As we enter these times of being ‘locked away’ in our homes, many employees are having to adjust to new ways of working, including Working From Home (WFH). This is to keep us as physically safe as we can be from the new coronavirus that we hear about every day on the news. There is no escaping it, even for the UK’s Prime Minister, Boris Johnson, and Health Secretary, Matt Hancock, who have been diagnosed with it as we write this on 27th March 2020.
If this is you and you’re new to WFH, what can you do to make your working life and practices easier? How can you keep your home systems safe and also your corporate network? Many people worry about infecting either set of systems and recognize that we all have a part to play as end-users and workers. How do we keep them safe and, dare I say it, virus free?
In this blog, we’ll discuss our five key areas for keeping yourself safe when WFH. This blog was contributed by Mat Gardam, a Cyber Security Engineer / Consultant. We’d like to say a huge thank you to Mat for sharing his expertise.
Training and Policies
Every employee should have access to their organization’s HR policies, which may be useful in times like these. One of those policies should cover training and the training methods used throughout the organization. (If this policy doesn’t exist, that may be a wake-up call for your employer!)
You can also consider speaking to your manager – virtually, of course – or maybe send an email to see if you can expense online training providers such as Pluralsight, KWTrain, and CBTNuggets. These are primarily technical training providers but will also cover management and governance style topics that can help you get security-savvy.
Time at home is a chance to learn new things and can be used to your and your employer’s benefit for upskilling, learning new skills and keeping abreast of the latest changes in technology and certification.
Using approved devices/secure connections
When connecting to your organization’s network from your home network, the adage to remember is that a network is ‘only as strong as its weakest link’. If you, the end-user, are connecting from home and your home network is not secure, the potential to infect your organization can be increased. Although your organization should have internal safeguards and procedures in place for this, you as the end-user need to do your bit, and this blog is written for you.
Your employer’s policy should outline which software and technical methods are appropriate for logging into work systems and tools. These will of course have been approved to keep the organization’s data ‘safe’ and secure.
If your organization does support ‘bring your own device’ (BYOD) use of personal technology to access work systems, make sure you practice good personal security. The next few tips will help you here.
Protecting your home network
So, what else can the home-user do to protect their network?
Firstly, change any default passwords on networking equipment – anything left at its default setting is quite a big security risk, although some vendors now ship a unique password with every piece of their equipment. The problem here is that if an outsider can access your wireless network and obtain an internal IP (Internet Protocol) address, they are on your network and can cause all sorts of mayhem if they wish.
Make sure that all computers are patched with the latest updates. These can contain fixes for known security vulnerabilities and help to keep you safe online. Also make sure firmware and BIOS levels are patched and kept up to date. This is quite often something that gets missed, although it may be a bit more advanced than just applying a Windows update.
Passwords, my favourite! Don’t have the same passwords on every website you visit. If you use the same password across many sites, when one website database is compromised, you may find that all your sites are compromised. This is particularly worrying at a time like now when support services are limited, and customer service is hard to access. This risk could even mean that your bank details are compromised.
However, don’t panic! There are things you can do:
• Use different passwords for every site and maybe use KeePass (or another password manager) to store these passwords.
• Use 2FA (2 Factor Authentication) – Some sites offer this and you could use something like mobikey to help set up 2FA.
• Consider using your mobile phone as your 2FA Key – Both Microsoft and Google have options and apps to start using these methods.
There are many options to stay safe – it’s about doing some research and looking at what we have and can utilize to better effect to keep ourselves safer online. Many of the tools available are free or low cost, so this doesn’t have to mean a large financial outlay either.
Where threats come from
The modern day ‘Cyber’ threat can come from outside the home as well as inside. Let’s just say for an example from experience that when I blocked ‘Minecraft’ on my home router, my son was still playing it when I returned home from work. He had done his research whilst I was out and had installed a VPN (Virtual Private Network) to bypass my firewall settings.
My mistake was that I had only implemented them very basically, not understanding that bored children will always find a way! Other threats can come from outside the home, when the malicious person is within wireless range of the house. With that in mind, consider implementing MAC (Media Access Control) address filtering so that your networking equipment only accepts access from approved MAC addresses. This is a bit more complex; however, there is a lot of material on the internet.
Threats can also arrive via emails. We are all relying on emails currently to keep connected, but be careful when clicking on links within an email. These links will potentially allow an adversary to install malware onto your system and this in turn can be used to access your systems or even control them. These are known as ‘Phishing’ scams and can be targeted broadly or, in some cases, at high-profile individuals, which is known as ‘Spear Phishing’.
Some adversaries have already started exploiting the current threat, stating that they need your help to fight the coronavirus and asking you to click on a link to register.
Some of these emails may be legitimate but if you have not signed up to anything – ask yourself, how did the sender get your email address, and do you recognise the sender email address? If it looks odd or suspicious, it most probably is.
Finally, consider your anti-virus software and keep it up to date, although ‘Windows Defender’ is quite good nowadays.
This is only a very brief introduction to home-user network security and the main message is that there is a great deal that you can do, even if you’re not a technical person. It takes a little patience and research but the information is out there – and of course if you have time, maybe consider a basic technical security course as the end-user. You never know, you could be the next home-user security champion of your organization.
Keep well and stay ‘cyber’ safe!
About the author
Mat Gardam is a Cyber Security Engineer specialising in implementation and detection techniques in the Cyber Security Sector. He has worked at a few high-profile organisations specialising in defeating the adversary. He has worked across many sectors, including Defence, Banking and Business Continuity. Mat is also studying for a Master’s Degree at Cranfield University in Cyber Defence and Information Assurance, which is expected to complete at the end of 2021 with a final dissertation focussing on the way Artificial Intelligence can be used in the Defence Sector.