Written by
Jerônimo do Valle
In pre-pandemic days, most offices had a clear separation of duties. The employee was in his cubicle doing whatever analysis or content creation his job involved, and the IT department had certainly already taken care of security. Today, this simple division is completely blurred. Unfortunately, the digital transition has been accelerated by restrictions and every person who now works from home has taken on the responsibility of doing so safely.
Interestingly, the “unspoken” reality is that, for most of these professionals, the chances are good that the home computer has just received a sort of “promotion” to work computer. The problem begins there, because in this new paradigm everything has to be taken more seriously; there are always consequences.
First of all, there are some users who completely ignore antivirus protection on the grounds that they “have nothing a hacker could want”, not realizing that this is not what it is all about right now. The point is that this attitude doesn't work when the company's data is stored on the personal device, so installing an antivirus and keeping it updated is mandatory. If possible, it is vital that you check with your direct superior or even with the company's IT group, to make sure you are using the correct software.
Speaking of updates, it is equally important to check that automatic security updates are enabled, especially if your operating system is Windows. It turns out that every time Microsoft releases a patch, all the vulnerabilities fixed become public knowledge, making it easy for malware coders to take action, hoping to exploit the security hole before the update closes it.
Moving on, there is also the problem of the network connection. Many offices require long-term remote employees to connect to the company network using a corporate virtual private network or VPN. This makes the remote PC part of the corporate network and gives access to resources that are available only there. In most cases, using a VPN effectively takes that remote PC off its own local network, which means local resources like network printers won't be available, but that's a small price to pay.
It is also worth noting that when the corporate VPN is used, all Internet traffic passes through the employer's servers. Therefore, it would be wise to refrain from browsing “irrelevant content” when on the company VPN.
As an addendum, if the work is very sensitive, one might consider splitting the home network, keeping work computers and related devices on the main network, while phones, family tablets, IoT devices, etc., stay on the guest network.
E-mail is inherently insecure, but when a company's employees connect using the same internal network, the IT department can impose a degree of protection that would not otherwise be possible. For personal email, one can choose to add an encryption service, but at the business level, email encryption must come from above. If a situation arises that requires communication of sensitive corporate data via email, you may want to ask management to implement encryption.
In the office, when a quick question arises, you can walk over to a colleague's desk; the work-from-home equivalent is likely a text message using a personal phone. However, basic SMS text messages have no real protection from interception or interference. This flaw can be corrected by meeting with other employees and agreeing on a secure messaging app to use in place of texting. Even better would be to use a business messaging application provided by the company itself.
The same is true of videoconferences, which have almost universally replaced face-to-face meetings; they are also not necessarily safe. It is the responsibility of the organizer to ensure that the meeting is protected from eavesdropping or attacks.
Lastly, a fairly common scenario is that the “newly promoted” work computer becomes the kids' after-hours homework or play computer again. In this case, you can minimize the possibility of problems coming from other users by ensuring that each family member has a separate account. For even greater separation, it is recommended to create one account for work only and one for personal use.
For sensitive business-related accounts, multi-factor authentication must be enabled. In fact, the employer may even require this step. This technology ensures that if someone obtains a password, perhaps in a data breach, it cannot be used to log in, as a second factor is required, usually a time-based one-time password (TOTP), generated via an application on the user's smartphone. Without this second factor, the password is useless.
Anyway, there is a lot to be done to improve and protect the “work from home” situation, but all these procedures are really essential. The best part is that investing a little time in security also benefits the health of your personal digital life, as a rule. Of course, after implementing all these points that we talked about, the company could still suffer a data breach for having employees working from home, but this definitely becomes quite unlikely.