How to work from home securely, the NSA way
People working remotely is no longer unusual, so the National Security Agency (NSA) has produced a short Best Practices PDF document detailing how remote workers can keep themselves safe from harm. In fact, the guide can also be applied to people using computers at home generally and is written in a way that's easy to understand.
Back to basics
The NSA's three main executive summary points are:
- Upgrade and update all equipment and software regularly, including routing devices
- Back up your data and disconnect any devices you can
- Limit administration to the internal network only
You may be surprised by how seemingly basic these suggestions are given the source, but this simplicity is in its favour. Consider how many folks will only decide to start making backups once they've lost everything for the first time. You have to start somewhere, and not every organisation asking employees to work from home has necessarily considered these opening talking points due to budget, resources, or other factors. They may not even have a budget for work-owned devices, and may instead be relying on employees using their own devices.
Even thinking about who has access to what on a home network is beneficial—there's nothing wrong with limiting access to guests on the home network, for example. Some routers and packages allow you to isolate guests on their own little network, away from the main one. This can help reduce the spread and impact of an infection, and keep all of those valuable work and / or home documents safe.
Much of the NSA's advice leans heavily into ensuring all the little things are taken care of:
- Keep your software up to date. From Windows to your web browser, everything needs to be updated regularly.
- Keep your router updated. This may sound odd if your router is supplied by your ISP, as many of those update automatically. But if you run an off-the-shelf router you may be fully responsible for its overall well-being. This isn't mentioned, but you should consider changing the default password when you first boot up the router. Without some hunting around on the Internet, you may never know if what's shipped is a default applied to multiple routers, or if it's unique to you.
- Use a password manager and two-factor authentication (2FA). The guide highlights that while some form of 2FA is better than nothing, some types of 2FA are better than others.
- Separate work and life activities. It's a lot easier to figure out where a breach happened if you don't have sensitive work documents scattered across 3 personal devices.
- Connect to your office with a Virtual Private Network (VPN). Using a work-supplied VPN makes your computer part of the work network, keeping data safe as it travels over the Internet.
Getting physical about security
There's a strong focus on physical device security of one kind or another too, which is often overlooked. Some highlights include:
- Cover your webcam.
- Mute microphones.
- Limit sensitive conversations.
The latter is particularly interesting given the slow rise of IoT in the home alongside an increasing amount of voice activated and "always listening" hubs. As the guide notes, all of the below could potentially cause trouble if set to record:
- Baby monitors
- Children's toys
- Smart devices
- Home assistants
- Games consoles
- PCs with microphones attached
This is especially the case where a poorly secured device is recording audio and storing it (for example) on a wide-open server where anyone can grab the contents. If you have children at home, consider how many of the toys in the next room may have recording / Internet connectivity and make yourself a to-do list.
If you're going to make backups, I would add to the NSA's advice to place files on an external device by suggesting that you also encrypt your data. While it's unlikely that someone will break into your home and steal a hard drive, better safe than sorry. You're probably more at risk of taking it somewhere and accidentally losing it, so the encryption will help in any case. Finally, keeping those external devices disconnected when not in use will help lessen the device's exposure to bad things. If you experience an infection on your PC, you don't want it affecting your backups.
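One way to carry out the encrypt-before-you-store step described above, as an added example that is not taken from the NSA guide or the original article. It assumes a POSIX shell with tar and OpenSSL 1.1.1 or later; the function names and paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the NSA guide): encrypt a folder before it is
# written to an external drive, then prove the copy restores.
# Assumes tar and OpenSSL 1.1.1+; function names and paths are hypothetical.
# Note: "openssl enc" in CBC mode gives confidentiality only. The SHA-256
# file catches accidental corruption of the copy, not deliberate tampering.

KDF_OPTS="-aes-256-cbc -pbkdf2 -iter 200000"

# encrypt_backup SRC_DIR OUT_FILE PASSFILE
# Streams the archive straight into OpenSSL, so no plaintext archive ever
# lands on the external device. PASSFILE holds the passphrase on line one.
encrypt_backup() {
    src=$1 out=$2 passfile=$3
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    tar -C "$src" -cf - . |
        openssl enc $KDF_OPTS -salt -pass "file:$passfile" -out "$out" ||
        return 1
    # Record a checksum of the ciphertext next to it on the drive.
    openssl dgst -sha256 -r "$out" | cut -d' ' -f1 > "$out.sha256"
}

# restore_backup ENC_FILE DEST_DIR PASSFILE
# Verifies the checksum, decrypts to a temporary file on the local machine,
# and unpacks only if OpenSSL reports success.
restore_backup() {
    enc=$1 dest=$2 passfile=$3
    want=$(cat "$enc.sha256") || return 1
    have=$(openssl dgst -sha256 -r "$enc" | cut -d' ' -f1)
    [ "$want" = "$have" ] || { echo "checksum mismatch: $enc" >&2; return 1; }
    tmp=$(mktemp) || return 1
    status=1
    if openssl enc -d $KDF_OPTS -pass "file:$passfile" \
            -in "$enc" -out "$tmp" 2>/dev/null &&
        mkdir -p "$dest" && tar -C "$dest" -xf "$tmp"; then
        status=0
    fi
    rm -f "$tmp"
    return $status
}
```

Keep the passphrase file off the external drive itself, for example in your password manager, and run a test restore before relying on the backup.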
Unsocial networks
There's quite a bit of advice in relation to social networks and social engineering. It's easy to let your guard down when at home, and security advice from work may be a little harder to come by when not in the office.
- Don't post personal information online that can be used to reset your passwords, such as your first pet's name or the street you grew up on.
- Lock your contact list down to friends only, if you can.
- Watch out for copycat and imitation profiles.
The best practices document also correctly notes that it's worth checking both the Terms of Service and app or website settings regularly. Changes in policy can leave you exposed.
Overall, the NSA has produced a useful step-by-step guide covering a lot of bases, including public hotspots, email, and even user habits. Give the document a read and feel free to add in some tips you think the NSA may have missed in the comments section.