See it and Sell it First at ASI Show Orlando – January 4-6, 2025.   Register Now.

Cybersecurity for Remote Workers

With millions of people working from home, cyber threats are more of a concern than ever. Here’s how to protect your company.

As the coronavirus bore down on the United States, tens of millions of Americans became telecommuters virtually overnight. Now, companies have been challenged to make sure their employees remain aware of cybersecurity threats just as scammers and hackers take advantage of the crisis to wreak havoc.

Waveform.com, a California company that works to strengthen cellphone signals, estimates that 85 million Americans are now working from home full time; their commercial sales have fallen since office buildings have closed, but increased exponentially for private homes as workers settle into their remote setups for the long haul.

Cybersecurity from home

“That’s such a huge, monumental shift to remote work unlike anything we’ve ever seen in the U.S.,” founder and CEO Sina Khanifar told City News Service in Los Angeles. “And I expect the number to go up.”

The increase in remote work has also led to more virtual meetings. Remote conferencing service Zoom reports that daily user volume increased from 10 million people in December to 200 million in March. But it’s given rise to a new form of cyber harassment called “Zoombombing,” where intruders infiltrate calls and post explicit images and hate speech.

NPR reports that a doctoral dissertation defense in California, an Alcoholics Anonymous meeting in New York, Sunday school in Texas, online classes at the University of Southern California and a city meeting in Michigan are among recent victims. The FBI has even issued a warning.

It raises an important question: With so many employees working in home offices, how do companies continue to protect business assets and keep their cybersecurity stringent? Here are six tips for employees so they can help their employers keep connections secure and avoid vulnerabilities during this critical time.

Be aware of phishing.
Scammers are ready and able to exploit the increase in remote work, knowing that companies’ assets are even more vulnerable at this time of crisis. Business Insider reports that hackers are taking advantage of widespread confusion by posing as healthcare officials or government agencies (like in Canada) to trick people into downloading malware or giving up their login credentials. It’s called phishing, and it’s on the rise. But it’s not just email; phone calls and texts can also be used to target people.

“Make sure that employees know never to share personal or financial information if they weren’t expecting the request,” says Aaron Zander, head of IT at San Francisco cybersecurity firm HackerOne. “If the email looks like it came from a colleague, they should call the individual directly or create a new email message to confirm first. Now that so much more is being done over email, we have to be extra diligent in checking who’s sending them.” If it’s from an outside party, alert the IT team and check if it’s legitimate, says Darren Guccione, CEO and co-founder of password management firm Keeper Security in Chicago.

Workers need to be on high alert for coronavirus-focused scams, particularly ones that have “an important message from your local health officials” or a promise of relief money that’s immediately available. “Hackers are preying on our need for more information and trying to tempt us to click suspicious links,” says Ayanna Haskins, founder of cybersecurity consultancy Datcher Group. “Everyone needs to be on the alert for these scams.”

Keep work and personal devices separate.
Whenever possible, remote employees should be given company machines configured with enterprise-grade security. If they’re working on their own devices, remind them to keep them up to date with antivirus software, and to maintain an updated browser to ensure installation of critical patches, says Randy Mohrbacher, technology advisor for Top 40 distributor AIA Corporation (asi/109480). In some cases, however, employees using personal devices may only be able to have restricted access.

“If you allow team members to access sensitive information or corporate networks from their personal devices, there’s no way of knowing if the system has enough protections in place,” says Colton DeVos, marketing and communications specialist at IT consultancy Resolute Technology Solutions in Winnipeg. “With corporate equipment, your IT team can ensure each device has adequate antivirus, firewalls, email protection and other protective filters.”

Remind employees not to use company-owned equipment for any personal use, which could expose it to threats, says Dr. Wesley McGrew, director of cyber operations at HORNE Cyber, a cybersecurity firm. That includes not lending company-owned or even personal devices to family members; in fact, they shouldn’t have access to them at all.

“This isn’t the time for an employee’s child to download malware onto a laptop while trying to play a video game,” says Konstantine Zuckerman, CEO of CYBRI, a cybersecurity company in New York City. “They could compromise the whole company.” He warns against “over-permissioning” when employees are given more-than-necessary access.

Employees should also be directed not to use private email addresses or transfer/storage tools for documents, says Kacper Brzozowski, technical founder at career advisory company Zety in Warsaw, Poland. Their security measures can’t be monitored by IT teams.

Require strong passwords.
A recent study by security applications and services company SplashData found that the top two passwords among employees are still “123456” and “password.” Strong passwords should be required by a company’s systems and accounts, says Guccione, and employees shouldn’t be reusing them. “The overwhelming majority of successful cyberattacks are the result of stolen or compromised passwords,” he adds. “Deploy a robust password manager that will help employees remember their passwords while keeping them secure.”

Companies should also implement multi-factor authentication (MFA), which requires additional identity validation of the user. Once the employee enters their username and password, they’ll be asked to input a code from their smartphone, answer a security question, or even scan their fingerprint or face, says Zander.

“It makes it hard for outsiders to access your data,” says Haskins. “Ideally, the second factor is hardware- or app-based, since a hacker shouldn’t have any access to it.”

Minimize entrance points.
Continue to remind employees to install updates, especially important security ones, as soon as they become available. “Make sure they allow the updates to complete,” says Mohrbacher. “Encourage them to verify legitimacy with IT if an update requests the user’s approval or requires a reboot.”

Workers should not install any new apps or software that hasn’t been approved by IT. “They may not be as thoroughly tested and protected as the tools workers normally use,” says Zander. “They could pose a great risk for the corporate network.”

And no matter where they’re working, even in their home offices, employees should get into the habit of locking their devices when they’re unattended. “Setting ‘go to sleep’ times is a great idea,” says Charlie Tupitza, cyber and data breach lead at America’s Small Business Development Centers. “Many business conversations are confidential, even from family members. Find a way to protect them.”

If employees are connected to the company’s VPN, they should disconnect and then lock down the device before walking away. “Leaving connections open can allow for breaches into the corporate network,” says Zander. “There are also a lot more people connecting via these services right now, so disconnecting will give your infrastructure team a little more room to breathe.”

Since most people aren’t able to take their laptops to coffee houses at the moment, security issues with public Wi-Fi are less of a concern. But remote workers should still secure their home routers, which also need a strong password and updates. “Have employees change the default administrator password on the router and any other network equipment they’re using,” says Zander. “They should be using WPA2 security or higher.”

Monitor virtual meetings.
Now with so many people using virtual conference software, hackers are disrupting meetings and using them to access networks. Make sure employees are using company-approved tools, and remind them to be cautious when using others. “Familiarize yourself with the privacy and security settings of the video conference software before using it,” says McGrew. “You should also visually inspect the list of attendees before and after the meeting, which helps ensure no rogue people have joined it.”

Remind everyone not to share meeting phone numbers, IDs or URLs over social media. “It can allow people to drop in and listen to sensitive conversations and record your voice or video,” says Zander. “Some meeting tools allow you to limit meetings to only people in your organization or require an additional password to join, but not all do.”

In general, employees should be extremely cautious about the potential of overexposure on social and avoid advertising when virtual meetings are happening and with whom; hackers are monitoring. “Scammers notice changes in patterns,” says Mohrbacher, “and they’re very skilled at taking advantage of behaviors and data during times of significant change.”

Send reminders on protocols.
Keep in touch with employees about reminders on safe cyber practices. If you don’t have them already, put together training modules with lessons, simulations and quizzes so employees are informed. “Security software and processes are important,” says DeVos. “But even more crucial is a well-educated team that knows how to stay safe online and flag any threats they come across.”

To that end, have a clear reporting procedure in place. “They need to report suspected or actual incidents promptly so your security team can investigate, identify and address them,” says Guccione. “All employees need to know who to contact and how, and should be aware of emergency procedures to perform on their end, such as disconnecting devices. Meanwhile, the security team needs to know exactly what to do once an incident is reported.”