Your employer has unexpectedly directed you to telework, and you are feeling overwhelmed: you still have deadlines to meet and projects to complete. With many changes happening at once, telework security could be an afterthought for some, or be completely overlooked. This could put you and your organization at greater risk from attackers, who are always looking for opportunities to take advantage of workplace disruption, especially now, with coronavirus restrictions causing more workplace displacement and anxiety than usual, the National Institute of Standards and Technology cautions.
NIST advises that more than your organization is at risk: if your telework device is compromised, anything else connected to your home network could be at risk too.
While most organizations are providing a security checklist for teleworking employees, NIST offers some simple suggestions to improve security. The tips that follow apply to almost all situations, and they’re relevant whether you’re using your organization’s laptop or smartphone, or your own personal desktop or tablet.
NIST basic tips to improve your telework security:
First and foremost, if your organization has rules or policies for telework, make sure you read them and comply with them. Don’t try to be a ‘hero’ by circumventing organizational security controls to get your work done. Your organization won’t thank you if you put your workplace security in jeopardy by disregarding mandatory guidelines, NIST advises.
- Protect your computer communications from eavesdropping. If you use Wi-Fi (wireless networking) at home, make sure your network is set up securely. Specifically, look to see if it is using “WPA2” or “WPA3” security, and make sure your password is hard to guess. If you’re unsure how to do this, you might be able to find a how-to video or checklist online by doing a search for your Wi-Fi router brand and model.
- If your organization has a VPN (virtual private network), use that on your telework device for stronger protection (your organization’s telework rules or policies will likely tell you if it does). If not, consider using your own VPN; you can find numerous providers online.
- If you’re using your own computer or mobile device (something not issued by your organization) for telework, make sure you’ve enabled basic security features. Simply enabling the PIN, fingerprint, or facial ID feature will prevent people from getting on your device should you walk away from it. Any PIN or password you use should be hard to guess.
- Keep your computers and mobile devices patched and updated. Most provide an option to check and install updates automatically. Enabling that option can be a good idea if you don’t want to check for updates periodically.
- If you’re seeing unusual or suspicious activity on any device you’re using to telework (computer, mobile device, or home network), ask for help; better safe than sorry. Contact your organization’s help desk or security operations center to report the activity immediately.
Final words of caution from NIST
Be especially alert to social engineering attempts such as phishing emails or phone scams related to telework. Social engineering is when someone tries to trick you into doing something or giving away personal information. Scammers and criminals use every major event to come up with new schemes, and with you and others suddenly teleworking, attackers will try to take advantage of this changing environment.
If you get emails from unknown accounts with strange file attachments, if people call claiming to be technical staff asking for your passwords or telling you to go to a website to ‘scan’ your computer, if you get unusual web meeting requests—don’t hesitate to ask questions and verify information by contacting your supervisor or security office.
For more information about telework security, see: