Telecommuters are everywhere. They’re at the local coffee shop, fast food restaurant and bookstore. In fact, according to Gallup’s Work and Education Poll, the number of U.S. workers who say they telecommute is up significantly in the last decade. The numbers are only expected to increase as more companies diversify staffing thanks to things like increased access to smart technology, cost-cutting incentives – cutting back on pricey office real estate – and overall productivity that makes working from just about anywhere, well, easier than ever.
Of course, with the uptick in road warriors come some uniquely challenging security risks.
SafeBreach Co-Founder and CTO Itzik Kotler says that one of the biggest mistakes people make when working outside the office is assuming that the environment they’re working in is safe.
“They leave mobile devices unattended, connect to public and insecure hotspots and while they are using an insecure wireless connection they may be performing sensitive transactions like checking bank accounts or accessing confidential company data,” he said.
With offices in Sunnyvale, California, and Tel Aviv, Israel, SafeBreach works with companies worldwide to develop proactive security solutions.
“The risks of connecting to unprotected hotspots are really high,” Kotler said. One reason is that a wireless hotspot may not have any security measures in place, like a firewall, to protect against Web-based attacks.
“The hotspot may be vulnerable to wireless eavesdroppers that intercept or monitor the data sent between your browser and the Internet,” he said. “The hotspot may also be a rogue access point set up by an attacker to infect users with malware, steal confidential information on devices or pose as a legitimate service provider to collect credit information for access.”
It may seem like the stuff of a spy thriller, but it’s actually how hackers get access to data that fetches top dollar, like credit card numbers and bank passwords.
And because it’s virtually impossible to tell a safe hotspot from a potentially dangerous one, Kotler recommends not using them in the first place. “Bring your own personal wireless access point (MIFI),” he said. “Many service providers like AT&T or Verizon offer them today.”
Expert Tips for Users
The lure of the free WiFi may be a little too tempting for many of us. That’s why Alx Block, a tech expert who works with both Automattic and WordPress.com from his office in Philadelphia, says there are actually a few ways to work smarter, like using a virtual private network (VPN) or a proxy connection.
“VPNs are fairly common and affordable,” Block said, “and allow for you to browse the internet without having to worry about someone sniffing your data from the network.”
Block follows a few simple rules:
- First, don’t allow your phone to connect to networks without permission. Avoid keeping WiFi options open. “This way,” he said, “you won't accidentally connect to an open network and expose yourself.”
- Second, look for tools that help monitor outgoing Web traffic, like Little Snitch, a program that will actually show you what you’re sending to sites you visit.
- Third, install anti-virus software and keep it up to date, even on Macs. He recommends Avast, a program that can scan websites for malware as you visit them.
- Fourth, password protection is key. Consider using a password manager from LastPass or 1Password that allows users to store unique passwords for all online accounts securely. “Passwords should always be strong and unique,” Block said, “and you should never use the same password for more than one service.”
“The weakest link in a company is the biggest threat,” he said. “All it takes is one employee with an insecure password to allow for a full breach.”
What IT Pros Should Be Considering
Allison Nixon is the director of security research at Flashpoint in New York City, where she helps to provide business risk intelligence (BRI) to clients. In her experience, “Breaches have happened when employees lack a good awareness of their physical environment,” she said. “When laptops or phones are stolen, it’s difficult to know if they were taken for the value of the hardware or the value of the data inside. Even if the data is encrypted, it’s difficult to ensure the password is truly uncrackable and was never re-used elsewhere. It’s a frustrating scenario if you have no way to tell the extent of the harm that happened.”
While it’s tough to prevent theft, she says there are a few important questions IT pros should be asking:
- Do users have screen protectors installed on company laptops?
- Are employees using VPNs? If so, is each one set up securely with 2FA?
- Do employees recognize that certificate warnings could signal a possible interception attempt?
- Is each machine running a firewall to block unsolicited inbound traffic?
- Is thumb drive usage controlled?
- Is asset management software being used?
“The employee has as much at stake in the security process as the company does,” said Nixon, “and it’s important that they also feel that these measures are important.”
Some of the most crushing hacks in recent years have started because a single user opened the door by clicking a bad link or falling for a phishing scam. Because it’s easy to spoof a site or email, users need to know when not to enter login information or share security information on these phony sites. A simple misspelled URL could lead to big problems.
“Making sure that you’re on the correct URL and that the site is secure with the correct SSL credentials is one of the most basic checks that you can do any time you enter your password anywhere,” Block said.
The risks are high for companies that have employees working in the field, which is most companies nowadays. “If the company does not give the employees a VPN,” said Nixon, “they can’t act surprised when the employee goes to a coffee shop and gets their cookie stolen.”
One method of defense that anyone can set up now is strong authentication for applications on devices and in the cloud. This helps prevent someone from accessing key applications when they get hold of a device, whether by stealing it or by accessing it through unprotected networks.
Kotler recommends using file encryption for sensitive data on devices, and installing host-based security products that can protect against viruses and malware.
“Consider cloud-based security options that enable users within an organization to have a consistent set of security protections,” he said, “whether they are in the office, at home or on the road.”
Natalie Hope McDonald is a writer based in Philadelphia.