Large parts of the UK are now working from home, which leads to unknown risks. Chris Lin, VP, Information Technology at Mozilla, offers tips on how companies and employees can successfully design a secure home office in the age of COVID-19.
It’s no exaggeration to say that the pandemic has fundamentally changed the way we work. Work-from-home policies that will be in place long after the crisis is resolved have been deployed across industries. We only need to look at the accelerated adoption of communication platforms such as Slack and Zoom to see this.
For example, Microsoft’s collaboration platform Teams generated almost three billion minutes of online meetings in a single day in early April, a new record and just under five times the amount generated just four weeks earlier. With this huge and abrupt shift to telecommuting, however, come new challenges and security risks that need to be addressed.
When it comes to security, there are three core areas that should be addressed when designing a home office: IT and hardware security, connection security and data security. At Mozilla, we’re well versed in approaches to home office security, as half our global workforce (and more than two thirds of our UK workforce) worked remotely prior to the pandemic. Because of this, we’ve learned some things along the way on how to build a secure home office – here are our tips:
Most devices provided to employees, and the associated software, are monitored by an in-house IT expert or a specialised contractor. This means someone is dedicated to maintaining the antivirus software and firewall protections that have been set up, making sure the devices stay clear of viruses, malware and other potential security threats.
Companies as a rule tend to impose guidelines around the use of private devices such as laptops or storage drives for work because they are significantly less secure. However, when working from home, the likelihood of strict adherence is reduced, particularly if the guidelines are not set out clearly.
That’s why it makes sense for employees to only use equipment secured in advance with common protection software by the company’s IT department. However, this equipment also needs to be protected when used in the home: that means not using private USB sticks with it and not coupling it with other private devices (via Bluetooth, for example).
Moreover, employees should be careful when checking work and private emails on the same device, as malicious actors often try to spread malware through inboxes. Some are impersonating Zoom, Microsoft Teams, and Google Meet for phishing scams, and others are even sending out emails posing as authorities such as an organisation’s CEO.
Secure data transmission
Another major consideration is how company data is stored and transmitted between employee devices. Most companies require access to employee data at all times, and ensuring data is stored in a secure and safe manner is paramount.
To achieve this, we highly recommend strictly separating work and private computing devices, from laptops to smartphones and even tablets. Employers should ensure employees use specific cloud solutions such as Egnyte, Dropbox and Box for storing all company assets, and should discourage the use of personal storage solutions or private USB sticks.
Employees should also only use secure and approved platforms when sending data to third parties such as customers, clients or service providers. There are a number of different options available, such as Firefox Send, WeTransfer or Google Drive, that can be used to guarantee data doesn’t fall into the wrong hands.
What has also been made clear by the rise of remote working is the need to secure the connections over which sensitive data is transferred between businesses and employees. At home, most people access the internet over Wi-Fi, which, in many cases, is not protected effectively against attacks.
While most people are aware of the dangers of connecting to public Wi-Fi networks, many may not realise the weakness of home Wi-Fi networks. Most people set up their routers plug-and-play after purchase, with the default provided password and a weak Wi-Fi key, which is definitely insufficient for professional work.
Most organisations mandate that a VPN (virtual private network) should be used for access to an internal company network where documents and programs are stored. This is an effective protection measure to avoid hostile actors intercepting data, as you never know who may take the opportunity to break in.
Employees can also safeguard against the dangers of an insecure connection at home in a number of ways. It’s recommended to enable at least WPA2 encryption on your Wi-Fi router, and ideally WPA3 if you have access to it on your device. Vigilance with related software and firmware is also key, as is ensuring company data is only accessed via a VPN and avoiding public networks if this facility is not available.
In the end, there’s no one right way to secure your home office, but the strategies outlined above will go a long way towards mitigating the potential risks. Focusing on these three areas will help make sure security best practices are deployed across your organisation to remove potential risks and concerns at a time when they are least welcome.
By Chris Lin
VP, Information Technology