Working from home for a while? Here’s how to do it securely.
VPNs, anti-malware, and good cyber hygiene will help prevent viruses and phishing attempts from penetrating your home office.
by Sara Morrison
Alice M., who works as a benefits manager for a health insurance company, primarily used her personal laptop for Netflix binges and Facebook updates before the coronavirus pandemic. Since March, and for the foreseeable future, she’s had to give it a new task: handling confidential medical records. Alice worries her home equipment isn’t up to the job of her job.
“My company usually does give us necessary tools to feel secure, but because of Covid, they had to send everyone home,” Alice told Recode. “If you didn’t have their setup already, you had to use yours.”
“I’d argue that if patients knew this, they wouldn’t be so happy,” she added. “We aren’t as secure as we should be.”
Alice, who requested that neither she nor her employer be named for fear of retribution, may have reason to worry. Millions of workers have had to take their work home with them due to the pandemic and may continue to do so for months to come. Many are doing it without the security and privacy tools their offices had — or even, in cases like Alice’s, the equipment. The result: Hacking activity has more than doubled. One Australian company even blamed the sudden switch to remote work for a ransomware attack.
“In most scenarios, those protections that you had in place in the office don’t exist at home,” Mark Ostrowski, security evangelist at cybersecurity company Check Point, told Recode. “So that’s where you start talking about what are some things that I can do to protect myself?”
Cover the basics
There are a few easy and important things you should do in your work (and personal!) lives to help keep yourself safe. For example, make sure you’re using strong passwords and picking different passwords for every account. Use two-factor authentication everywhere it’s offered. And if you’re one of millions of people who will work from home a lot more as the pandemic stretches on for months, you should take a fresh look at everything.
Rizwan Virani, president of Alliant Cybersecurity, told Recode that with employees setting up several new accounts for various remote work services like file-sharing and virtual meetings, it’s especially important that they’re using strong, unique passwords. And that extends to your home equipment: If you’re using the default password that came with your router, change it. Hackers love default passwords.
“Take time to set that equipment up adequately,” Virani said. “Personalize it and secure it.”
Make sure you’re keeping current on software updates, too. These often come with security patches for newly discovered vulnerabilities. You can also set up your computer to update automatically so you get them as soon as possible.
Also, be wary of freeware. Virani says one of the riskiest things he sees in the small- to mid-market companies his company advises is their use of free services to handle sensitive information like file-sharing or teleconferences.
“The company that’s giving you something for free, they’re getting something out of it as well,” Virani said. “Really vet the partners you do business with and the tools that you use in your business. ... I think a lot of this free software out there, they put a lot of the company information at risk because you don’t know what they do with that information.”
You should also keep your work and personal life as separate as possible. Don’t use your work device for personal stuff and vice versa. That’s a lot harder to do when everything is done in your house, where your personal computer might be just a little bit more convenient in a given moment. It’s even harder if you have to use the same device for work and play. You might open your work computer up to security threats through whatever weird things you do or sites you visit in your personal time.
“I’m sure a lot of people have a distinction between what you do in the workplace and what you do on your own time,” Jeremy Tillman, president of Ghostery, told Recode. “When you blur those lines, and you mash those two things together, you make yourself a little bit more vulnerable in no small part because you’re simply increasing the amount of volume of your at-home digital activity.”
Try a VPN
A virtual private network (VPN) creates a private connection over a public network. Some VPNs allow remote workers to connect directly to their physical office’s server or intranet through their home internet connection. Think of these VPNs as secure tunnels between the two. Naturally, as more people work from home, VPN use has surged during the pandemic — but so have attacks on VPNs. So while VPNs are certainly useful, they’re not foolproof.
There are also consumer VPNs that anonymize all your internet activity by first routing it through a server and encrypting it before it goes out to the internet. If you spend a lot of time on the internet for work, making that activity as private as possible is generally a good idea.
“You do have this entire ecosystem of data brokers who have an extensive network of tracking technologies,” Tillman said. “You’re creating a digital footprint of your business activities and those can in turn be sold to anybody, really. ... It does take on a very different implication when it’s your work.”
A VPN hides your real IP address and anonymizes your internet activity from the websites you visit (as well as the trackers within them) and your internet service provider. To that end, you may also want to consider using tracker and ad blockers and limiting the cookies your browser accepts, if it doesn’t do this already.
VPNs also prevent your data from being intercepted by man-in-the-middle attacks. This is more of an issue when you’re using an unsecured public network like a coffee shop’s wifi — which many of us won’t be doing anytime soon, but we live in hope. It’s not out of the realm of possibility that a man-in-the-middle attack could happen to you over your home network, too. So when you’re sending important work-related data over the internet, it’s more important than ever that it’s encrypted.
One thing to watch out for if you’re considering getting a VPN: Make sure you’re using a reputable company, since you’re running all your internet traffic through its servers. Check out neutral and knowledgeable review sites like CNET and Wirecutter for their recommendations. You’ll probably want to avoid the many free VPN services out there, as many have been caught collecting and sharing user data or even containing malware. In some ways, these options are riskier than not having a VPN at all.
Consider buying some security software
This one should be pretty obvious, but it’s not always. If you’re using a Mac, you might think your device is immune to malware — and you’d be wrong. Windows devices are still more susceptible, but Macs aren’t impenetrable fortresses. Or maybe you just assumed your company’s IT department was taking care of protecting your company from cyberthreats. The average company’s office-based protections might include many good security measures, like URL filters that block access to suspicious links or sites known to contain malware, firewalls that shield the network from attacks, and browser protections, not to mention antivirus software. But that protection might not extend to your living room.
“You’re using a personal computer or even just your work computer, and a lot of these things that are protecting you, unless the company is rerouting all your traffic back to your office [through a VPN], you start off on your own,” Ostrowski said.
While you might be okay with running the risk of getting a virus or malware on your home computer, it might not be worth the risk on your work equipment. You also may be putting your company at risk of a ransomware attack, and those can be devastating both in the money that has to be paid out and the time lost.
There are plenty of good antivirus programs and even browser extensions out there that will help protect your computer. Again, review sites like CNET and Wirecutter are good places to start if you’re looking for recommendations. Wirecutter’s take is to eschew the antivirus software suite for a combination of your operating system’s built-in protections and a few add-ons like browser extensions. Wirecutter does say that people who work with sensitive information or browse “riskier parts of the Internet” may want to seek “more intense measures.”
Whatever you choose, consider purchasing it from an official app store or from a company you otherwise know you can trust through impartial reviews so you’ll have extra confidence that it’s on the up-and-up. There are plenty of scams out there — especially these days — claiming to sell antivirus software that’s actually very much the opposite.
Watch out for phishing
So, here’s the thing: The vast majority of security breaches don’t come from bad actors hacking their way into your computer or home network. They come from you letting them in through phishing attacks — that is, emails or even text messages that appear to be from someone you know and trust, like your employer or the World Health Organization, that contain links to malicious sites or files containing malware to download. During the pandemic, the number of phishing attempts has grown exponentially.
You can prevent most, if not all, of these just by being careful about clicking on links or downloading files in emails, especially if they come from unknown senders. Sometimes phishing emails come from a known display name but an unknown email address, so check your email provider’s settings to make sure you’re able to see both the display name and actual email address of the sender. Also, be wary of any emails that ask you to provide any kind of personal information, like your Social Security number, account passwords, or bank information.
When in doubt, don’t click on those links and certainly don’t download attachments. The FTC has a nice little guide on how to recognize and protect yourself from phishing attacks. And if you think you have been the victim of a phishing attack, notify your employer as soon as possible and change any passwords or sensitive information you’ve given away.
Don’t forget about your phone ...
Our lives are in our phones, and that means our work lives are in those devices, too. But it’s easy to forget about or get sloppy with cybersecurity when it comes to your devices.
“People often overlook their phone because they think of it more as a personal device, not a work device,” Ostrowski said. “But we’ve also seen a huge uptick on mobile malware relative to Covid.”
Hackers may send text messages with malicious links, and for emails you open on your phone, it’s harder to tell if the sender names are spoofed or if links point to malicious sites. If you must open a suspect email, wait until you’re on your work computer, assuming that machine has security measures in place.
“Mobile’s kind of the wild, wild West now, so if you’re not expecting something, be cautious,” Virani says.
... or your other connected devices
And while we’re on the subject of devices, take stock of what you’ve got connected to your home network. You might have a bunch of threat vectors hanging out there you didn’t even realize. The proliferation of “Internet of Things” devices means everything from sex toys to baby monitors could be connected to your home wifi. Not all of them take user privacy and security into account, leaving them — and you — with multiple vulnerabilities. And with people working from home, there may be more devices on your network than ever. Employers and employees alike may overlook wireless devices like printers and smart speakers, but anything connected to your wifi can present hackers with another way into a target’s computer or home network.
“Within the last two months, we’ve seen a 42 percent increase on the number of devices connected to an organization,” Yossi Appleboum, CEO of Sepio, a company that provides security from hardware-based attacks, told Recode. “In the last week, we’ve seen an even bigger jump because people started to realize it’s not going to be another week or two [of remote work], it’s going to be longer.”
Aside from limiting your network to only the essential devices (do you really need every device to be a smart device?), keep your software and firmware updated for patches to any newly discovered vulnerabilities. Again, don’t forget to change any default passwords. And make sure you’re buying connected devices from a manufacturer you know and trust. While no brand is perfect, cheap devices from obscure companies tend to have serious security flaws.
One other thing to consider: microphones and cameras. Many devices have them, and if they’re on while you’re working they could present a risk. For example, Alice, the benefits manager, told Recode that one of the few security measures her company did put in place was a rule to turn off all listening devices, like her Amazon Echo, which could accidentally pick her up discussing confidential patient information. The same could go for home security cameras that often start recording whenever sound or movement is detected.
Ultimately, you should think about the security of your home office in broad terms as well as these specifics. Don’t just follow one of these suggestions to protect your work life. Try several! Security experts recommend a stack, or layers, of security so that you build some redundancies into the whole system. Even the best anti-malware program can’t guarantee you won’t get hacked, but having multiple safeguards in place means one might catch or prevent an attack or vulnerability the others missed.
If your employer has done its due diligence and provided you with the most secure home office setup possible, that’s great. But it might not be a bad idea to incorporate some or all of these suggestions for your personal computing needs as well. When it comes down to it, hackers are almost always after money, and they can get that from your workday as well as what you do after hours.
If you’re trapped inside with nothing else to do, you’re probably using the internet more than ever. Might as well do it as safely as you can.
Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.