This is the first of two posts from the Citrix Office of the CTO on helping your employees to increase situational awareness and reduce risks when working away from the corporate office. Read the second post here.
If you’re an IT admin for any of the millions of employees recently sent home to work because of the COVID-19 pandemic, here are some useful tips you can provide to your teams to help increase their security IQ so they’re situationally aware and contextually risk appropriate. That’s a fancy way of saying, “Make sure they know what’s going on around them at all times, and they’re doing enough of the right things to protect the security and privacy of themselves, the organization, and your customers.”
Tip 1: Assess Your Work Space
Never worked from home before? Take a step back and look at your physical space from all angles and perspectives. Can it adequately provide for the security and privacy of sensitive data?
- Consider what could be looking at you or listening to you — and disable it.
- Just like in the office, lock your screen when you walk away.
- Don’t send pictures of your home office on social media.
- Avoid leaving sensitive documents lying around. Use a shredder.
- Finally, get an ergonomically comfy chair. Otherwise, you’ll avoid it — and work — with predictable, long-term outcomes.
Tip 2: Choose Video Chat and Collaboration Tools Wisely
Not surprisingly, the use of collaboration software and video chat has exploded in recent weeks. Make full use of them, but remember, these services are recording your video, voice, and chat conversations.
- Use a webcam cover, and turn off webcam and microphone access for all apps that don’t explicitly need it.
- Don’t have confidential email or other sensitive content up in the background. A quick screenshot lasts forever on Twitter.
- If you’re truly paranoid, use collaboration apps only from a separate hardened tablet, rather than installing them on the trusted system that manages sensitive data.
- Control what’s behind you or otherwise visible on the webcam.
- Assign individual meeting passwords to avoid being video conference bombed!
- Oh yeah, and wear pants. Trust me on that one!
Tip 3: Rethink What and How You Share
In addition to clicking on risky links, there are several common practices that erode security and privacy in seemingly invisible ways.
- Ever downloaded the “App of the Day”? Realize that apps have access to files, peripherals, the clipboard, and other mechanisms for eroding privacy and security.
- Don’t use consumer-grade software with sensitive company data. This goes double for personal file-sharing services. Guessing where the data has been distributed or who might have access to it isn’t a fun game for auditors and attorneys.
- Avoid the use of USB sticks because they expose sensitive data and can have malware. If you feel you have to use one of these to be productive, contact your IT admin — STAT!
- Avoid the use of social media on work systems. Aside from just wasting time and getting freaked out over the latest “news,” you’re often just one click away from malware.
- Realize that photos and videos give away more than the picture. Detailed location data, identities, and context can be captured from anything you post.
- It sounds obvious, but don’t accept help from random people online to solve your technical or business problems. You might not think people do this, but a quick check of social media, chat forums and collaboration sites will prove otherwise.
- Turn on multi-factor authentication (MFA) when accessing sensitive data. If you’re a “highly privileged” employee, use certificate-based access and mutual authentication.
Tip 4: Be Wary of Your New “Co-Workers”
While you may be tempted to let your kids use your work PC “just this one time,” think again. The same goes for sharing networks and credentials (even for entertainment services). Just don’t do it.
- If there are separate individuals and companies working in the same location, use separate networks. It’s also best to have separate personal and company networks.
- If your network seems slow, monitor bandwidth to see who’s hogging it. You can prioritize traffic so that online game usage isn’t killing the network during working hours — but don’t forget to prioritize access for the kids’ education needs as well.
- Question: When was the last time you changed your WiFi password to kick all your kids’ friends off your network? I suggest putting that into practice regularly. You’re welcome.
Tip 5: Make Privacy a Priority
We’re all familiar with corporate security policies, but who’s helping you manage your personal privacy? Corporate and personal privacy should be considered synonymous when it comes to security priorities. Apply the same precautions to your own security that your company requires for work.
- Working from home can expose your location, personal phone numbers, account information and other private attributes. Ensure that your various apps, data, and connectivity are sufficiently separated between work and home.
- Explicitly disable webcams and microphones until they’re needed.
- Turn off home automation and assistants that might be listening to sensitive communications, including your TV smart remote!
- Ask your IT department to configure your access for bi-directional privacy.
Note to IT Professionals: Working securely while working remotely is both an immediate requirement and an ongoing challenge. We’re all learning together how to optimize for the “new normal.” Some tips in this article can be directly implemented by your displaced workers, and some will require IT assistance. Let’s use them as a foundation to generate an ongoing conversation around options for evolving the work-from-home situation from surviving to thriving.