Written by: Joe Emerson // May 29, 2020
Last updated: May 29, 2020
Jack Nilles’ Twitter account identifies him as “a former ‘rocket scientist’ spacecraft designer turned applied futurist, father of telecommuting and author….” The book that helped earn him the “father of telecommuting” title is “Telecommunications-Transportation Tradeoff: Options for Tomorrow,” published in 1976. Nilles long has held that one of the primary hurdles to working remotely is security. With COVID-19 exponentially increasing telecommuting, you don’t have to be a rocket scientist to know this is a good time to explore cybersecurity tips essential for remote workers during the pandemic.
First, Some Tech Language
Nilles’ initial push for telecommuting involved satellite offices because it was rare for people to have the technology at home to work remotely. A lot has changed since apple was just a fruit, including language. Here’s a primer on computer-age terminology that first-time telecommuters might find handy:
Hardware tokens are small devices used to authenticate a user’s identity when logging into a system, typically by plugging them into a USB port or other connection point or reader.
IoT stands for internet of things, the countless devices and systems worldwide that are connected by the internet.
ISP stands for internet service provider. These are the entities delivering internet capacity to your home, from Verizon to Viasat.
Local accounts are for users granted administrative or other privileges on a given computer/server.
Password managers, be they hardware or a software app, are for encrypted storage of all of a user’s password information. A big plus is the ability to store and recall complex passwords that are more difficult to hack.
Remote desktop refers to technology that allows a user to connect to and operate a computer located elsewhere.
SOHO stands for small office/home office network. SOHO networks are tailored to the needs of the smaller businesses they serve.
Standard accounts are computer user accounts used for everyday tasks.
Two-factor authentication means adding a layer of security to the process of accessing websites, programs, or systems. For instance, you post a password (something you know), and then you’re emailed or texted or phoned a numeric code or other identifier to a personal device (something you have) to finish the process. Or you use a password and then a voice print, fingerprint, or iris scan (something you are) for the second step.
Two-step verification can qualify as two-factor identification (password plus code sent to a personal device), but unlike two-factor identification, two-step can use the same ID factor (something you know, have, or are) twice.
VPN stands for virtual private network. VPN service provides private, secure connections to websites and computers.
WPS stands for Wi-Fi protected setup. It’s a function on wireless equipment that allows users to automatically add devices to the wireless network.
WEP stands for wired equivalency privacy and is an encryption tool for wireless connections.
WPA stands for wireless protected access. It’s more secure than WEP.
WPA2 is version two of the WPA. It’s the most secure.
Picking the Brains of 2 Cybersecurity Experts
Before we get to tips such as don’t get hooked by phishing scams, let’s explore the dark corners of telecommuting (the risks) and strategies to avoid them.
Network and security specialist Mike Foster inked a story for Mheda.org titled “Recommendations for Cybersecurity for Remote Workers During Coronavirus.” Information technology expert Dion Hinchcliffe wrote a story for ZDNet.com story titled “Working in a Coronavirus World: Strategies and Tools for Staying Productive.” Here’s their advice on:
Virtual Private Networks
Foster: These shielded networks do deliver privacy, but when it comes to security, they’re not enough. Both ends of the network have to be secured, too.
Hinchcliffe: Be clear on rules of use to maintain security when employees work remotely. Rule No. 1: Employees shouldn’t do any work-related task unless the VPN is engaged.
(H3) Internet Access
Foster: The atmosphere and coffee at a Starbucks or the trappings of a hotel room or lobby might be nice, but the security is iffy at best. Security is less iffy in a worker’s home, but what about other potential users and devices in the home?
Foster says connecting at home can be risky because of subpar ISPs, compromised IoT devices in the house, and access by unauthorized users. Working from a coffee shop is just reckless, he says.
Hinchcliffe: Can the home system carry the load? The company might need to underwrite mobile hotspots, data plans, and other service upgrades and security precautions to enable remote operations.
Foster: Disable the WPS. Yes, a WPS makes life easier for the digitally-challenged. “Unfortunately, it also makes it easier for attackers to connect.”
Hinchcliffe: Don’t assume that the employee’s ISP has adequate protections. “Create a safe and effective foundation for remote digital access. First and foremost, this means providing secure access to IT (information technology) resources within the business as well as to the internet itself.”
Passwords and Firewalls
Foster: Ensure that workers know how to secure their phones and other devices. As for access to systems and data, two-step verification is advisable. “Options for the second step include phone callbacks, physical USB hardware token keys, authentication apps on phones, and one-tap login solutions.”
Firewalls? “Some firewalls and Macs provide an option called ‘stealth mode.’ When you activate this, you may get a scary warning that if you configure the computer to hide, it becomes difficult for outside parties to connect to the computer. Yes, that’s the point! Block everyone. Nobody needs in except your IT professionals, and they already have a way in.”
Hinchcliffe: Two-factor authentication (2FA) is the way to go.
Foster: The worker’s local account should be standard user. Period.
Foster: More programs on a system equal more risk. Go with the bare minimum.
If the worker is using company equipment, be sure IT keeps it in working order. If it’s the worker’s equipment, IT should ensure there are antivirus protections in place – updated and operating.
Theft of equipment poses a security risk, too, since devices are portals for hackers. Consider physical security measures at the home, including pickproof locks.
Testing the System
Foster: Run drills, with workers performing all their typical tasks. Make sure the equipment, services, and employees are up to the challenge. Drills produce questions and present problems that yield answers and lead to solutions, making the real thing easier. “Additionally, give your employees guidelines on what to do if they lose connectivity to the office, and what to do if they feel like their remote computer might be under attack.”
Hinchcliffe: “Again, test everything upfront, including usability, and ensure you do this by putting actual workers in front of your intended remote work access solution(s) to see how well it actually works.”
What Exactly Are the Online Risks?
Forbes warns of three primary online security risks remote workers face:
- Susceptible WiFi service is a major risk, a portal that hackers can use to compromise a company’s system.
- Passwords are an Achille’s heel, and weak passwords are a hacker’s foot in the door.
- Phishing scams are the leading cause of system breaches.
Forbes also cites four indicators that someone’s remote work system has been breached:
- Unfamiliar programs appear.
- Computer slows.
- Pop-up ads begin populating the screen.
- Mouse, keyboard lose functionality.
Call IT immediately.
Cybersecurity Tips for Remote Operations
Securitymagazine.com, in response to the push for remote operations caused by the coronavirus, shared its top 10 security tips for working remotely:
10. Security Is About People
Cybersecurity breaches typically can be traced to human error. The solution? Training; then more training. Drills help, too.
End-of-day checklists are one backstop to avoid missteps, but staying aware and careful are the real firewall.
9. Make Outsiders Responsible, Too
Employees aren’t the only people who need to hold the line on remote security. Vendors and contractors are part of most operations. Be sure they are under the same obligations as employees to meet security standards.
8. Don’t Get Too Comfortable
Now that home is the workplace, you can’t limit work talk to the workplace. Don’t share critical system information, and restrict sensitive conversations to private places.
7. IT Is the Traffic Cop
Part of IT’s job is to monitor system traffic, and that includes deviations of data flow, particularly if the flow is unusually large. Those red flags shouldn’t be ignored.
6. Virtual Maintenance Actually Matters
IT must be vigilant under normal circumstances. That vigilance must be kicked up a few notches when the number of remote workers surges. Constant monitoring for updates and patches is essential.
5. Minimize User Hurdles
Make the system as user-friendly and functional as possible. Access to systems and data must be guarded, but there has to be a balance. Protect, but don’t obstruct.
4. Limit Remote Access
Data have varying degrees of sensitivity. Limit remote access to the most valuable information. Allow what’s imperative, but keep a tight rein on the time and extent of access.
3. Steer Clear of Starbucks
It’s critical that remote workers use only secure networks. Cafes and libraries don’t qualify. Workers who don’t have secure WiFi should be provided a private hotspot.
2. Company Devices Are the Safest Bet
If possible, remote workers should be strictly limited to the use of company devices when doing company work. If need be, personal devices can be vetted by IT to meet minimum standards.
1. The No. 1 Risk Is Phishing
As already noted, phishing is the No. 1 threat to remote operations. Training is the solution. Remember:
- Legitimate entities don’t request personal data.
- Act-now messages are a red flag.
- Crises such as the coronavirus pandemic are common plot lines for hackers.
- Clicking on unknown hyperlinks or attachments is a fool’s errand.
- Phony websites are part of the click-bait ploy.
- Lousy spelling and grammar are telltale signs.
USF Can Help with Cybersecurity Training
USF’s Office of Corporate Training and Professional Education has a program suitable for employees of all stripes in businesses large and small.
Our Cybersecurity Essentials class can help you:
- Keep yourself and your business safe when online.
- Learn how to create strong passwords and secure data.
- Defend against social engineering tactics used to exploit businesses.
- Identify and avoid malware.
- Implement essential cybersecurity practices.