Top security tips for employees working from home

A man typing on a laptop keyboard with icons for home wifi, security, storage, analytics, settings and more floating around
(Image credit: Shutterstock)

The last 12 months have been unusual for many reasons. COVID-19 has forced the majority of the world into lockdown, and as a result, much of the global workforce has had to quickly adjust to working from home. For many, this will have been the first experience of long-term remote working in their professional lives.

Things are likely to shift in a more lasting way, too. A survey from US-based Enterprise Technology Research (ETR) revealed that the percentage of workers around the world that will permanently work from home could double in 2021 due to positive productivity trends seen during the coronavirus pandemic. The survey of IT decision-makers found that pre-COVID, 16.4% of their companies' workforces worked from home compared to the 34.4% predicted for 2021.

There's a lot to get used to with remote working, from Zoom meetings to battling with temperamental Wi-Fi, homeschooling and setting up a comfortable at-home office space. But one of the biggest challenges from a work perspective is the potential impact that it can have on security. Outside of the office's network perimeter, employees become much more susceptible to cyber threats. There are, however, a number of tips, tricks and tools that can help keep staff safe when working away from the office.

The first matter to address is passwords. While many will argue that passwords are outdated technology, they still control access to all of our devices and digital services, and so should be treated with the respect that this entails. If you’re re-using the same passwords for multiple services, this can open up major vulnerabilities if one of those services is compromised.

Using predictable or easily-guessed passwords is also a problem; even a password that contains capital letters and numbers may not necessarily be as secure as you think it is. The best way to ensure that your passwords are as strong as possible is to use a password manager like Lastpass or 1password, which can store a different complex password for every account you have. They can also help create new passwords that fulfil specific strength criteria, like the number of characters or pronounceability.

One of the benefits of using a password manager is that you can easily change your passwords, which you should consider doing on a semi-regular basis anyway, whether you need to or not. For maximum security, you could change them as often as every month, but at the very least you should use a free breach tracking service Have I Been Pwned to monitor whether your account credentials have ended up in any recent data breach dumps. If they have, change any affected passwords as soon as possible.

More factors, more security

Another excellent way to protect access to online accounts is to enable multi-factor authentication (MFA). Also known as two-factor authentication (2FA), this feature requires both your existing password and a secondary verification method - such as a hardware token or randomly-generated code - before it will accept a login attempt. In practise, this means that even if an attacker does have your password, unless they also have your secondary login method, they won’t be able to get in.

“We talk about cybersecurity requiring a holistic approach, and this is precisely where each person's participation is vital,” says Rois Ni Thuama, Red Sift’s head of cyber governance. “Failing to use MFA and a password management system is in my view the digital equivalent of leaving the bow door open and setting sail. Remember the Zeebrugge disaster? The ferry operators took shortcuts and the damage was immeasurable.

“MFA and the associated risk mitigation impact is well known and understood. I believe that provisions in employment contracts should compel personnel to participate in firm-wide policies and practices and put personnel on notice that failing to adhere to best practice jeopardises the firm, colleagues, data, reputation and clients and that this is intolerable to the firm.”

Almost all mainstream cloud services and apps now support some form of two-factor authentication, and it’s worth enabling it everywhere you can. While it may sometimes be a little frustrating if you’re trying to log into a new device in a hurry, it will provide an extra layer of protection that could make all the difference.

“If you have ‘MFAed all the things’ your organisation may be able to do away with any arduous or inconvenient password policies,” explains Ian Thornton-Trump, CISO of threat intelligence firm Cyjax. “With MFA in place, ‘summer123’ becomes as secure as ‘insert 16-plus character keyboard smash, special character, numbers, letters, upper/lowercase’ nonsense.”

Secure software, secure hardware

On the subject of multi-layered protection, it’s important not to overlook your device when thinking about security. We’re all guilty of putting off those nagging software updates because we’re ‘too busy’ or ‘in the middle of something’, but what nobody likes to admit is that those updates are there for a reason. They exist to patch security holes that, sooner or later, hackers are going to start exploiting.


The total economic impact of IBM Security Verify

Cost savings and business benefits enabled by IBM Security Verify


It’s especially important to keep an eye on your software patches if you’re using a personal device, as there’s a good chance that your company’s IT department won’t have any way to remotely install updates. That means it’s your responsibility to make sure you’re not at risk. It’s a good idea to set your operating system to automatically download and install updates wherever possible, and there are also third-party software tools that can help you keep track of any outstanding patches for your installed apps.

“Remote Monitoring and Management (RMM) tools are the answer here,” Thornton-Trump says; “they’re easy to deploy and easy to use. The primary use is to keep those employee- owned devices up to date and deploy a centrally-managed antivirus or EDR solution. The secondary role is to allow IT staff to assist an employee to troubleshoot corporate access to corporate systems. Managed Service Providers (MSP) have been doing this for years, providing support for disparate systems running uncommon configurations in all kinds of different networks.”

Corporate networks are usually guarded by a battery of different monitoring and protection technologies to ensure that no unauthorised snoopers are lurking on them, but sadly most of our home broadband networks aren’t quite so well-defended. An unsecured network can allow an attacker to intercept and tamper with communications going across it, but there are ways to prevent this. Changing your router’s default access credentials is a good first step, as these are often freely available from the manufacturer’s website. A VPN service can help protect against anyone trying to spy on your network traffic, and is also useful for those of us who may prefer to get out of the house and work from a cafe or coffee shop. Your router may even have built-in security features included as standard - if so, you may as well switch them on for additional protection.

While we’re on the subject, it’s a good idea to deploy antivirus software on any machines that are used for work tasks (and ideally all of your devices in general). There are a number of capable free solutions which will work well, including Windows Defender. Whichever tool you prefer, make sure to schedule regular scans in order to maintain ongoing levels of protection.

Finally, it’s very important that staff are aware of the organisation’s internal policies and procedures, particularly around data sharing and security. Make sure that clear, documented guidelines are available for all employees, with refresher training if necessary; this will help staff stick to best practices. Similarly, staff should feel comfortable contacting the IT department if they have any questions or concerns around security issues. If employees think they may have identified a security risk, they should be able to notify the IT team as easily as possible.

Drop-in support sessions can be useful for building rapport between IT staff and employees, as can dedicated communication channels in corporate collaboration apps like Slack and Microsoft Teams. The key is to make sure that workers have an easy way to contact IT if they feel unsure about anything, and that they are encouraged to do so.

The current situation is a big adjustment for many of us, particularly those of us that haven’t experienced remote working in any sustained capacity, but just because we’re outside the office doesn’t mean that we can’t be secure. By following these tips, you can help protect yourself and your organisation from cyber threats while working from home.

Adam Shepherd

Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.

Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.

You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.