Best practices for keeping your work-from-home office secure

Working from home keeps you physically safe, and many offices are planning on making telecommuting a long-term option for its employees for the foreseeable future. But this new normal has led to a major rise in cyberattacks, as hackers shift their tactics to exploit less-secure home networks and vulnerabilities in popular security services like VPNs.

Most workers are conscientious about avoiding seedy websites and not clicking on suspicious links. But for more sophisticated threats, you can’t be expected to spot them on your own. And unfortunately, most complementary or free antivirus packages only protect against the most conspicuous threats. 

This article will highlight the less obvious problem areas in most home office setups, and everything you (and your antivirus and security software) should do to avoid malware, ransomware and other attacks.

Secure your router

Tom’s Guide has already detailed all the ways that your router is incredibly exposed to outside threats. Now that home offices contain more proprietary information, hackers are devoting more time to infiltrating individual households, and routers are an easy entry point to access your personal data and devices. 

Taking a few minutes to change the default administrative passwords and default network name, turn on automatic firmware updates and enable WPA2 or WPA3 encryption will make a world of difference. You can also consider purchasing a new router with OpenVPN capabilities to secure your network. 

VPNs aren’t always secure

Some companies use business VPNs to protect and encrypt their data, while many individuals purchase their own VPNs, or antivirus software bundled with a VPN, to protect their browser history and bypass geographic blocks on certain websites. Unfortunately many VPNs have been exposed with critical security flaws in recent months. 

This doesn’t mean that you should avoid using a VPN, but you should be discerning about potential problems with a given service. For example, Avast’s security software includes a VPN, but they save your data in order to sell it to advertisers. 

In case any VPN is compromised, choose one that doesn’t save your data to begin with. Tom’s Guide’s top 3 antivirus software (Kaspersky, Bitdefender, Norton) all have VPNs with no-log guarantees, meaning they don’t track your data. Only Norton, however, comes with unlimited VPN usage, while the other two are capped unless you pay extra.

If you’d rather invest in a dedicated VPN, look into one that will secure not just your work computer, but also your mobile and tablet devices, streaming devices (e.g., Chromecast, Xbox One) and your router. Also, keep in mind that VPNs don’t automatically protect all your data: if you freely provide personal or monetary information online, a VPN won’t prevent sites or hackers from knowing who you are.

Zoom comes with risks

Among a long list of Zoom security issues, Trend Micro researchers discovered fake Zoom app installers that let hackers steal your login credentials, access your webcam and keystrokes, and allow for remote PC access. And earlier this month, security research firm Talos found major vulnerabilities in Zoom chat that let users install malware onto the PCs of fellow meeting invitees. 

This goes to show that antivirus software companies are great at catching scams like this, but also that popular work-at-home applications are being specifically targeted for vulnerabilities. You should certainly secure your Zoom calls from trolls, but if less tech-savvy employees create Zoom meetings without restrictions, or if you take a Zoom call on an unprotected mobile device, you could end up at risk despite whatever precautions you take. 

If you can’t convince your coworkers to try out a more secure Zoom alternative, your best bet is to invest in malware protection that will block arbitrary code execution of viruses that you could not otherwise prevent. 

Watch out for phishing from fellow employees

The COVID-19 crisis has led to plenty of coronavirus-themed phishing attacks, but most tech enthusiasts are pretty good at spotting third-party scams. Phishing from your coworkers, on the other hand, may be unexpected enough to catch even the most careful people.

In an old job, hackers managed to access my department head’s email. Then, the department received an email with a password-protected “Outlook” link to a confidential pay raise document. I didn’t buy it, but enough coworkers did to cause a chain reaction of compromised info.

Most phishing attempts have telltale signs of bad spelling and fishy email addresses. Spear phishing, however, comes after bad actors research the daily apps and activities common to your workplace, so their emails include information that make them seem genuine. 

If you receive dozens of Zoom or Google calendar invites, a cloned template with a malicious link from a trusted co-worker will catch you because it’s too routine to think about closely. Plus, now that you can’t walk over to a coworker’s desk to ask for information, it might be more natural to think a “co-worker” may have forgotten the password to access something.

Most antivirus software contains anti-phishing features that send pop-ups warning you if a site is insecure, or block known phishing sites; rather than rely on this, however, it’s up to you to be skeptical. If you’re ever uncertain, go directly to the website in question and log in first. Then, if an email still asks for your credentials, you know something is amiss. Or, just message your coworker directly on Slack and make sure they really send the request.

Parental controls to the rescue

Lucky workers got to bring home a work laptop, but a healthy group of people are using a personal laptop for work out of necessity, or checking work emails on their phones while they lay in bed. That work-home blurring can get especially risky if you allow family members, especially kids, to have “screen time” with devices you use for work.

If you’re unable to set boundaries and have work-specific devices, it’s worth considering some specific parental-control apps that make sure your kid doesn’t provide any protected information online and filters out bad sites. Or, pick an antivirus program that bundles in parental controls along with other protections, like Norton 360 with Norton Family or Kaspersky 2020 with Kapersky Safe Kids. 

Tailor your security software to your needs

Look through some of the best features of any antivirus software, and you’ll find many that can be handled by specialist companies individually. You may already have a password manager, a VPN, parental controls, a cloud backup of files, or other security measures, so you may end up paying for features you don’t strictly need. On the other hand, you may prefer one secure hub to manage all of your security features, rather than jumping between different websites. 

Whatever your preferences, there are specific features to look out for that are especially useful for at-home work, and that you won’t find in many free antivirus software packages.

Hardened browsers or security extensions increase the encryption protections on any web browser, blocking malware, phishing sites and keylogging software. You will also want a service with built-in webcam protection.

Keep an eye out for a game mode or silent mode, and not just if you’re a gamer. Antivirus software can cause slow-downs with other software. So if you’re using intense creative applications for work and need a performance boost, you may want to pause some background antivirus programs when you know you won’t be on the web. 

You may be vulnerable to ransomware attack, and if you don’t regularly back up your data on an external hard drive, consider a service with automated backups of key files. That way, you can revert to a previous set of files in an emergency. Also look into some kind of file shredder to make sure that any “deleted” files can’t be found and restored in case someone gets access to your computer.

Finally, if you’re willing to pay more for security, some deluxe packages of antivirus software include identity theft protections, watching your bank accounts, cards and SSNs for bad activity. Hackers looking for business secrets will be perfectly happy to steal your personal information along the way, and it can’t hurt to guard against that.