InfoSec Blog - Working Safely and Securely in a Remote Environment

Working Remotely

July 1, 2020

Here are some helpful tips and effective practices for working safely and securely in a remote environment, whether it's a temporary situation or a permanent transition.

  • Use a VPN - Make use of the VPN service to access on-campus resources and for an extra layer of security any time you find yourself on a public or unsecure Wi-Fi network (if you are working at a coffee shop or a library, for example). Visit https://www.uoguelph.ca/ccs/service/remote-secure-access-vpn for more information.
  • Run Your Antivirus Software - Run your antivirus program daily to pick up on any abnormal activity or possibly corrupted/malicious files that need to be quarantined or removed. Keep in mind that your VPN and antivirus software may not play well together. If this is the case, you may need to use one program at a time to make sure each piece of software works effectively. Please consult your help desk for guidance on proper use. Visit https://www.uoguelph.ca/ccs/services/software to download antivirus software offered by the University of Guelph.
  • Run Your Updates - Keeping your devices and applications up to date is probably the most underrated way to protect them. It is also the most ignored. Security and software patches are released with most updates. This means that when you ignore an update, you are leaving an application or operating system vulnerable.
  • Beware of Phishing or Suspicious Emails - If you encounter suspicious messages or attachments, please forward them to the help desk for further investigation. There has been a surge in malicious online activity as cybercriminals and cyberattackers leverage heightened public fear during the coronavirus pandemic. Online criminals are delivering coronavirus-themed phishing messages via emails, direct messages, and text messages. These messages are often alarmist and include links or attachments with the call to action to "learn more." Clicking the link often results in account compromise, malware delivery, or something else. As always, slow down and double-check the sender field. If a request seems unreasonable or out of character, do not respond. Contact the sender directly to verify that they sent the request or email. Visit https://www.uoguelph.ca/ccs/phishing for more information.
  • Use Strong Passwords - Because there are a lot more threats out there during the pandemic, there are plenty of bad actors looking to take over accounts. The easiest way to protect your accounts from being compromised is to use long, complex, and unique passwords. A good rule of thumb is to make sure that your passwords are at least fifteen characters long and include a number, a capital letter, and/or a special character. The easiest way to accomplish this is to use passphrases that only make sense to you.
    • DO NOT recycle passwords.
    • DO NOT use variations of the same password.
    • DO NOT use the same passwords for your professional accounts that you use for your personal accounts.

    Recycling passwords, using variations of the same password, and using the same password for professional and personal accounts are all sure-fire ways to have more than one of your accounts compromised in the event of a breach. To keep an eye on which accounts may be exposed, use haveibeenpwned.com. Also consider using a password manager application to store and generate strong, unique passwords. Visit https://www.uoguelph.ca/ccs/infosec/gettingstartedpwmgr for more information on password managers.

  • Employ MFA - Double down on your account security with multifactor authentication (MFA) on any accounts that offer it. MFA adds a second check to verify your identity when logging in to one of your accounts. This helps to keep your account from being compromised even if your password falls into the wrong hands. MFA is often done in one of three ways:
    • SMS (text message). This is the least-secure two-factor authentication (2FA) option, largely because messages are unencrypted and susceptible to SIM hijacking attacks. However, keep in mind that SMS is still a better option than no 2FA at all. With this method, a single-use code made up of a string of numbers is sent straight to your phone.
    • Third-party authenticator app. An authenticator app lives on your mobile device, and every time you enter your password, the app generates a one-time code, which you are required to enter. To use a third-party authentication app, you will need to download one (Google Authenticator, Microsoft Authenticator, etc.) from the app store for your mobile device.
    • Security key (hardware token). This is the most secure 2FA option. It's a small physical key that you either carry or plug in to your device to complete your login. If your university issues security tokens, you should be able to request one from your IT or security department.
  • Maintain a Clean Workspace - If you're using a shared workspace, be conscious of clearing it of sensitive, nonpublic information, especially if you have to step away. Also, avoid printing out company information at home or in public spaces if it's not necessary for your business function. In addition, if you are listening in on or participating in meetings that could be considered sensitive or in which you share nonpublic information, be sure to put on headphones. If you have the option, work in a separate, dedicated office space whenever possible.
  • Maintain a Secure Workstation - Use company-issued devices for all your work so you can take advantage of security controls built in by your IT and security teams. If you would like to find out what settings to toggle on or off to secure your workflow and data on your company machine, please contact your respective IT and/or security department for advice.

If you follow these best practices while working from home—or wherever you may be—your work and your information (or other people's information that you might handle) will be at a much lower risk of being compromised.

We hope everyone is staying safe, healthy, and productive.

 

Source: Educause Security Awareness