WFH Cybersecurity Guide for Employers and Employees
As more and more employees work from home — rather than company headquarters — cybersecurity risks increase. Each time an employee logs on, their decisions could allow a hacker to gain access.
Enhancing cybersecurity when working from home is a team effort. Both employees and employers must collaborate and problem-solve.
Why focus on cybersecurity when working from home?
When employees log on from home, employers have plenty to be concerned about. Are staffers doing laundry rather than answering calls? Will collaboration opportunities decrease when staff members are miles apart? But productivity aside, there's good reason to put cybersecurity at the top of the worry list.
In 2020, more than 70 percent of American workers did their jobs from home, and more than half said they wanted to keep doing so when the pandemic ended. In that same year, hacking attempts against corporations more than doubled. Criminals knew that security would be lax for at-home workers, and they took advantage.
If more staff wants to work from home, and more criminals want to exploit that opportunity, it's time to pull together a comprehensive plan to mitigate risks.
5 working-from-home security tips for employees
Whether your home office is a temporary or permanent workspace, keep security in mind.
Start with these five cybersecurity tips:
- Use a VPN. Almost every enterprise organization has a virtual private network (or VPN). These setups allow access to your organization's servers, so it looks and feels just like you're on site. But while you work, you're wrapped in the company's security policies.< Your communication is encrypted, so hackers can't listen in on what you're doing. And your device is little more than a portal, so you're not putting your company at risk through your personal decisions.
- Ask for a company-owned device. It's easy enough to volunteer your home computer for company work. But using a device your company owns comes with plenty of benefits. You won't have to invest in antivirus software, and you won't be responsible for keeping your software up-to-date. The company will do all of that for you.
- Update your router. More than half of all people don't change the password that comes with their router from the factory. If you haven't updated your device, it's very easy for hackers to get a list from the manufacturer and start listening in on your work.
- Lock your device. Heading to the kitchen for a snack? Stepping out to walk the dog? Lock your device before you go. This simple step can keep a physical intruder from stealing your data while you're away.<
- Report problems early. If you spot something unusual happening on your device, on the server, or both, speak up. Sometimes, employees notice things long before the IT department ever will. Stay in touch with your colleagues and notify them as soon as something seems amiss.
5 home cybersecurity tips for employers
Just because your company has endorsed remote work doesn't mean you can wash your hands of security policies. You may not be able to stand over the shoulders of your workers, but there are plenty of steps you can take to protect your assets.
Start with these five tips:
- Require two-factor authentication. Protect vital assets by requiring a second step before users can see them. Use something simple, like a code sent to an authenticated device. Or try a more sophisticated method, such as asking users for a physical key you only deliver to a few select employees.
- Update company devices regularly. Schedule meetings with your employees, log into their machines, and update their software. Ensure they're running current versions of your antivirus solutions, and run reports on suspect devices to look for hackers.
- Hold regular training sessions. Use Zoom to speak to all employees at once. Outline what you're doing to keep the company safe, and explain why their decisions can have catastrophic consequences for your security.
- Tap into access control. Don't give everyone in the company access to sensitive files. Set up roles, and only give access to those who meet the requirements you've outlined. Finding the right roles and assets can be time-consuming and contentious. But you'll only go through this process once, and when you're done, you'll have airtight rules you can enforce immediately.
- Monitor carefully. Watch your server reports, and take action as soon as something goes wrong. Be available to hear concerns from your remote workers, as they may see things you miss.
5 physical home office security tips
When we talk about work-from-home cybersecurity, we often focus on connection. How does your device link to the corporate server, and is that connection secure? It's worthwhile to examine the physical space in which the work happens.
Try these five physical security tips:
- Work from home (not a coffee shop). Researchers say that we're more creative in a crowded space filled with colleagues than we are at home. But coffee shops can be hotspots for theft. If you're logged on for work, make sure you're in a room you can control. Preferably, you'll be alone.
- Lock your door. Don't let a thief walk right into your office and walk out with your company computer. Keep the door locked.
- Secure your devices. Lock your sensitive and portable devices (like laptops) inside a desk or safe when you're not working. If you're subject to a home invasion, your device will be harder to find and steal.
- Charge from home. Don't use a charging station at a place like an airport. Wait until you're in a safe and controlled environment to plug in your laptop or company-owned device.
- Don't share. A nearby colleague may ask to borrow your device for the afternoon. Don't allow this unless you run the request past your IT department.
3 ways to ensure compliance
We've provided a lot of steps here, and most of them are written like suggestions. If you're in charge of security, you may like them to sound like commands. How can you make it happen?
Try these working security tips:
- Make training sessions mandatory. Schedule meetings weeks in advance, so your employees can clear their calendars. Keep a record of attendance, and circle back with those who missed the training. Ensure that management is aware that these meetings aren't optional.
- Use the employee handbook. Outline exactly what work-from-home cybersecurity policies you've created, and ensure that all employees read and sign the document. Be as clear and explicit as possible, and answer questions promptly.
- Use disciplinary action. Employees who don’t follow your rules should face some sort of consequence. If your company uses a “write up” policy for performance issues, expand it to include violations of IT policies.
Collaborate With Okta
At Okta, we work with thousands of companies that have remote employees. We can help you set up tight boundaries around your assets, and we can help you spot problems early. Contact us to find out more about how we can help.
How the Coronavirus Outbreak Has and Hasn't Changed the Way Americans Work. (December 2020). Pew Research Center.
Hacking Against Corporations Surges as Workers Take Computers Home. (April 2020). Reuters.
Why Have VPNs Become So Important to Corporations? (January 2020). Forbes.
Most People Never Change Their Router's Password. (2017). BetaNews.
Why You're More Creative in Coffee Shops. (January 2021). BBC.