COVID-19 has transformed the way we work. The data of a company is a valuable asset, and working from home with your computer opens a considerable attack surface that puts its integrity at risk, as well as the complete security of the company.
43% of the attacks reported by the National Cybersecurity Institute (INCIBE) were directed at SMEs. More than half of the affected companies have suffered an attack in the last 12 months.
The average repair cost for one of these cyberattacks is estimated to be € 35,000. In most cases, it means the closing of the business.
These companies, in general, do not have sophisticated cyber protection systems. But it is human failures, and not technological security holes, that are the most common cause of cyberattacks. Therefore, prevention has to do mainly with personal safety habits.
We present here a series of recommendations to be able to telework from home safely.
1. Protect your home Wi-Fi with a password
Forget passing your Wi-Fi password to your neighbour and avoid connecting to foreign networks as much as possible. Although this allows you to do without cables and work anywhere in the house, it is much safer to connect your computer to the router using a network cable. Also, the wired connection is much faster than Wi-Fi.
[Also Read: How a switch or Network switch works]
2. Visit only seemingly safe sites.
You must pay attention that a padlock appears in the address bar and that the web address begins with https. The https protocol is not entirely secure, but it is much better than simple HTTP.
Web browser with the address of the Open University of Catalonia, in which you see the padlock and the https.
3. Use a Virtual Private Network (VPN)
A Virtual Private Network (VPN) is software that acts as a tunnel between the computer and the destination VPN server. The data travels encrypted.
Ideally, the SME would have its VPN server to which workers connect from home. If this possibility does not exist, a paid VPN (never free) that connects your computer to a VPN server, and from there to the company, would add an extra layer of security. This is especially important if you are accessing the internet from a network that you do not control (for example, from a hotel or an airport).
Another advantage of a VPN is that it hides your IP address and geographically relocates you.
A Virtual Private Network (VPN) allows the user to browse in an encrypted and secure way. Author provided
4. Update the software (especially the antivirus)
It is essential to keep the programs you use up-to-date, since the updates, many times, are for security. Failure to update software contributes to 57% of cyber attacks and data theft.
All software is susceptible to security holes. For example, in 2017, the WannaCry ransomware attack exploited a vulnerability in Windows to infect more than 200,000 computers in 150 countries. The British health system had to cancel 19,000 consultations and spend £ 92 million to repair the damage.
Although modern antiviruses identify viruses and other types of malware, some of them are not easily detected.
5. Keep an eye on emails and social networks.
It is essential to inform employees about phishing, a type of cyberattack that involves obtaining information from the victim through, for example, a link sent in an email.
Microsoft Office users are a target audience to whom .doc files are sent (people no longer tend to pick at .exe files) infected with malware.
Suspicious file scanning is advisable. In addition to antivirus (which can be disabled by malware ), you can always use VirusTotal’s online service to scan websites and files. VirusTotal is a powerful service that bundles many different antivirus programs.
Also, access to social networks with the work computer should be avoided (or prohibited), since applications such as Facebook Messenger and WhatsApp are known sources of malware.
6. Back up your data frequently
It is essential to keep backup copies of your data regularly. This makes it easier for your company to restore your system if it is infected by ransomware. The blackmail capacity of cybercriminals is inversely proportional to how often you back up your data.
7. Have one password per account
We have all been guilty at some point of using the same password for multiple accounts. This poses serious security risks. If the data of the users of a company is exposed, the passwords could be used to access the statements of the same person.
For example, this year EasyJet suffered a cyberattack that exposed the personal data (including complete credit card details) of more than 9 million passengers. Microsoft admitted the data breach of 265 million users in 2019. Last year alone, Facebook acknowledged the theft of personal data of more than 800 million users.
A key strategy to limit risk is to have different passwords for each account. Above all, a private password should never be used for a work account.
Can you check if your email or password has been publicly exposed after a cyberattack through the Have I Been Pwned service?
8. Choose strong keys
To establish a strong password, it is best to think of one that is long and easy to remember but only for you. An example is a series of initially unrelated words such as Comida_Papa_Mama_Domingo. You can check the security of a key in this online service.
9. Modify passwords from time to time
In addition to having a unique password per account, it must be changed several times a year. To help us manage all this, there are password managers such as 1Password or RoboForm, which securely and automatically store access to all your accounts from your computer (each with its password). So you only have to remember the master password of your manager.
10. Don’t use Gmail to send confidential documents.
Please note that any information you send through any free email such as Gmail will be scanned. For example, one of us remembers how he once started receiving offers for hotels and flights to Dallas on his account. I didn’t know why. The reason was that they had sent him an invitation to a conference in that city. This was attached as a PDF document in an email that I had not yet opened.
It is possible to encrypt emails with Outlook before sending them. If you do not have a secure email service, there are many others such as Tutanota, Mailfence or ProtonMail that encrypt the content of messages from sender to receiver. The recipient does not have to have the same email provider, as they are based on an asymmetric cryptography system.
If you have to share a large amount of data that does not fit in an email and you decide to share a folder on Google Drive, for example, you should first encrypt the content using an encryption program.
We can always add extra layers of security (such as two-step authentication) to avoid situations of stolen credentials. It can even become practically invisible.
The recommendations set out here, well followed, significantly increase safety and eliminate the vast majority of risks.