Cybersecurity Risks and Precautions in a Work-From-Home Environment

First Republic Bank
September 30, 2020

The COVID-19 pandemic has dramatically sped up the transition to working from home. Millions of employees now have an established digital workspace at home, and more workers than ever before are juggling career responsibilities and the challenges of home: barking dogs, crying babies, learning to use the mute button while on Zoom calls and the increased cybersecurity risks associated with working outside of the office.

While many companies were already shifting toward a work-from-home culture, the COVID-19 crisis accelerated the trend by an estimated 5 to 10 years. That sudden shift left many organizations — and their workers — unprepared for the sudden adoption of remote work. Consequently, 56% of employees are logging in from their personal computers while one in five haven’t received any cybersecurity or information technology (IT) training as they moved from in-office to at-home workspaces. This unexpected transition has increased corporate cybersecurity vulnerabilities while opening new gaps for online criminals to exploit.

How to keep your at-home workspace safe from cybercrime

Hacker attacks happen about 2,200 times a day, and, when cybercriminals succeed, it’s overwhelmingly due to human — and not system — errors. That’s because a firewall offers consistent protection, but people, meanwhile, are often distracted by deadlines, upcoming conference calls and colleague requests throughout the day. In short, what can seem like an unimportant oversight can sometimes leave a home computer and sensitive data compromised. That’s why the best cybersecurity starts with ensuring workers make smart daily choices, as well as stay up to date on the best ways to be safe online.

Get familiar with your company’s cybersecurity guidelines.

Many companies have established work-from-home procedures intended to help mitigate the increased risks associated with working from home. That’s because your home device often won’t come with the same layers of preventive security as your office PC. Review the protocols and ask for clarification if anything is unclear. While you’re at it, find out who to contact if you do encounter a cyberincident or technical issue. The speed of response can help mitigate an attack.

Safeguard sensitive information.

Data loss can happen anywhere, even when you’re working from home. A well-intentioned loved one can glimpse at confidential data or overhear a private conversation not intended for them; sensitive information can be viewed through a home office window. To avoid these potential mishaps, make sure your work devices and confidential information (papers) are physically secure in your home office space, away from areas that are easily viewable from a public space (or even a 10th-floor window). Lock your screens when you wander into the kitchen, and, when you’re finished for the day, store and lock your devices and confidential materials in a secure, out-of-sight location. For added security or if device theft is a concern, consider file-based or full-disk encryption.

Use proper password and username protection.

It can take less than a second for a computer program to crack the most commonly used passwords. That includes the name of your pet, your zip code and even a favorite word with numbers substituted for some of the letters. Instead, use a random combination of 10 or more letters, numbers, and special characters. Still, most humans find passwords like i$g2s&n7z? more than a little challenging to remember. Alternatively, consider the easier-to-remember passphrase — a list of four or more unrelated words — in lieu of a password wherein letters such as As, Es and Os are replaced by 4s, 3s and 0s. Passphrases are just as difficult for a computer to hack but much easier for a human to remember. For either method, consider a password management app, which can easily safeguard and keep track of hundreds of randomly generated password combinations or passphrases. However, the risk of a password manager is that if you lose the key, you lose access to your passwords or, worse, you potentially give fraudsters access to your passwords.

Fraudsters know that we are creatures of habit and that most of us only use a limited number, or even one, username and password for all accounts. Best practice is to not reuse any usernames and passwords for sites. If you use the same username and password for all sites, one data breach at a third-party company may result in fraudsters having access to all of your accounts across websites and companies. This should be especially avoided for financial accounts.

Where available, always enable two-factor authentication for an extra layer of security.

Secure your router connectivity.

Your Wi-Fi connection is only as secure as your router settings. If you’re not using a password or an SSID (a Wi-Fi network name) — or if you haven’t changed the factory-assigned default (usually “admin” or something as easily guessable) — your network may be vulnerable, as cybercriminals may be able to see the confidential information you type into websites. For passwords and usernames, choose combinations of letters, numbers and special characters that can’t easily be guessed. While you’re at it, ensure your firmware is updated to the latest version to enhance security.

Keep your work and personal accounts separate.

A quick visit to a favorite social media or shopping site can, unbeknownst to the user, create an opportunity for hackers to use malware or steal confidential information. If you toggle between public and private sites, you could unknowingly provide hackers with access to your company’s network and workplace data. Other common mistakes include accidentally sending personal photos to a colleague or emailing confidential information to the wrong person. To avoid a data mishandling incident, it’s best to use separate devices to access your professional and personal accounts.

How to identify a scam — before you’re scammed

Even before the COVID-19 crisis, cybercriminals were good at reaching corporate employees. One simulated phishing attack — a test run by a large multinational consulting company — found that 7 in 10 phishing emails reached a targeted employee. Of those recipients, 7% clicked a malicious link. Even the savviest internet security experts can and have been duped.

Be wary of emails containing links and attachments.

Links and attachments are used as gateways for malware installation, creating a back door between your computer and your organization’s broader network. Before clicking any links or attachments, be sure the sender is a trusted source. Carefully check the sender’s email address to make sure it’s from the person you think it is and hover over links before clicking to confirm they lead to a legitimate URL. Attackers often mimic or spoof a corporate email address, but a fraudster’s address may have slight character changes, a misspelling or a different top-level domain (such as .net where .gov should be). Also ask yourself “Was I expecting this email?” If you weren’t expecting an email with an attachment or a link, that may be a red flag. Another indicator could be the use of urgency or saying that you should keep things a secret (or else you may get in trouble, as an example).

Carefully vet callers who ask for remote computer access.

Attackers often impersonate someone from an internal IT department, a third-party vendor or a government agency. A red flag is an unsolicited caller who asks for personal information like a user ID or password or asks for remote access to your computer. Before sharing any information or access to your device, including your phone or tablet, hang up and call your corporate IT department to verify the request.

Overall, work-from-home security precautions shouldn’t be all that different from those practiced in the traditional office space.

At First Republic, we offer complimentary cybersecurity services to proactively safeguard your accounts. To schedule and learn more about these services, please contact your banker, relationship manager or wealth manager.


This information is governed by our Terms and Conditions of Use.