Working Remotely
Working or studying from home or any other location does not exempt you from cyber threats. As long as you have an active Internet connection, cyber threats are always lurking. When you work from home, you are still using work devices, email addresses and network systems. Therefore, if your device gets compromised, AU systems will also be at risk. Because of this, it is important to practice good cybersecurity behaviour.
How do Cybercriminals Target Remote Workers?
- Physical theft of a device: If you leave your device unattended in public, an attacker can steal the device or access sensitive information from your device.
- Phishing: Phishing emails are the easiest and most cost-effective attack method for cybercriminals. Attackers can send targeted phishing emails based on current events and on information gathered from your online accounts.
- Social engineering: Attackers may use other communication channels to orchestrate an attack, such as text messages or calls to victims, pretending to be from legitimate organizations and requesting sensitive information (e.g. passwords, credit card numbers).
- Ransomware: This is a type of attack where an attacker infects a device with malware that encrypts the data on the device and then denies access to the user until a sum of money is paid. The malware is usually delivered via a social engineering attack or a rogue USB stick.
- Wireless hijacking: This is when attackers mimic a Wi-Fi network by creating a network that uses the same name as a legitimate one (e.g. a hotel or airport public Wi-Fi network). Usually the network names will differ by one character. Once you connect to the illegitimate Wi-Fi, all your network communications will be routed to the attacker.
- Eavesdropping: This is when an attacker listens to Wi-Fi traffic and steals and records information as it is transmitted over a network by a device. The attack takes advantage of unsecured network communications to access data as it is being sent or received by the user. The attacker can record all online activities and account usernames and passwords. Eavesdropping is also known as a sniffing or snooping attack.
- Traffic manipulation: This is when an attacker infects a device with malicious code that allows the attacker to insert their own traffic to influence data and obtain access to your organization’s network. This means that an attacker can, for example, replace a legitimate message with their own phishing message.
How Can You Secure Your Home Network?
- Secure your Wi-Fi
Wi-Fi enables us to work from home effectively and is the backbone of the home network. It is therefore critical to ensure that the home network is secured. The most basic way of securing your home network is by changing the default administrative password for the router and using a strong passphrase. You can also create a separate network for non-critical uses such as game consoles, children's devices and visitors. Enabling WPA2 encryption in your configuration settings helps to deter attackers from eavesdropping/sniffing.
- Use strong passphrases
Passphrases are longer passwords that are formed from at least two words but still include special characters. The benefit of using these is that they take longer for hackers to crack than short passwords.
- Use Multi-Factor Authentication (MFA) where it is available
Multi-factor authentication provides an additional layer of security by requiring two or more authentication factors to unlock devices. This means that in addition to a password you would require a PIN sent to a different device such as your phone and/or a biometric such as a fingerprint. Therefore, in the event that someone else gets hold of your password but does not have the other authentication factor, they cannot access your account.
- Always use AU sanctioned devices
Using personal devices for work presents security issues because if your personal device gets compromised while you are logged on to AU systems, the rest of the network can also become compromised. AU devices offer additional layers of security such as antivirus/anti-malware detection, and regular updates to ensure that attackers do not take advantage of software flaws. If you need to use your own device for work, ensure you get authorization from your supervisor or contact the Helpdesk, as you may need additional software or permissions to protect AU digital assets.
- Adhere to all applicable AU security policies and procedures
Even when working from home, it is still your responsibility to adhere to AU policies and procedures. The AU Security of Digital Information and assets policy and associated procedures are designed to help you in fulfilling your responsibility to protect the digital assets of AU and the university community.
- Connect to the Pulse Secure Virtual Private Network (VPN) every time you log on
A Virtual Private Network (VPN) allows you to connect to the AU network through the Internet using an encrypted tunnel to ensure your online privacy and protect your sensitive data. Pulse Secure is the VPN used by AU to protect AU information as it is sent over the World Wide Web.
- Use communication & conferencing tools that are approved by AU
Microsoft Teams is the AU sanctioned communication and conferencing tool. Therefore, if you are setting up a meeting, make sure you use MS Teams for internal meetings. While you can attend a Zoom meeting created by an external party, you should not create meetings using Zoom. If you are setting up an external meeting where parties cannot use Teams, create your meeting using Adobe Connect. Adobe Connect is a real-time virtual classroom and meeting environment designed for distance education and collaboration that is currently used by AU.
- Protect sensitive information
Just like you do in the office, lock your device when you are not using it. This is to protect sensitive data from accidental deletion or snooping by family members or visitors. Do not allow unauthorized users to use your work devices. Do not leave sensitive printed documents in plain sight.
- Be aware of phishing attacks
Regardless of your location, phishing attacks will always persist. This is even more so when major events such as a pandemic or disaster are happening across the world, as attackers try to take advantage of these to orchestrate attacks.
- Back up your data
To ensure that you do not lose your work in the event that your computer crashes or your computer is stolen, you need to have a data backup. You may do this by saving/storing your files on the AU OneDrive or on AU SharePoint or by using Virtual Desktop workspaces.
Updated November 09, 2020 by Digital & Web Operations, University Relations (web_services@athabascau.ca)