COVID-19 pandemic makes us think again about the way we live, work, and conduct many day-to-day businesses. The more people work with digital devices, the more at stake they are online.
In this article, we’ll give you a handy cybersecurity 101 with 6 best practices that deal with common online risks (including phishing and brute-force attacks) when working with the 4 most frequently-used devices in and out of the office setting.
4 types of devices
Generally, there are 4 types of devices in office work we are normally dealing with.
1. Company devices
Owned, controlled, and managed by a company, such as desktop computers, or notebooks for people who are frequently on the move for business purposes.
2. Personal devices
Owned, controlled, and managed by an individual, such as personal laptops, tablets, mobile phones, among others.
Ideally, personal devices should not store any company data prior to the company’s consent or acknowledgment. And this leads us to the 3rd kind of device, BYOD.
3. BYOD (Bring your own device)
BYOD trend is on the rise, as an increasing number of personal devices are used for non-personal (work) purposes.
BYOD is done for many reasons, but one most common reason is for the convenience of both sides: the person who uses the device(s) and the company.
However, when business confidential information can be accessed from such personal devices, special agreements are normally made between the device owners and the companies. And extra security setups are done on the devices by a company’s division-in-charge, typically ICT department.
4. Public devices
Computers, tablets, or similar devices which are usually made available for public use.
Such devices are typically seen in public spaces, such as public libraries, art museums, internet café, hotels, to name only a few.
One thing to keep in mind when using public devices: All accesses that require identifiable personal data, such as:
your personal or work email accounts
social media—like Facebook, LinkedIn, Twitter, etc.
storage clouds—like Google Drive, etc.
or anything that requests you to key in your own usernames and passwords before access should never be done on public devices. (Yes, even in Incognito mode!)
No one can assure you how your personal data is going to be stored, retrieved, and used by the owner and other users of the same devices you are using.
6 Best Cybersecurity Practices — In and Out of the Office
1. Your own responsibility
According to Mr. Sebastian Sussmann, CIO of Axon Active Vietnam, “hackers learn about human’s greatest vulnerabilities”, and most cybersecurity breaches happen out of several human factors like uninformed practices and psychological weaknesses.
a. Bad passwords
People sometimes take to unhealthy and uninformed habits online for the sake of their convenience. However, “there’s always a trade-off between convenience and cybersecurity,” warns our CIO.
People can become extremely lazy at (or simply under-appreciate the significance of) creating passwords strong enough against potential scams like brute-force attacks. They are situations when hackers adopt the hit-or-miss approach, experimenting with numerous passwords until they luck out and strike gold with the correct passwords. A classic hacking method, brute-force attacks are “still effective and popular” in this day and age (Kaspersky).
Read on to see tips for creating a strong password (or click here).
b. Two-factor authentication dismissal
As cyberattacks are on the rise, and the number of cybersecurity measures also increases to bring the situation under control, more and more cybersecurity solutions for online users are introduced. One such measure is the two-factor authentication (2FA).
Two-factor authentication is a method designed exclusively to doubly-secure online accounts. In fact, 2FA adds another level of security on top of the typical username-and-password protocol, and makes it additionally challenging for cyber thieves to steal online users’ private information.
~ Paraphrased from Norton.
Ironically, 2FA still remains unfamiliar to the vast majority of the population. A 2016 study in the US showed up to 61% of those surveyed had no idea what 2FA means (American Banker). Two years later (2018), a survey by Duo Security shows “more than half of Americans had never even heard of it.” (CNET).
For those who are aware of it, or have used it at least once: 2FA is still underestimated for its scam-proof importance. It even comes off intimidating for some people as the 2-step verification process goes.
A 2018 survey among a group of such online users shows “over 90% of Gmail users still don’t use two-factor authentication” (The Verge), although Google survey shows this method can “block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks” (Google Security Blog).
c. Time-pressure and ‘asap’ traps
Time-pressure and the sense of urgency (‘getting things done asap’) are our psychological weaknesses—the Achilles heels, that are usually targeted at by cyberattackers.
One of the most common and “easiest” ways for a cybercriminal to get your personal data is through phishing emails, which normally pressurizes you to do something quickly. In such emails, they would claim they are doing something for your own good, and tricking you to give up private credentials to your bank accounts, for example, by setting you up in a false “asap” trap.
“They will typically word it with a view to making you want to take action immediately.
So, for example, they might send a security warning and ask you to click on the link to restore access to your account. If you do so, you will arrive at a site that looks like your bank’s site, but that is geared at gathering your username and password.”~ Cyber Defense Magazine 2018
Mr. Sussmann, advises us to treat emails (even from those you know) with a skeptical eye to find the inconsistency and illogicality in the messages they are trying to convey.
CEO Fraud, Recruitment Fraud, or Fake HR are a type of phishing—“a scam in which cybercriminals spoof company email accounts and impersonate executives to try and fool an employee in accounting or HR into executing unauthorized wire transfers, or sending out confidential tax information” (Knowbe4).
In Axon Active’s experience, they can even trick an employee for unauthorized company access to gain company confidential information.
d. Large friend lists
Another human flaw that Internet scammers can manipulate is our fancy over big friend lists.
Not being picky at whom you are befriending online, such as Facebook, Twitter, or LinkedIn, leaves the door wide open for these online scammers to trace your digital footprints and collect the personal information you leave virtually—be it your home address or your company policies. They would then use it to craft a story that is totally and personally convincing for you in attempts to scam you with their phishing emails.
“Be careful and try to identify fake profiles and care about what you want to share to whom,” advised our CIO.
2. Network security
Speaking of cybersecurity, there are 4 types of network under consideration.
a. Company network
The most secured network that is set up, controlled, and actively monitored by a dedicated department of a company (i.e. ICT division) to detect and identify any unauthorized behaviors on the network at an early stage.
Oftentimes, this kind of network boasts different zones to meet various demands for Internet use in a corporation.
b. Private network
The second-most secured network that is typically provided and used in the privacy of a person’s home-setting (ie. not shared with neighbors) by an Internet contractor, with fewer layers of security compared to Company network, and no dedicated network-monitoring personnel overall. Also known as fixed broadband.
Some of the best Internet providers are AT&T Wireless and Verizon Wireless (in the US), Swisscom and UPC (in Switzerland), FPT and VNPT (in Vietnam, where Axon Active ODC and OTC are operating), just to name a few.
For Private network, there are 6 basic precautions to take:
Never use the default access password for your router (the device that connects your local network to the Internet provider)
Make sure this Private wireless network (Wi-Fi) that you have is encrypted with WPA2 and a strong encryption key. Also, make sure that the access point is not using the default password to get access for the configuration.
Only grant your Wi-Fi (or computer) access to those you know and trust, because once the trustees have the access, they can easily get access to your private data that are meant to be kept away from wider public acknowledgment.
Always have your antivirus software and firewall ON and up-to-date.
Check if the Domain Name Server (DNS) is correct to prevent DNS leaks. If you have no idea how to get this done on your personal devices, better ask your company’s ICT experts for more information.
Say ‘No’ to unlicensed software on your devices: Untrusted, cracked software that you can find around the Internet is not something to rely on. Its provider(s) can use the software as a gateway to retrieve, store, and use your personal data illegally or without your prior consent. “Hacked, cracked and other illegal softwares are usually infected, poisoned, and can be used as a Trojan to get access to your devices,” warned Mr. Sussmann, Axon Active’s CIO.
c. Cellular network
A network for mobile devices that is more or less as secured as Private network.
It’s the Mobile network that people use on the move (also known as mobile broadband), such as 3G, 4G, or 5G,.., provided by a mobile internet provider.
d. Public network
A network with the lowest level of security.
What makes this type of network least reliable to use is its typically going without any security layer—even in the case it uses encryption, usually a password, it’s known by everyone! Your private information and personal data will be most at risk of getting sniffed. For that reason, all businesses should be done over secured networks, such as full-tunnel VPN.
Learn more about sniffing attacks on Wikipedia.
In case you are left with no other choice but to use a public network, follows are important things to keep in mind:
Always turn the firewall on
Use VPN Full-Tunnel
Always establish https:// connections when possible
Never bank-transfer, do banking transactions, or anything that you don’t want to go public with over this network.
3. Passwords
Below is the checklist to a strong password.
My passwords are:
Passphrases Learn what a passphrase is
Not from a dictionary and therefore not easy for someone like a brute-force attacker to find out.
Mixes of uppercase, lowercase, special characters, and numbers For example: Ab!;z$fgTr&48#%1
Have minimum length of 8 characters. The longer a password, the safer it is. If you’re wondering if a long password could be inconvenient, remember: “There’s always a trade-off between convenience and cybersecurity.”
Alternatively, make it a ‘sentence’ password For example: Set your secret sentence “I love chocolate, bananas, and strawberries” as the password i<3choc,n4n4s&b3rr!es, or combine the initials into the password !<3c13&s. Think out of the box and get creative!
Not the same for all my online accounts. If one gets hacked, all get hacked! For example: my Facebook and Twitter account passwords are not the same.
Managed and stored in a password manager Such as Kaspersky Password Manager
Used in combination with two-factor authentication, whenever possible
4. Latest updates for your devices, firewall, and antivirus program
One of the most pro-active and effective defense methods against cyber threats is to make sure your devices are always up to date.
Besides desktop computers, laptops, and mobile phones, these devices come in a variety of shapes and sizes as far as the latest technological advances are concerned, e.g. SmartTV, IP phones, webcams, IoT devices, baby phones, Google Home, or any devices connected with the Internet.
Once your devices get the latest firmware updates, their built-in firewall and antivirus software will also get the updates essential in your fight against cyber threats. (Don’t forget to turn them on!)
Devices operating on Windows system has Windows Defender Antivirus. Or you can use, for example, Avira as a basic software that comes for free.
5. Kids and guests
If you’re working on a company device, or adopt the BYOD trend as a way to work remotely from home with your team, make sure that you steer clear of kids and guests having access to these devices—no matter how convincing their excuses, or how innocent you think they are.
You’re right to think kids aren’t capable of scheming against you—far from cybersecurity attacks. But their careless and uninformed computer habits on your devices can put you, your private data, and your company’s confidential information at stake in a foreseeable future.
Tips:
protect your device with a strong log-in password
always log out of your devices when un-used
Bonus tip: put your device(s) in the back of one closet (or two). Lock it up .
6. Hygiene
Don’t you know?
A group of University of Arizona researchers found “the average desktop [computer keyboards] has 400 times more bacteria than the average toilet seat” (National Center for Health Research). Yes, you got that right. 400 times!To keep you work from home safely, it’s worth it to shift the attention a little bit off the virtual world to where the virtual and real worlds meet: your keyboard. So, never underestimate the habit of cleaning your devices, especially the keyboards and the mice. (But you don’t have to take them into the shower to deep clean them, though!)
Reproduced from Patrick Allan 2015
Another handy tip to keep you hale and hearty is to adopt the most basic hygiene practice of washing your hands and fingers frequently and thoroughly with soap under running water or hand sanitizers. It keeps your keyboards and mice from getting dirty right from the beginning.
Otherwise, ask your company’s ICT team for further advice on how to clean your devices in a proper way.
Bonus points to broaden your horizon
Below are some references you can dig in to get to know more about the points we roughly cover here:
1. Tips for cybersecurity when working from home
Reproduced from European Union Agency For Cybersecurity 2020
Published on March 24, 2020, by the European Union Agency For Cybersecurity
2. These are the 12 most common phishing email subject lines cybercriminals use to fool you
The top subject lines, according to researchers at cybersecurity company Barracuda Networks, are based around the following key phrases:
Request
Follow up
Urgent/Important
Are you available?/Are you at your desk?
Payment Status
Hello
Purchase
Invoice Due
Re:
Direct Deposit
Expenses
Payroll
3. A Teacher Did an Experiment to Show the Power of Handwashing, and You Can’t Stay Unimpressed
Reproduced from © Jaralee Annice Metcalf / facebook
Summary
In this article, we’ve walked you through the 4 types of devices and 6 best practices—all to enhance your state of cybersecurity while working remotely. They are self-responsibility, network security, passwords, latest device updates, kids and guests, and hygiene.