In this article, we will focus on home cybersecurity, or how to secure your remote work from home. The rules and best practices explained in this article apply to all types of remote work, but if you prefer the smell of coffee or sunny terraces, you will appreciate our article on securing remote work outside.
Whether you work full-time from home or just a few minutes some evenings of the week, this article will allow you to establish a more resilient behavior when it comes to remote work.
For each point mentioned below, you will find a scenario to better understand the risks you expose yourself to if you do not apply them.
Let's start right away with the most obvious: WiFi.
Securing the WiFi network
WiFi is widely adopted and extremely convenient: with current equipment, you can connect from anywhere in the house.
So you can work from your bed, your favorite armchair, or for the luckiest among us, your garden.
However, WiFi is based on radio waves, and these waves are broadcast omnidirectionally.
Anyone within the reception range of the antenna can access these waves and try to intercept the exchanged data.
We are talking about the reception antenna's capacity: with a sufficiently powerful antenna, it is possible to capture more distant networks.
The attacker can therefore be further away than your direct neighbor and can carry out their operations from a location where it is difficult for you to physically see them.
What are the risks?
If your WiFi network is not properly secured, the risk is critical. It is exactly as if you let the attacker connect to your personal network.
From there, they can intercept the communications that pass through your network, steal data, corrupt connected computers and smartphones to increase the level of compromise of your network.
Once your hardware is compromised, they can try to infect other networks to which you will connect in the future - including your company's network.
More visible and distressing: depending on the connected devices in your home, the attacker can also control your television, lighting, and who knows what else.
To secure your WiFi network
The first thing to do is to check that WPA/WPA2 encryption is enabled. On your Internet box, in the network settings, check that this type of encryption is selected, and that the key (password phrase) is long and complex enough.
WEP encryption is worthless, avoid it at all costs.
A too simple key (too short or too intelligible) can be brute-forced, meaning it can be attacked by testing all possible combinations to guess the key.
For advanced users, enable MAC filtering.
Each device - phone, computer, connected object - accessing your network has what is called a "physical address" or MAC address (nothing to do with Apple).
MAC filtering allows you to only allow connection to your network for devices whose MAC address you have entered.
The constraint is that every time you want to add a device - a colleague who wishes to connect, a new phone, etc. - you will have to configure your box to accept its MAC address.
The advantage is that the attacker will have a harder time connecting to your WiFi network.
Unless they have administrator access to your box because it allows remote administration. For that, you need to ensure the proper configuration of your box.
Check the configuration of your Internet box
A few years ago, I was in an Airbnb in Panama. In order to quickly improve my Spanish, I forced myself to watch movies in Spanish with Spanish subtitles during the night.
One late evening, the Internet connection stopped working. I couldn't get any support from my hosts who were probably already asleep.
Looking at my network settings, I found the IP address of the Internet box and its administration interface that asked me for a login and password to connect.
I tried the combination "admin" as the username and "admin" as the password and found myself connected to the administration interface on the first try.
From there, I was able to restart the box, which restored its internet connection.
I could also have changed the configuration of the box to route the data through a server that I control and corrupt the connected computers of the hosts and future Airbnb guests.
Risks of a poor configuration
Having access to the configuration of your Internet box means controlling your internet access.
From there, the attacker can lead you to malicious sites or fake login portals to steal your credentials, intercept exchanged data, use your connection as a relay for other malicious activities, etc.
Once again, this is a critical compromise because it allows compromising other devices that can then extend the attack to other networks to which these devices have access.
Securing the configuration of your Internet box
The first thing to do is to change the default password of the administration interface of your box.
Even if it is different from "admin", default passwords for many network devices are available on the internet, such as on this website.
The second configuration element to pay attention to is disabling remote administration.
This option allows access to the administration interface from the internet. By default, this option is not enabled, and you have to be on the local network - connected to the box physically or through WiFi - to access it.
However, a technician or someone who has accessed the network may have enabled it for various reasons. It is good practice to check that this option is disabled.
Separation of equipment
This point does not depend entirely on you but also on your company.
In the case where your company provides professional equipment such as a computer or a mobile phone, it is important to separate their use from your personal equipment.
Risks of using professional equipment for personal activities
Sometimes, the laptop provided by the company is much better than the old machine lying around in the living room, slow and with a poor-quality screen.
It is then tempting, once the workday is over, to use the office laptop for personal purposes.
However, in a personal setting, we have less secure behaviors.
Installed websites, applications, and games can install malware on the computer.
Disconnecting from the company's VPN leads to less secure data exchanges - potentially unencrypted on weakly secured websites or applications.
Once again, the infection during private activities persists when returning to the professional environment and can infect your company's network.
Best practice
The best practice is therefore to separate your equipment and adhere as closely as possible to assigned uses.
Separation of professional and personal networks
This recommendation is probably the most difficult to implement, nevertheless, in the case of critical applications, having a dedicated access point for the professional environment is not a luxury but a necessity.
Indeed, the personal network is home to numerous connected devices: from a not very secure smart TV to children's computers that download games and applications, there are many points of vulnerability on a typical personal network.
As explained in the points above, once these elements are compromised, the attacker can infect your own professional equipment if it connects to the same network.
I think you are starting to see the risks involved: total compromise of hardware and data, infection of the company's network, etc.
How to mitigate this risk?
For "VIPs", users who have high-level access rights to the network and its data, it is interesting to consider a secondary connection to physically separate the networks at home.
This can be a second internet connection - a second box, a second WiFi network, etc. - or a more "mobile" solution such as an access point using the 4G network.
The 4G network can be accessed using either the company's phone or a 4G box or router provided by the company.
This allows for compartmentalizing and isolating the professional connection from the personal connection.
Creating a separate network is often impossible. The 4G plan is limited, and additional network equipment can represent a significant financial burden.
A good alternative solution is to rely on systematic use of a corporate VPN on professional devices.
Secure access to your living space
Now that the technical aspect is secure, let's go over some basic rules regarding physical security.
Indeed, physical access remains a vector that should not be neglected in cybersecurity. Physical access can have more devastating consequences than remote access.
The recommendation may seem obvious, but remember to lock your doors and windows and ensure common security rules.
In addition to that, check the sightlines that give a view of your computer screen. If you have a neighbor with a view, they could use binoculars to perform shoulder surfing from their window.
Observing your keyboard and obtaining information or capturing passwords can lead to devastating opportunistic attacks.
Do not leave your equipment unattended
This is a classic that I still observe too often: unlocked workstations when the user is absent.
This mainly comes from a lack of awareness of the risks and embarrassing situations that can be created.
Risks of leaving your equipment unattended
Imagine yourself as a parent working from home. You are working on your computer when the phone rings, and you get up to answer and walk while talking.
You leave the office where you work to walk around the living room and look out the window while absorbed in your phone conversation.
During this time:
- Your eldest plugs a USB drive into your computer to print a document they downloaded.
- The middle child, punished from social media for bothering the youngest, takes advantage of your absence to respond to their friends and clicks on the links they sent.
- And the youngest sends "slfkjhdfv;:rkgddg xcvkjngr" in response to an email chain with your manager and superiors.
During your phone conversation:
- You have potentially been infected twice.
- You have lost credibility with your hierarchy.
All of this could have been avoided if you had locked your computer when moving away from the phone.
Good habits to adopt
When you move away from your keyboard, even for three minutes, lock your computer.
If you are away for a longer time, close it and store it in a place where it is safe from falls or damage related to the room's activity - a small thought for those working from the kitchen table.
Finally, do not leave your computer or phone visible in your vehicle when you leave it.
Vehicle theft or theft of its contents is within reach of many attackers, organized or opportunistic.
Conclusion
The cyber risk is often too invisible. This is even more true at home, in the family cocoon where it is difficult not to feel safe.
By applying the best practices outlined in this article, you will be able to feel more legitimately secure.
If you wish to improve your company's behavior and make it more secure in a sustainable way, we develop solutions for cyber risk awareness and training.