? Photos of family members? How many unique identifiers are in the frame? What if your kids decide to run past?

The same question applies to microphones. What kind of background noise is there? Someone else at home talking? Traffic outside?

This may seem paranoid to some of you, but anyone who’s seen the lengths people will go through to gather information on a target will tell you it’s common sense to neutralize background visuals and sounds.  Ideally, your webcam and mic should reveal the bare minimum needed to communicate with others. Use the background blur available on some video-conferencing tools. Make sure there’s a neutral background behind you, and if you can find a room where there’s little-to-no external noise, even better for the people you’re talking to and for your own security.

7. Don’t get robbed, and encrypt in case it happens anyway

Where you leave your tech devices, as well as how you access them, is always a concern—even at home. Your laptop and desktop computers should be impossible to access whenever you step away, even if you’re just going for a 15-minute walk. You want everything to be locked with passwords or biometrically.

Should someone get their hands on your devices, you want to make sure everything is encrypted. For Windows users, you should encrypt your drives with Bitlocker. MacOS users, look at Filevault. For more advanced techies out there, Veracrypt is an excellent third-party option.

Ideally, once the work is over, you want to lock everything behind a safe or equally secure place. The “layers” of residential security with several perimeters most of us know about? Yeah, same logic applies here. 

You want to make it hard for anyone to get within range of your devices. And if they do, you want to make it near-impossible to access what’s on there.

8. Be smart about phishing (but you already were, weren’t you?)

We’ve seen a lot of phishing attempts lately. Phishing, as we all know, is already a serious threat when you’re in an office setting—except now you’re no longer protected by your company’s firewalls and IT department. Unless that’s your specialty, you simply won’t get the same kind of digital security at home.

Now more than ever, personal security matters because it overlaps so much with professional security.

It’s not a matter of a link or email attachment looking dubious—everything you click on should be approached with care. So, follow the steps outlined by your company, but use common sense and vigilance on top of that.

When it comes to your personal devices, you’ll also need to step up your game. Just because you’ve compartmentalized work and home life doesn’t mean personal devices stopped being a vector of attack. Any kind of cloud storage for your personal data should be end-to-end encrypted.. Look at options like pCloud, Tresorit, or Sync.com. Your personal communications should be end-to-end encrypted as well—preferably via Signal or Telegram. Daily anti-malware scans are a must, and if you’re tech-savvy enough to install a software firewall that alerts you of any outgoing connection, then do so.