By Thomas G. Stephens Jr., CPA, CITP, CGMA
Many businesses are responding to the COVID-19 pandemic by encouraging team members to work from home. The effort will reduce the possibility of one contaminated team member contaminating many more. The intent is solid and socially responsible, but not everyone has thoughtfully considered the security ramifications of shifting their entire workforce to remote access. Many of these new remote workers could unknowingly compromise sensitive information. In this blog, I provide five security best practices you need to have in place.
Do Not Connect through Unsecured Wi-Fi
Many home Wi-Fi networks remain unsecured. As such, cybercriminals can easily intercept data transmissions over these networks, potentially compromising sensitive and privileged information. Therefore, if you work from home and use Wi-Fi, at a minimum protect the network by requiring a password to establish a connection. You should never use an unsecured Wi-Fi network, regardless of whether it is in your home, a hotel, or any other venue.
To improve security relative to your internet access while working remotely, consider these options:
- Connect to the internet using wired connections. Not only are they more secure, but they may also be faster.
- If wired connections are not practical, secure your Wi-Fi connection with a strong password. You may need to reconfigure your Wi-Fi router to add this password.
Consider a Virtual Private Network
Virtual private networks (VPNs) create a secure, encrypted “tunnel” in the otherwise unencrypted internet. Accordingly, a VPN encrypts all traffic that passes through it, even if the network itself is not encrypted. Assuming a secure network connection (as described in the previous section), a VPN adds yet another level of encryption to your data. Your IT staff may already have a VPN option in place for you. If they do not, you can take advantage of one of many good “personal” VPNs, including NordVPN, Private Internet Access, ExpressVPN, and CyberGhost VPN.
Be Aware of BYOD Risk
If you work from a computer that you provide personally, as opposed to a company-provided device, are you sure that your device is adequately secured? This is known as a Bring Your Own Device (BYOD) risk, and it can be significant. Your information technology (IT) staff has likely implemented necessary security measures on the devices they maintain. Examples include ensuring that anti-malware software updates automatically, that users do not log in with administrative rights on the computer, and that unauthorized software cannot run on the computer. In the traditional home computer environment, however, these and other necessary security measures often are not in place. Further, because several family members likely use the home computer, you run the risk of compromising data due to someone else's actions or activities on the device.
In short, when working from home, try to use devices managed by your IT team. Doing so places the security issues associated with the computer in the hands of professionals who have adequate training for the task. If you must use a personal device to work remotely, at a minimum ensure that your operating system and all your applications have the most recent updates available. Also, verify that anti-malware software is installed on the computer and is updated at least daily. These measures help to reduce BYOD risk when working from home.
Do Not Leave Data Behind
Following on the previous point, be careful about where you store data. In remote work situations, it is common for team members to save files on the local hard drive, as opposed to the corporate server or a cloud-based resource. Then, when the working environment transitions back to a more routine one and you return to the office to work, you may realize that all the files you have been working on are still on your home computer.
To address this, consider storing all your data on an external hard disk and then taking that hard disk with you to the office when normal operations resume. Better yet, if your organization provides access to cloud-based storage such as OneDrive for Business, store the files there. That way, you can collaborate with team members in real time using Microsoft Office applications.
Is Your Office Computer On?
Some tools allow you to access your office computer remotely. This approach gives you access to all the files on the device and network and to all the applications installed on the computer. There is a downside to this approach: you must leave the computer turned on so you can access it remotely. Of course, while the computer is on and you are not physically present in the office, unauthorized users might choose to run applications and access data from that device. Consider asking your IT staff to enable Wake-on-LAN (WoL) on your computer. Without going into a technical discussion, WoL essentially allows you to turn on your computer remotely. With this feature enabled, you won't have to leave it running 24/7, thus reducing your security risk.
The global COVID-19 pandemic has put us all in uncharted territory. Yet business needs to continue with as little disruption as possible. One way that can happen is to work from remote locations to reduce the risk of contracting the disease or contaminating team members. For those who work remotely on a routine basis, hopefully the five items discussed above have already been addressed. For those who are suddenly working in this environment, be sure to address the issues outlined here to reduce the risk of compromising confidential and sensitive data.
Don’t make a challenging situation any worse because of a data breach.
Thomas G. Stephens Jr., CPA, CGMA, CITP, is one of the shareholders in K2 Enterprises, affiliating with the firm in 2003 and joining as a shareholder in 2007. At K2, Stephens focuses on creating and delivering content, and is responsible for many of the firm's management and marketing functions. You may reach him at email@example.com. Learn more about K2 Enterprises.