Security Issues Involved with Working at Home
April 8 2020 | Committees
I was asked last week to discuss the security issues involved with working at home in this new era of social distancing. To help answer the question, I called Craig Beyer of Optiable ( https://optiable.com ) in Baton Rouge. Craig is an expert on back-office systems and he and I have spoken on the subject of office security many times over the past several years.
I started by asking Craig several background questions and then moved on to specific security issues. I’ll list the background questions first, then proceed to a basic list of the security issues without any questions.
Q. It seems to me that we can divide homeworkers into two groups: those who came from large firms and those who are solo or small firm practitioners. Does the first group present any special problems, especially with regard to access?
A. No. Large firms tend to have multiple locations or offices, which means they have addressed this issue and centralized their data into one location, which allows easy access from outside users.
Q. Regardless of access issues at the firm, does actual setup at home present any specific problems? That is, with so many home workers entering into the system all at once, is it possible that this would overload the office system?
A. No. Not unless there are hundreds of users attempting to access at once. At that point, I would expect the IT department of the firm to have made accommodations. They may have a centralized server as mentioned above or they may even have had an old server sitting around which they converted into a dedicated source for handling incoming access and maintaining control of their remote users.
Q. What about the home computers? Is there a possibility that their system can be too slow or access in their neighborhood slows down because of all the stay-at-home workers?
A. If everyone in the neighborhood is using the same provider (ISP or cable company), this could occur. This might especially be true if the systems had been leveled to expect traffic at certain times of the day but the traffic now suddenly becomes very heavy during those times. In that scenario, it is possible that slowdowns or “logjams” on the system might occur.
Q. With regard to small firms or solo practitioners: in many cases, these people already work from home either exclusively or for a great part of their time. In that case, they're probably prepared to shift to a full-time home office situation. If they are accessing a small office, it could be they are using some remote terminal situation like GoToMyPC, which may raise some security issues that we will discuss further on in this article.
What are the major issues you think our readers should be concerned with when starting to work at home?
- Work on the web. If you're not already on the web, transition from your on-premises software to web-based software. Why?
  - Security will be handled at the application level and relieve you of that concern.
  - It costs less to work in a web-based environment once you factor in items like a software license, IT costs, server cost and perhaps even the cost of a second location backup for your data.
  - Most of your data and/or applications can be hosted on the web, including email, documents, spreadsheets and data in other applications.
  - The ability to work with others collaboratively.
- Use a laptop.
  - It gives you better agility, that is, the ability to go back and forth between home and office when that eventuality arises.
  - BYOD may already be in play, say with regard to a cell phone, giving you the basis for a policy regarding working at home.
  - Devise these policies, especially regarding how data residing on home computers will be handled, and be sure each employee reads and signs them.
  - Staff members may not have a laptop and may in fact be using a home PC which is not powerful enough for some office functionality. Help the worker buy a laptop or have the firm buy one and loan it to him.
- Security considerations
  - Is your cloud-based application syncing locally? If so, that means company data is now going to a home-based, locally owned computer, and questions may arise with regard to both security and confidentiality depending upon who else has access to that computer at the home.
  - With a terminal server or Citrix access solution, data will still stay on the firm equipment, although there may be a lag as great as a factor of 10 with regard to typing and data entry.
- Passwords are not as much an issue locally if data is being stored on a web server.
  - You should, however, remember to add or change the password on your router on your network system at home. The point here is to prevent outside users from gaining access to your home network and then scrolling onto your computers to look at data.
  - Don't forget a password for your Wi-Fi system if you are using one at home.
  - Use a password manager.
- Encryption of the hard drive is the next level of security.
  - The software typically comes on your computer, either Windows or Mac.
  - Windows users, however, will have to be sure that they have the Pro version and not Home versions in order to get the encryption feature.
  - It only needs to be done once.
- Two-factor authentication.
  - If you are switching between or among multiple devices at home (tablets, cell phones, other PCs), you should use two-factor authentication.
  - It will send a password or code to your cell phone which you will then use to enter the program you are attempting to open.
  - I recommend using an application to do this and there are specific two-factor authentication applications available.
  - Anyone who banks from home or has used Facebook on multiple devices will be familiar with this process. It is extremely easy to set up.
- The VPN allows the setting up of a secure virtual “wall” on your system.
  - This involves the protection of packets in the data transmission, which many web-based applications now do internally.
  - It may be more important to have a VPN for use when you are in a public setting such as a coffee shop or airport terminal, both considerations we don't need to worry about in our present situation.
- This includes not just standard viruses but newer problems such as ransomware and phishing.
  - The best way to ensure security here is not to use passwords but rather to have a standard user for when you are working on your system. That is, do not work as a user with Administrative rights on an ongoing basis. Doing so would allow a virus or other malicious program to be installed, potentially without your knowledge. Rather, you should create a secondary user who has non-administrative rights so that if a program attempts to install some sort of a virus or malware, the computer will not have the right to do so.
  - Don't click on links or file names unless you know the source AND have verified that it sent the message.
  - A new type of scam that has come up is a fake email that appears to come from your company and has a voicemail attached to it. The email says there's an urgent message in the VM. Don't run the voicemail; it will start some sort of a virus or malware.
- Update software: be sure to keep all your patches up to date in order to have the most current security in place.
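
Three items from the list above (Windows Pro versus Home, hard-drive encryption, and working as a standard user) can be checked on a Windows computer with a short read-only script. This is an added example, not part of the original article; it assumes Windows PowerShell 5.1 or later run from an elevated session, and it does not cover Mac.

```powershell
# Added example (not from the article): read-only check of a Windows home PC
# against three checklist items. Assumes an elevated PowerShell 5.1+ session,
# because Get-BitLockerVolume requires administrator rights.

# 1. Edition: the article notes that Home editions lack the encryption feature.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$isHome = $os.Caption -match '\bHome\b'

# 2. Encryption state of the system drive (normally C:).
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $encrypted = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                 ($vol.ProtectionStatus -eq 'On')
    $diskDetail = "$($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
} catch {
    # Cmdlet missing or not elevated: report as unverified, not as encrypted.
    $encrypted = $false
    $diskDetail = "not verified: $($_.Exception.Message)"
}

# 3. Local accounts in the built-in Administrators group (well-known SID
#    S-1-5-32-544). The account used for daily work should not be listed.
try {
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
        Where-Object { $_.ObjectClass -eq 'User' } |
        ForEach-Object { $_.Name })
} catch {
    $admins = @("not verified: $($_.Exception.Message)")
}

[pscustomobject]@{
    Edition            = $os.Caption
    HomeEdition        = $isHome
    SystemDrive        = $env:SystemDrive
    DriveEncrypted     = $encrypted
    DriveDetail        = $diskDetail
    AdministratorUsers = $admins -join '; '
} | Format-List
```

If the account you log in with every day appears under AdministratorUsers, that is the situation the standard-user advice above is meant to correct.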
“Since you are working at home, this may be a very good time to use your downtime to ensure that your computers are all as secure as possible.”
My final piece of advice comes in an email bulletin I received from the NIST (National Institute of Standards and Technology) which contained a warning about not just phishing scams but old-fashioned social engineering scams. These are ruses where an individual either emails or calls you and attempts to talk you into giving them confidential information such as a bank account, Social Security number or other financial information. You may have seen examples of this, such as the famous Nigerian Prince scam that went around several years ago, and we can expect to see a number of these arising with the imminent arrival of assistance checks from the United States government.
Remember that with the advent of working at home, the vigilance level now rests with you. Web applications will shift the focus to online in terms of operating with data but protecting the data now, more than ever, becomes something for you to control.
Written on behalf of the E-Discovery Committee