It’s funny how things change… If you’d have suggested in 2019 that within 12 months, the privilege of working from home (or abroad) would morph, practically overnight, into a right. Three years on from the lockdown-inducing pandemic, and the world is very much open for business — normality has been restored, and thankfully the memories of isolation and social-distancing are fading.
However, while the pandemic may have freed us from the confines of the office cubicle, it had another, unexpected effect — a boom in cybercrime, and it’s a trend that has continued to this day.
With remote work and global employment now the new standard and most of the world exclusively relying on email, instant messengers, and video conferencing to communicate, would-be hackers have more options than ever when it comes to launching their attacks. Since 2020, the pool of potential cybercrime victims has suddenly turned into an ocean, and before long, malicious actors phishing and scamming their way through the remote working revolution, leaving a trail of destruction in their wake.
In case it wasn’t clear before, cyber security isn’t something to ignore — especially if you’re working remotely. In this article, we’ll discuss how you can defend yourself (and your employer) when you’re WFH.
Embrace Zero Trust Security
In an age where traditional security perimeters have all but disappeared, embracing the Zero Trust Security model becomes paramount. And while it may seem more relevant to those overseeing remote workplaces rather than individual employees, it’s still worth getting to grips with the concept.
This approach operates under the assumption that no one, whether inside or outside the network, should be trusted by default. Instead, every user and device must be verified and authenticated before gaining access to sensitive data or systems.
Zero Trust Security ensures that even if a threat actor gains access to one part of your network, they won’t have free reign to move around. Implementing this approach involves multifactor authentication, least privilege access, continuous monitoring, and strict access controls. By adopting a Zero Trust mindset, you significantly reduce the risk of unauthorized access and data breaches.
Key aspects of the zero trust framework include:
- Identity Verification: Ensure that all users and devices are thoroughly verified and authenticated before granting access to your network or sensitive data. This typically involves multifactor authentication (MFA) and strong, unique credentials.
- Least Privilege Access: Apply the principle of least privilege, which means granting users or devices the minimum level of access required to perform their tasks. This reduces the potential damage that can be caused by compromised accounts.
- Micro-Segmentation: Segment your network into smaller, isolated zones or micro-segments. This limits lateral movement for cyber attackers, making it harder for them to traverse your network undetected.
- Continuous Monitoring: Implement continuous monitoring and real-time threat detection to identify and respond to any suspicious activities promptly. This proactive approach helps prevent potential security breaches.
- Strict Access Controls: Implement strict access controls and policies based on user roles, device health, and contextual information. Only authorized entities should gain access to specific resources.
- Zero Trust Frameworks: Familiarize yourself with widely recognized Zero Trust frameworks such as NIST’s Zero Trust Architecture, Forrester’s Zero Trust eXtended (ZTX), or Google’s BeyondCorp. These frameworks provide detailed guidelines for implementation.
- Cybersecurity Training: Invest in cybersecurity training for your IT staff and employees. Understanding the principles of Zero Trust and how to apply them is crucial for successful implementation.
- Consultation Services: Consider consulting with cybersecurity experts who specialize in Zero Trust Security. They can provide tailored guidance and help you design a security architecture that aligns with your organization’s needs.
- Threat Intelligence Feeds: Stay updated on the latest threat intelligence feeds to understand emerging cyber threats and vulnerabilities that may affect your security posture.
Keep Software and Systems Updated
One of the most common entry points for cybercriminals is outdated software or unpatched systems. Ensure that your operating system, applications, and antivirus software are regularly updated. Cybersecurity patches are often released to fix vulnerabilities that hackers may exploit. Ignoring these updates is like leaving your front door wide open for intruders.
- Enable Automatic Updates: Most operating systems and software applications offer automatic update features. Turn them on to ensure you receive the latest security patches without having to manually check for updates constantly.
- Schedule Updates: If automatic updates aren’t available or practical for specific software, set a regular schedule to check for updates. Consistency is key to staying protected.
- Prioritize Critical Updates: Some updates are more critical than others. Pay close attention to security updates and patches, as they address known vulnerabilities. Always install these updates as soon as they become available.
- Update All Software: It’s not just your operating system and antivirus software that need attention. Be sure to update all installed applications, including web browsers, office suites, and plugins like Adobe Flash or Java.
- Mobile Devices: Don’t forget about your mobile devices. Keep your smartphone, tablet, and any other connected devices up to date by enabling automatic updates if possible.
- NIST National Vulnerability Database (NVD): The NVD provides a comprehensive list of known software vulnerabilities and their severity ratings. Regularly check this database to see if any of your installed software are on the list.
- Software Update Tools: Many antivirus programs include features to help you manage software updates. Check if your antivirus software offers this service, as it can simplify the update process.
- Software Vendor Websites: Visit the official websites of the software you use regularly. Most vendors provide information on the latest updates and security patches.
Use Strong, Unique Passwords
Password hygiene is a basic yet crucial aspect of cybersecurity. Avoid using easily guessable passwords or reusing the same password across multiple accounts. Consider using a reputable password manager to generate and store complex, unique passwords for each of your online accounts. This practice makes it exponentially harder for cybercriminals to gain access to your accounts.
With phishing and malware so commonplace now, it’s crucial you choose a strong password. Top 10 network threats (July 2021) Image source
It’s also worth looking into whether any of your email addresses have been compromised in the past — check this using Have I Been Pwned. If your address was part of a breach, change your passwords immediately, and activate 2-factor authentication — this will provide an extra layer of protection, should anyone attempt to access your account in the future.
- Complexity Matters: Create passwords that are complex and difficult to guess. Use a combination of upper and lower-case letters, numbers, and special characters. Avoid using easily guessable phrases like “password123.”
- Length Matters Too: Longer passwords are generally more secure. Aim for passwords that are at least 12-16 characters in length.
- Avoid Common Words: Don’t use common words or phrases in your passwords. Dictionary words, even with substitutions like “p@ssw0rd,” are still vulnerable to dictionary attacks.
- Avoid Personal Information: Refrain from using easily discoverable information like your name, birth date, or the names of family members as part of your passwords.
- Unique for Each Account: Never reuse passwords across multiple accounts. Each online service or account you have should have its own unique password.
- Consider Passphrases: Consider using passphrases – longer combinations of random words, which are easier to remember and more challenging to crack. For example, “PurpleTiger$JumpingMoon!”
- Use a Password Manager: Password managers can generate, store, and autofill complex passwords for you. They are a convenient and secure way to manage your passwords.
- Password Managers: Consider using popular password managers like LastPass, 1Password, or Dashlane. These tools can generate strong passwords and store them securely.
- Password Strength Checkers: Security.org and Bitwarden can check the strength of your passwords. They can help you identify weak passwords that need to be changed.
Encrypt Your Data
Data encryption is your shield against data breaches. Ensure that sensitive information, whether in transit or at rest, is encrypted. Most modern communication tools and cloud storage services offer encryption features. Take advantage of them to safeguard your data from prying eyes.
- Understand Encryption Types: Familiarize yourself with the two primary types of encryption: at rest and in transit. At rest encryption protects data stored on devices or servers, while in transit encryption secures data as it moves between systems.
- Use Secure Protocols: When transmitting data over networks or the internet, use secure communication protocols such as HTTPS for websites, SFTP for file transfers, and VPNs (Virtual Private Networks) for remote access. These protocols often include encryption by default.
- Full Disk Encryption: Enable full disk encryption on your devices, including laptops and mobile phones. This ensures that even if your device is lost or stolen, the data remains protected.
- Strong Encryption Algorithms: Ensure that strong encryption algorithms are in use. Common ones include AES (Advanced Encryption Standard) for data at rest and TLS (Transport Layer Security) for data in transit.
- Regularly Update Encryption Software: Keep your encryption software and tools up to date. Security vulnerabilities are occasionally discovered, and updates often include patches to address these vulnerabilities.
- Built-in Encryption Tools: Many operating systems, like Windows BitLocker and macOS FileVault, include built-in encryption tools. Explore these options for securing your devices.
- Third-Party Encryption Software: Consider using third-party encryption software like VeraCrypt for creating encrypted containers or tools like GPG (GNU Privacy Guard) for email encryption.
- Cloud Storage Encryption: If you use cloud storage services, such as Google Drive or Dropbox, make use of their built-in encryption features. Additionally, look into client-side encryption solutions that encrypt your data before it’s uploaded to the cloud.
- Data Classification Policies: Implement data classification policies within your organization to determine which data requires encryption and what level of encryption is appropriate.
- Training and Awareness: Educate yourself and your team about the importance of data encryption and how to use encryption tools effectively. Knowledge is a critical aspect of successful implementation.
Stay Informed and Educated
Cyber threats are ever-evolving, and new attack vectors emerge regularly. Stay informed about the latest cybersecurity trends and threats. Regularly educate yourself and your colleagues about phishing scams, social engineering tactics, and best practices for staying safe online. Cybersecurity awareness is a potent defense.
- Follow Cybersecurity News: Regularly read reputable cybersecurity news sources, blogs, and forums. Websites like KrebsOnSecurity, Dark Reading, and Threatpost provide valuable insights into the latest threats and trends.
- Subscribe to Threat Intelligence Feeds: Many organizations and security companies offer threat intelligence feeds that provide real-time information about emerging threats. Subscribe to these feeds to stay updated.
- Join Online Communities: Become part of cybersecurity-focused online communities and forums. Engaging in discussions and sharing experiences with peers can help you gain practical knowledge and stay updated on the latest trends.
- Cybersecurity Certifications: Consider pursuing recognized cybersecurity certifications such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Certified Ethical Hacker (CEH).
- Online Courses and Platforms: Platforms like Coursera, edX, and Cybrary offer a wide range of cybersecurity courses, often provided by top universities and experts.