Your employer has unexpectedly directed you to telework—and you are feeling overwhelmed. With many changes happening at once, telework security could be an afterthought or completely overlooked. This could put you and your organization at increased risk from attackers, who are always looking for opportunities to take advantage of disruption generally and weak security practices specifically. But it’s more than your organization at risk—if your telework device is compromised, anything else connected to your home network could be at risk too.
Don’t panic. There are some simple things you can do to improve your security. The tips that follow apply to almost all situations, and they’re relevant whether you’re using your organizations’ laptop or smartphone, or your own personal desktop or tablet.
Basic tips to improve your telework security:
- Find out if your organization has rules or policies for telework, and if so, make sure you read them and comply with them. For example, it may be OK for you to use your own computer for reading company email but not for accessing sensitive customer data.
- Protect your computer communications from eavesdropping. If you use Wi-Fi (wireless networking) at home, make sure your network is set up securely. Specifically, look to see if it is using “WPA2” or “WPA3” security, and make sure your password is hard to guess. If you’re unsure how to do this, you might be able to find a how-to video or checklist online by doing a search for your Wi-Fi router brand and model.
- If your organization has a VPN (virtual private network), use that on your telework device for stronger protection (your organization’s telework rules or policies will likely tell you if you do). If not, consider using your own VPN—you can find numerous providers online.
- If you’re using your own computer or mobile device (something not issued by your organization) for telework, make sure you’ve enabled basic security features. Simply enabling the PIN, fingerprint, or facial ID feature will prevent people from getting on your device should you walk away from it. Any PIN or password you use should be hard to guess.
- Keep your computers and mobile devices patched and updated. Most provide an option to check and install updates automatically. Enabling that option can be a good idea if you don’t want to check for updates periodically.
- If you’re seeing unusual or suspicious activity on any device you’re using to telework (computer, mobile device, or home network) ask for help—better safe than sorry. Contact your organization’s help desk or security operations center to report the activity.
Be on the lookout for social engineering attempts such as phishing emails or phone scams related to telework. Social engineering is when someone tries to trick you into doing something or giving away personal information. Scammers and criminals use every major event to come up with new schemes, and with you and others suddenly teleworking, attackers will try to take advantage of this changing environment. If you get emails from unknown accounts with strange file attachments, if people call claiming to be technical staff asking for your passwords or telling you to go to a website to ‘scan’ your computer, if you get unusual web meeting requests—don’t hesitate to ask questions and verify things by phone or other means before proceeding.
For more information on telework security, see:
- User’s Guide to Telework and Bring Your Own Device (BYOD) Security
- STOP. THINK. CONNECT.
- CIS Controls Telework and Small Office Network Security Guide
- ITL March 2020 Bulletin: Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions
- NIST Special Publication (SP) 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security