Staying Secure While Working Remote: One User’s Story
When I started my journey here at Duo I was incredibly excited. At the same time, I was a little overwhelmed.
You see, my role was going to be 90% remote – and I had never worked like that before. I was accustomed to the routine and predictability of going into an office every day and logging in to my corporate machine, which was connected to everything I needed to do my job.
Secure Remote Worker Responsibilities
During my orientation, the IT department handed me my corporate laptop and then started the rundown of all the security controls I would need to follow to integrate into the security culture. I quickly realized that this was not going to be effortless. I was suddenly responsible for things like protecting my own user account, making sure my system was patched and up to date and that it was going to meet security requirements. If I had any hope of connecting to the systems that I needed to execute my day-to-day tasks, those security requirements had to become part of my workflow.
I consider myself fairly technical; however, I will admit that things like making sure my browser was up to date, my OS had the latest version installed, that I was on a secured network connection, had firewalls and encryption in place, had antivirus updated and running, etc... well, these were just not necessarily things that were top of mind for me. And I certainly wasn’t very concerned with those things on my personal computer, which I used mostly for gaming, streaming, and social media.
Now I was expected to become a security agent. I was responsible for protecting not just my own account, but the corporate data I was working with. Luckily, the IT team made things super easy, even if I was a little resistant at first to following all the rules.
Remote Worker Tips
To adapt to this new security-focused remote work situation, I incorporated a few key security practices (and they’re not just for work, but for personal use as well).
1. Keep work stuff and personal stuff separate
This is important not just for security reasons, but for your sanity. It is incredibly tempting to log into your social platforms, check your bank account, or have your Twitch stream running in the background while you work.
Why, you may ask? Well, there is the saying “don’t mix business with pleasure.” This is not just for your productivity and mental health, but for security reasons as well. Nothing kills productivity more than accidentally introducing malware or ransomware to your work machine. Social sites have fewer controls in place than corporate applications and introduce an uncontrolled risk element.
If you have a separate laptop for work, keep that designated for work activities. If you don’t, then try using separate profiles on your computer to keep things separate.
2. Protect your accounts - MFA all the things!
When you are a remote worker, protecting your identity is paramount! This means diligence around where and when you input your username and password. It can be so tempting to click on links in your email, but make sure you recognize the sender and the site you are being taken to.
You have to look out for phishing, a method through which bad actors attempt to wreak havoc and steal your company’s information by getting users to enter credentials (usernames and passwords) into sites that look legitimate. I don’t think you want to be responsible for your company hitting the news because of a data breach, so be mindful of what you click on.
Even better – as annoying as it may seem – use multi-factor authentication (MFA). MFA protects your applications by using a second source of validation, like a phone or a token, to verify a user’s identity before granting access. Think of it as something you know (your username and password) and something you have (your phone).
Many organizations have implemented MFA, much to the chagrin of users like you and me (or so I thought). I quickly learned that MFA isn’t just another annoying security control; it actually protects my identity. So if I accidentally click on something I shouldn’t, which I will neither confirm nor deny I may have done, and my credentials get compromised, there is a security layer in place protecting my identity and I am able to work with my security team to change my password... again. Plus, it’s pretty satisfying to click deny on a login request on my MFA app when I didn’t initiate the login... so I have heard.
I now also use my MFA to protect my personal social accounts as well, and have been quite shocked by how many unauthorized attempts have happened against them - and with MFA I’ve been protected every time.
3. Keep devices up to date
I used to hate keeping on top of all the patches and updates to my web browsers and operating systems. They took forever to be installed half the time and afterwards my systems were always slowed down. Really it was a hassle that I never saw the benefit to. I was annoyed when I learned that corporate policy was to install the updates within a week of them being released for non-critical updates, and the first time I was blocked for not having a critical update in place, I may have been a little vocal.
Then, there was a critical vulnerability on a web browser that a family member had their personal information stolen through, and another instance where they ended up having to re-image their entire system because they got hit with ransomware. Meanwhile, because I had been trained to keep things up to date, not only was my work computer OK, but my personal computer was fine as well.
Guess those security guys actually do know what they are talking about. Now everything is updated, maybe not immediately, but I have a schedule on all systems that runs nightly looking for and installing updates, so I don’t have to wait when I go to log in for everything to run.
4. Use a secured network
Remember those college/university days when you revelled when there was an open wi-fi connection? It felt like hitting the jackpot. I was always so annoyed when I had to log in to connect to the internet – the internet is there, I should just be able to connect to it! This all changed when I started paying for my own internet, which was long before I got into security. I made the rookie mistake of not securing my network, and couldn’t figure out why my bandwidth sucked. Well... there was an enterprising group of college kids next door who were piggy-backing on my network. I had to quickly learn all about WPA/WPA2 encryption and locking down my network.
So when I started working remotely, I figured I already had this in the bag. Then they told me I had to connect to corporate resources using a secured company portal. Unsecured connections (endpoints) are yet another way that bad actors can piggy-back into an environment and cause damage. So not only did I need to have a secured network at home but had to use corporate tools like a VPN to create secured tunnels into the network.
The extra step seemed unnecessary, but I realized there are applications and systems that still live behind the corporate network that I couldn’t get to if I didn’t create the secure tunnel in. When you go into the office, everything is protected behind the corporate firewall – the remote connection tools keep all of that secure and controlled, and keep track of who does what. So it protects the company and me. With that logging in place I can’t be blamed for accessing something I shouldn’t.
5. Don’t be shy - ask for help
When you are in an office, it’s easier to stroll up to the help-desk and ask an off-the-record, off-the-cuff question. There is no log, no record, no ticket. Being remote, well, it becomes pretty tricky to get fly-by answers from the IT team, so it can be tempting to just try and figure things out yourself. I urge you not to do this.
When something goes wrong on your work system and you are remote, it is advantageous to ask for help and reach out. Why, you may ask? Well, if there is something wrong with your system, chances are it isn’t going to fix itself. Trying to fix it yourself can result in the issue getting worse, impacting your productivity and potentially your security. Chances are you're not the first person to have an issue and your IT team will be able to get you sorted quickly.
It’s not like with your personal systems, where you can either take it to a computer technician (which then usually means you are without your machine for a while), or if you are an enterprising do-it-yourselfer, you may just reinstall/restore your own system. Most corporate computers are locked down with controls, and it really is best to let your remote support team resolve the issue rather than trying to sort it out yourself. Asking for help means everyone stays happy and secure, and you can get your work done.
My Summary of Remote Worker Tips
Working remotely initially seemed pretty overwhelming with all the new security protocols I had to follow, but I’ve actually found it to be pretty easy, and it’s improved my security practice in my personal life as well.
Keeping work and personal separate means I have fewer distractions throughout the day and I am more productive.
Protecting my user accounts and keeping my systems up to date means I have peace of mind that my work and personal accounts and systems can’t be compromised.
Using secure connections keeps my bandwidth for what I want to use it for, and means I can access systems in the office from my home.
Asking for help means that I don’t have to try and figure out how to fix things on my own, or pay expensive technician bills.
Best of luck to anyone else who finds themselves in a situation where they need to work remotely. Just remember that while the security rules put in place to allow remote work may seem jarring at first, they are there for a reason. And you might just find that you can adopt them in your personal life.
Let’s face it, in today's digital world where everything is connected, having a little security in place to protect yourself probably isn’t a bad thing.