Cyber Scoundrels Emerging: Defending Your Home Office

By guest contributor Bill Blunden. Bill Blunden has been an IT consultant for over 30 years. He currently teaches Cybercrimes and Investigating Cyber Terrorism at Mississippi College.

Note: This article is provided for informational purposes only. It is not intended to be a substitute for consultation with counsel. Nothing herein should be relied upon as legal advice.

You don’t have to look back very far to see how one event changed the way we live. Up until the morning of September 11, 2001, traveling on domestic airlines was almost as easy as riding a subway to work. At that time, airport customer service agents would ask a few questions such as, “Has anybody else been in possession of your luggage?” There were no long security lines, body scanners, or EOD dogs roaming the hallways. Airline security will never be as lax as it was before that fateful day.

I think it is safe to say that COVID-19 is ushering in a new type of workday. Our new commute consists of traveling from our breakfast table to our work table. In some cases, this may only be a matter of clearing the breakfast plate and opening a laptop. Working from home (“WFH”) is the way small, medium, and large businesses are continuing to keep moving forward. Whether or not this crisis lasts 30 days, six months, or longer, the world will never be the same.

It isn’t surprising that some industries will flounder and some industries will flourish within the new norms. There will be an economic course correction. Public venues, such as theatre districts and shopping malls (the ones that survived the online shopping boom), will certainly have difficulty surviving. But companies that offer online employment, teleconferencing, and home network solutions will probably see their stock prices rise.

Unfortunately, criminals will also see the new flow of money being invested into the surge of WFH. Criminal enterprises and cyber scoundrels will try to take advantage of these rapid changes. Are system administrators and security experts ready? And is your data still safe?

The short answer: it depends. If your company already supports remote users and has security policies in place for those users, then adjusting will probably be a case of increasing the company’s Internet bandwidth and updating its access control policies. No, this isn’t as easy as it sounds, and your IT department will be working extra hours to accommodate the increase in remote users, hardware, and the technical support that will be required for the employees. There may be telecommunication issues that need to be resolved, including corporate smart phones and VOIP phones that need to be configured and distributed.

What about the companies that don’t have a current remote user program? This is where the exposure to your corporate and personal data exists. Your IT department is probably very proficient at keeping the bad guys from getting past your firewalls and keeping your machines updated with current patches. But they may not be experienced with corporate VPNs and cloud computing. But I feel confident that they will get up to speed in short order. Just make sure you have a good supply of Hot Pockets and Red Bull. But experts will tell you: your network is only as secure as the weakest link. And the weak link is YOU, and the bad guys know it!

Now that your home is your office, you have just been promoted to a member of the IT department for that branch. Unless an IT person lives with you, you are responsible for the cyber security of your branch office as it connects to the corporate offices. Although your home network may only consist of three nodes (cable modem, Wi-Fi, and computer), it still has access to your company files, in one form or another. So, what should you do?

TIP #1: If you have the means, purchase a new computer that you use only for WFH and only install the programs you need to do your job. Avoid storing personal files on this computer. You may have to physically send your new computer to your IT department. Do not install any program that you don’t currently have on the computer at your corporate office. I know this sounds extreme, but there is a reason why the IT department won’t allow you to download “freeware” on your computer. Don’t download and install toolbars, weather applications, screen savers, or games. They may not be malware, but they will still eat computer and network resources. Remember, nothing is free.

TIP #2: If you are going to use your existing computer to WFH, make sure it has the latest software patches and the latest antivirus definitions installed. If you don’t know how to do this, check with your company’s IT department. Do not just “wing it.”

TIP #3: Change the password on your cable modem (if your ISP allows) and on your Wi-Fi router. Most people don’t change these passwords, and the defaults are published in hacking scripts around the world. This means that a bad guy could access your WFH network from anywhere without much effort. Make sure your passwords aren’t basic; don’t use “password” or “nunY0urBus!ness” or something just as simple. Cute passwords, cuss words, and your cat’s name (which is probably on your Facebook account) are not good passwords. Try something random like “Cgg-8o#pEf.” Make the bad guys work harder.

TIP #4: Practice safe computing. You should navigate the Internet the way you drive a car. Be mindful of where you are, and if you wouldn’t drive there during business hours, don’t go there on your WFH computer. There are websites designed to be “watering holes” where you could infect your computer just by visiting the site. Hard times fall on everybody at some time. The bad guys know this and exploit your needs by leading you to false opportunities and get-rich-quick schemes.

TIP #5: Treat every email like it is a phishing scam, until it isn’t. NEVER click on a link. I understand how difficult this may be, especially now. I can promise you, there is not a respectable financial institution in the world that is going to send you an email with a link for you to click on to check your account. If they are legitimately sending you hyperlinks, shame on them. If somebody (or a company) sends you an email with a link or an attachment, and you REALLY need to “double-click,” first call the sender and ask whether they sent you the email. Train the people you work with to find solutions rather than sending a link. If it is a business, look up the phone number and call the published number. DO NOT use the phone number that appeared in the email.

TIP #6: Back up your computer and your files. Take advantage of legitimate cloud backup storage sites, such as Microsoft OneDrive, Dropbox, Box, and others. Hopefully, you won’t need to use the backup, but you should plan for the worst.

TIP #7: As the newest member of the company IT department, communicate with your corporate IT department and monitor their published security tips. Your company may begin to offer WFH checkups to make sure you’re protecting their data. They may even help finance your WFH security upgrades. Remember, the company has a stake in your WFH security.

Welcome to the world of WFH. There are going to be a lot of benefits to the new ways companies conduct their business. But there are going to be many new security holes for cyber scoundrels to exploit and new attack vectors to get at your company’s data and yours. IT professionals will do their best to stop the bad guys, but now you are a member of that IT department. So, get to work.