How to prevent security breaches when working from home


April 13, 2020 - By Sonny Schürer & Martin Nielsen


When you work at “the office”, you take security and many other things for granted. When you work at home, things are different. In addition to doing the regular job, all of a sudden you’ve got a new side gig as Chief Security Officer, Facilities Manager, and Corporate Canteen Chef, too.

Now that millions of people around the world are learning to keep their jobs while keeping their social distance, the importance of preventing security breaches when working from home has never been greater. In this blog, we provide nine proven ways to improve your digital safety and protect your privacy.

1. Understand that conferencing/remote work platforms aren’t secure by default 

As we shift towards more remote work, many of us have started relying on platforms such as Zoom, WebEx, GoToMeeting, Skype, Teams, and Slack. In some cases, these platforms were already part of our workflow. In other cases, they’re brand new additions. 

It’s easy to assume that because your company or clients recommended (or enforced) the use of a specific platform, it’s safe. In the case of Zoom, we have already seen numerous privacy and safety issues pop up. For example, Zoom can track your ‘attention’ by alerting call hosts when participants do not have the Zoom app (whether on desktop or mobile) focused for more than 30 seconds. Zoom also harvests a noticeable amount of data, including your IP address, physical address, real name, phone number, employer, and more. While the company states it does not sell data to third parties, it does have a lot of data and sells some of it to third parties. Finally, newly released vulnerabilities make it possible for unwanted users to bypass security measures and access other users’ webcams. See also a thoughtful blog on Zoom by Dave Tyson.

This isn’t meant to target Zoom in particular. Just as many risks, if not more, could be listed when it comes to other platforms. We simply want to encourage managers, employees, and clients to be aware of the issues involved, and make sure they are mindful of privacy issues related to different platforms. Every company (and freelancer) should have processes in place to minimize data gathering, implement secure and unique passwords for all meetings, and make sure employees—at the very least—keep their apps up to date.

2. Don’t trust microphones and webcams 

For years, we’ve known that malicious agents can hijack microphones and cams and spy on users who have failed to secure their devices. Here are two things you can do to mitigate these risks.  

First: keep your devices updated. Operating systems, security patches, apps, and drivers should always be up to date. Make sure Windows Update, the Windows Store, Google Play, and the Mac/iOS stores are set to auto-update. If needed, head to your webcam manufacturer’s website and grab the latest driver.

Second: physically disable your microphone and webcam when they’re not being used. If they’re peripherals, simply unplug them. If you’re using a laptop or another device with built-in mic and cam, you can use covers to block them. Assuming this is a work device, just stash it away when you’re done using it for the day. 

3. Beware the internet of things 

You may be comfortable letting your smart devices listen in on every word spoken in your place, even though they can be abused by third-party apps that do some phishing in addition to their purported function, and that’s your choice. However, you’re working from home now. Are you certain you’re not going to mention sensitive matters out loud even outside of a remote meeting? What about during a meeting? Can you guarantee no one’s listening in? Can you guarantee that, even if the data is “only” stored on a major corporation’s servers, it won’t be hacked or sold down the road? What does that data say about you and others? 

Whether you’re okay with your daily life being potentially recorded and used by third parties is for you to decide. Many of us would say that’s a terrible idea. But when IoT devices present a risk for your colleagues, your company, and your clients, this is no longer a personal matter. 

Our advice? Simple. Unplug those devices – at least from the room where you’re working, at least when you’re working. For the time being, the convenience of queueing up your favorite tunes by voice is not worth the security risks. 

4. Use a VPN and avoid using your home network 

We would hope that your company provides a corporate “virtual private network”, or VPN. But in case it doesn’t, you should be using one. Your personal IP address says a lot about you—where you live, for one. In addition, unencrypted data transferred without a VPN runs the risk of being intercepted by third parties—from malicious actors to your very own ISP. Everything you do online, to the extent that it is possible, should be encrypted or at least difficult to access. A VPN is a great start.

Right now, there are a couple of providers we would recommend. They are both located in countries with solid privacy laws, do not require much (if any) personal information, offer reliable servers and, more importantly, do not keep any logs of your online activities. The first is ProtonVPN, offered by the same folks who offer the excellent ProtonMail. The second is Mullvad, which is still fairly unknown yet provides incredible security—open source software, anonymous payment methods, WireGuard—and has been audited independently.

We would also recommend using alternative solutions to connect to the internet (or talk on the phone) in the first place. We’ve talked about products such as Skyroam and other GSM-type hotspots, and we encourage their use—which brings us to our next point.  

5. Compartmentalize your life 

Not only should you avoid using your home connection for work; if you have a work laptop or phone, use these devices only for work. That way, you don’t run the risk of compromising your devices (including any sensitive files they contain) just because you decided to download a seemingly fun game from a dubious website. Similarly, your personal devices are meant to be used in your off-time—so don’t log into a corporate server using the family iPad.

Your work files, in whatever forms, should be handled securely. When it comes to data, nothing should be transferred or stored on personal storage devices, such as external hard drives or a home server. If you’re printing out documents, make sure they’re disposed of securely (shredded) once you’re done with them. 

Compartmentalization extends to talking about work, too, and to wandering around the house while on a work call. After all, you may have signed an NDA, but your family members haven’t. 

6. Images and sounds can say a lot. Don’t let them. 

When you’re on a video call, what does your webcam show? Your face, sure, but what’s the wall behind you? Is there a window offering a view of the street? Photos of family members? How many unique identifiers are in the frame? What if your kids decide to run past? 

The same question applies to microphones. What kind of background noise is there? Someone else at home talking? Traffic outside? 

This may seem paranoid to some of you, but anyone who’s seen the lengths people will go to in order to gather information on a target will tell you it’s common sense to neutralize background visuals and sounds. Ideally, your webcam and mic should reveal the bare minimum needed to communicate with others. Use the background blur available on some video-conferencing tools. Make sure there’s a neutral background behind you, and if you can find a room where there’s little-to-no external noise, even better for the people you’re talking to and for your own security.

7. Don’t get robbed, and encrypt in case it happens anyway 

Where you leave your tech devices, as well as how you access them, is always a concern—even at home. Your laptop and desktop computers should be impossible to access whenever you step away, even if you’re just going for a 15-minute walk. You want everything to be locked with passwords or biometrically.

Should someone get their hands on your devices, you want to make sure everything is encrypted. Windows users should encrypt their drives with BitLocker. macOS users, look at FileVault. For more advanced techies out there, VeraCrypt is an excellent third-party option.

Ideally, once the work is over, you want to lock everything behind a safe or equally secure place. The “layers” of residential security with several perimeters most of us know about? Yeah, same logic applies here.  

You want to make it hard for anyone to get within range of your devices. And if they do, you want to make it near-impossible to access what’s on there. 

8. Be smart about phishing (but you already were, weren’t you?)

We’ve seen a lot of phishing attempts lately. Phishing, as we all know, is already a serious threat when you’re in an office setting—except now you’re no longer protected by your company’s firewalls and IT department. Unless that’s your specialty, you simply won’t get the same kind of digital security at home.

It’s not a matter of a link or email attachment looking dubious—everything you click on should be approached with care. So, follow the steps outlined by your company, but use common sense and vigilance on top of that. 

When it comes to your personal devices, you’ll also need to step up your game. Just because you’ve compartmentalized work and home life doesn’t mean personal devices stopped being a vector of attack. Any kind of cloud storage for your personal data should be end-to-end encrypted. Dropbox is not good enough and hasn’t been for years. Look at options like pCloud, Tresorit, or Sync.com. Your personal communications should be end-to-end encrypted as well—preferably via Signal or Telegram. WhatsApp, it should be remembered, still has worrisome security flaws. Daily anti-malware scans are a must, and if you’re tech-savvy enough to install a software firewall that alerts you to any outgoing connection, then do so.

We wrote a blog post offering cybersecurity tips a while back, and many of the tips still apply. Since it was written in 2015, you should follow the mindset, but update the solutions—some software may be outdated. An excellent (and often-updated) resource if you’re in doubt about which secure programs or services to use is Privacytools.io. Do check it out.  

9. Don’t apologize if pets interrupt a meeting 

OK, they’re technically personal identifiers, but we’ll make a slight exception because they’re also funny.

It’s OK if work meetings are occasionally interrupted because an attendee’s fluffball, hound dog, or feral ferret decided it was time to get some attention. Given what’s going on out there, the comic relief is welcome and brings a bit of levity that we all need.

What do you think? Did we miss anything? Please comment on social media and let us know. We’ll probably be working at home…

Photo by Kyle Hanson on Unsplash

Sonny Schürer

Senior Vice President

Sonny has helped manage AS Solution since its founding in 2003. A leading member of The Danish Trade Organization for Safety and Security and an active member of ASIS, Sonny has extensive experience in executive protection, event security, investigations and maritime security.

As a member of AS Solution’s management team, Sonny heads the company’s European operations from its Copenhagen-based European headquarters. Sonny has also overseen the development and growth of AS Solution’s anti-piracy services, Scandinavia’s largest maritime security service with operations worldwide.

Martin Nielsen


Executive Protection Operations & Executive Projects Director

With over 18 years of worldwide experience in executive protection, physical security, and security operations management, Martin has participated in, led, planned, managed and executed security details in more than 65 countries. He has held positions from team member to detail leader, SAIC, operations manager and assistant director. Martin’s experience with security for ultra-high net worth individuals and corporations also includes program design, recruiting and training agents, technology sourcing, system and GSOC design, SOP and TTP development, and creating training programs for EP agents and other security professionals.

Martin believes in being on the forefront of technology, and keeps up on the latest developments within everything from access control to drone and counter-drone technology.

Passionate about developing both hard and soft skills for himself and others, Martin has consistently sought the best training ever since he started in the industry. He is a graduate of more than 35 courses.

Martin’s current role at AS Solution supports senior management in a variety of ways, including protection program data analysis, handling client information requests, organizing and coordinating outreach and external relations efforts, improving EP training programs, and overseeing special projects from conception to completion.