Jay Gomez shares how employees can protect themselves from cyber threats in the face of an extended work-from-home assignment. Formerly information security head and data protection officer at ABS-CBN, he is now based in Hong Kong as senior vice president for cyber risk at Kroll Associates (Asia) Limited.
What are some of the common threats that WFH employees are susceptible to, especially those who use personal computers?
During normal times, we are protected by corporate infrastructure like firewalls, web filtering and other measures. However, when we went into work-from-home mode last year, corporate users started using their own devices and internet connection at home. The WiFi access points of the home network are usually not secure, meaning they don’t use encryption. That’s one issue.
Second, most personal devices don’t have an antivirus, they’re not even patched. There are cases where the employee uses pirated software, which is a source of malware. Sometimes, we let family members use our work-issued laptops and they see sensitive or confidential information such as personal or company data.
From a security standpoint, we don’t see what’s going on with the employee’s laptop. You may have data loss protection software but if the employee doesn’t connect to your corporate network, there’s no way to keep track of whatever is going on.
Antivirus software can only protect you to a certain extent. If the virus or malware is a “zero-day,” meaning the antivirus does not have its signature, then there’s no way to protect your computer unless you have what we call an endpoint detection and response or EDR tool.
Actually, there are many threats: your home network, your software if you’re using pirated ones, sharing your computer with other users. Updating of software is also a problem. Let’s say you’re using software applications (for example, Oracle or SAP) or a client-server application that needs updating from time to time or even the operating system itself, if you’re not connected to your office network, then it’s likely you’re not getting the right updates.
Should we use a VPN if we work from home?
I highly recommend that you do so. If Lopez Holdings, for example, has a VPN for corporate use, use that. You can also subscribe to a VPN for your own personal device. Personally, I use a commercial VPN (Private Internet Access) for my laptop and phones.
What’s a 2FA? Do we really need it?
Social media, web-based email and any other application that you subscribe to would normally ask you to provide a username and a password. But most of them would allow you to enable a feature called two-factor authentication (2FA) or multifactor authentication (MFA). 2FA’s principle, to put it simply, is using what you have and what you know. Like with your ATM account, you have the card and you know the PIN code; if you don’t have any of those, then you cannot withdraw your money. It’s the same with the username and password. Even if hackers happen to guess your password, if they don’t have the 2FA, which could either be a PIN, Microsoft Authenticator, Google Authenticator or your biometrics, then they’ll still be unable to log into your account. I recommend that you download authenticator software or put 2FA on your phone. Or you can buy and use YubiKey tokens or subscribe to a password manager that has 2FA or MFA features.
Your password must be a “passphrase” with uppercase and lowercase letters, special characters and must be at least 15 to 16 characters. A password is easy to break, especially if it’s a word that can be found in the dictionary; sometimes it’ll take a hacker only several seconds to break it.
What initial steps can we take to protect ourselves from cybersecurity threats?
Prevention is the first step. No. 1, use a complex passphrase, use 2FA or MFA. Second, don’t use the same password or passphrase for all your accounts. There’s something called “credential stuffing,” where hackers have a database of usernames and passwords that they use for all applications on the chance that you have the same password for your banking account and email account; once they guess the password for one account, they can actually log into the rest of your accounts.
Don’t connect to your neighbor’s WiFi. Use data when you’re at the airport and not the airport’s free WiFi. Install legit software. Install antivirus in your personal computer and phone.
As much as possible, don’t use personal computers for work. However, there’s something called MDM or mobile device management solution, where the company can monitor work-related files without looking at the rest of your computer. They can even do a remote deletion of work-related files from the device when necessary.
What are some telltale signs of a breach?
If your personal device is acting funky—sometimes it’s very slow, or when you start the browser it opens a lot of other windows or browsers. When you get a lot of emails that you don’t normally receive, or when you can’t access your account; that’s a telltale sign that hackers were able to log in and change your credentials. A good indicator also is when you receive 2FA/MFA requests on your phone or on Microsoft Authenticator or Google Authenticator applications but you’re not logging into any of your applications. That means someone is trying to log into your account using your password but they don’t have the 2FA/MFA, so the transaction cannot be consummated. When this happens, change your password/passphrase immediately.