Keeping your data safe when working from home

20th March 2020

As home working becomes the new ‘normal’ during the current Covid-19 crisis, it’s important to take a moment to think about your digital security for both your personal and work activities. 

The risk from those with malicious intent will sadly be heightened at this time MyConcern's Chief Technology Officer has put together a checklist and some advice on how to protect yourself, your family and your company’s information. 

Remember, all the same principles about protecting personal and/or sensitive data apply when working from home, so be especially mindful about the data that you are processing.

Top tips for data security when working from home:

1. Beware of phishing emails

  • Be suspicious of the email you receive! 
  • Pause a few seconds before clicking on hyperlinks in an email; it might appear to have been sent by a trusted source, such as a colleague, but it could have been faked. 
  • Hover your mouse over the links, you will be able to see the full URL, this will help you to identify if the link is going to where it says it is.
  • Does it look right, are they any spelling mistakes or logo discrepancies, does it look like the usual emails you receive from that organisation?

For tips on how to identify a phishing email, Google “NCSC step 5 avoiding phishing attacks” (or if you trust this hyperlink, visit www.ncsc.gov.uk/collection/small-business-guide/avoiding-phishing-attacks)  

If you do click on a link that turns out to be malicious, contact your IT department immediately, they will be able to help and advise. 

If you don't have an IT department, run a virus scan on your device and once completed, change the password for that system/website.

 

2. Don’t enter personal or company credentials into unknown sites

Be very suspicious if you receive an email that requires you to log in with your company (or personal) details, especially if the email is unexpected or it’s the first time you’ve been asked to login in this way.  It is better to visit the web site by opening a web browser and typing the link yourself.

 

3. Use Company issued equipment when possible

Wherever possible, try to use company-issued equipment, your IT department should have been keeping it up-to-date with the latest security updates.

If you are having to use your own computer, do the following:

  • Make sure your home computer has the latest security ‘patches’ so that it is fully up-to-date (see tip number 4).
  • Make sure that you have anti-virus software installed and che­ck that it is fully updated.  It’s no use if it is 6 months behind the latest signature file!  Ensure you run a scan of the whole computer on a regular basis too.
  • Depending on the version of operating system you are using, create a new user account (with a password) which you only use for work.  This will keep your work and home stuff separate.  Again, if possible, downgrade the account from being an Admin user to be a Standard user.
  • If your company has a VPN, always use it to connect to your office network.
  • If using a VPN, once you’ve finished working, make sure you disconnect from the office network.  Don’t just let your computer lock the screen – the connection will still be running in the background.
  • Do not connect to your office network from unsecured WIFI hotspots such as a café.

 

4. Patching

Keeping your devices up-to-date with the latest software and security updates is fundamental to keeping your information safe.  

In most office environments, this task is completed by your IT team. With home-working becoming the norm this responsibility falls to everyone.

  • Make sure you regularly check for updates and always apply them.
  • If done regularly this should only interrupt you for a few minutes.
  • To download patches, press the Windows key, or go to the Start menu, then type “Update” in the search bar. 
  • This will show you a button on the menu called Check for Updates; click it, then when the Updates window opens, click on the grey Check for Updates button to start the updating process. 
  • Do this at least weekly.
  • Mac users will also be prompted to install new updates when available.

 

5. Think Mobile - mobile phones need to be secure too!

Just like the advice above to patch your computer, you should regularly update your mobile phone with the operating system patches released by the phone provider.

You should also use a PIN number to access your device.

  • Switch on the requirement to log in with a PIN and set it to use at least 6 digits; more is preferable and don’t use easily guessable numbers such as your birth date.

 

6. Maintain good password hygiene – a password manager can help

Certain password rules are enforced by most company’s equipment, but the rules still cannot prevent weak passwords being used or when using your own devices. 

  • When picking a password, longer passwords containing multiple words are better.
  • You can read the National Cyber Security Centre’s advice on setting a good password using three random words here
  • You can check whether any websites you have used have been previously hacked/compromised, at a site called “Have I been pwned”.  This data all depends on whether a site has announced that they’ve been compromised or if the compromised credentials have been released by security experts/hackers.
  • If you find that your chosen password has been compromised, change it following the guidance from the National Cyber Security Centre (NCSC) about long passphrases.  
  • Don’t re-use passwords. This can make you vulnerable when a website is hacked (even one that you don’t use) and all their users’ passwords are exposed. If you’re in the habit of using the same password on multiple web sites, you dramatically increase the risk of someone being able to guess your password through a “brute force” attack. 
  • Do not use an easily guessable password, such as pet names, children’s names, dates of birth etc. This information can be easily obtained through social engineering or by looking at your social media profile/posts.  To find out more on Social Engineering check out this post.
  • The simple solution to this is to use a different password for each site you log into.  How do you remember hundreds of passwords?  The answer is to use password management software.

Using a Password Manager

  • To “remember” all of your passwords, use password management software.  Many companies now use password managers, but if you don’t have one you can easily set one up yourself. You can download a free password manager such as LastPass, Dashlane or KeePass.
  • Most password managers allow ‘cloud synchronisation’, this means you can install it on your devices (laptops/desktops/mobiles) and it will securely synchronise to the cloud so any changes or additions are immediately updated across all of your devices.
  • Once set up you only need to set and remember one really strong, unique password to protect all the others.
  • Encourage your family members to download their own and use them too.  Some of these, such as LastPass, also have a mobile phone app that synchs to your account, so you can access passwords from whatever device you are using.
  • Some Password Managers have additional tools such as how many times you have reused a password, Dark Net scanning and the ability to change compromised passwords from within the Password Manager itself.
  • Mostly, all good Password Managers will generate a strong and complex password for you, so you don’t have to come up with one yourself. No more randomly picking words from the dictionary or a book you have to hand!

 

7. Switch on 2FA

Wherever possible, switch on two-factor authentication.  This means that even if a hacker manages to capture your username and password, with 2FA you’ll have an additional layer of security to protect you.  Two-factor authentication can be set up in many ways:

  • Email – A code is generated and sent to an email address you have set
  • Text – A code is sent to your registered mobile number
  • Phone Call – An automated phone call is made to your registered phone number to give a code or allow you to approve/deny to the login attempt
  • Apps – Apps like Google Authenticator or Microsoft Authenticator can be used to manage and store multiple account code generations. You can configure the App for your account and it will then generate a new code every 60 seconds that will automatically expire.

 

8. Only use Company approved communication platforms 

Most companies have specific communications platforms in place such as Microsoft Teams or Slack etc. You should continue to use the systems you already have in place as their security practices will already have been reviewed by your IT department.  It's also important to use features such as group chats and video calls to stay in touch with your colleagues while spending extended periods of time in isolation. 

 

9. Data Protection Responsibilities

All the same principles about protecting personal and/or sensitive data apply when working from home, so you should be especially mindful about the data that you are processing.  DO NOT process any personal data, as defined in the GDPR, for work purposes on your own devices if you have been issued with company equipment. If you are asked to do so but haven’t had equipment provided, speak to your IT Department and/or your Data Protection Officer.

 

To read more about information security from a trusted source, visit the web site of the National Cyber Security Centre (NCSC).

Written by Darryl Morton, Chief Technology Officer, MyConcern.