Working from home: A security guide from Proton Mail’s IT security experts

Working from home is one of the many massive societal changes that COVID-19 has forced upon the world. Millions of people are now handling sensitive work data outside their office for the first time. It can be hard enough to keep data secure in the office, where there are IT security officers to monitor the network, and employees are in their work mindset. Working from home presents a new set of challenges.

From securing your home WiFi network to avoiding being phished by innocent-seeming trends on social media, our IT security experts share tips on how you can keep your data safe while working from home. You can also adapt many of the best practices in our IT security guide for the current situation.

This is by no means a comprehensive list, but it will give everyone, workers and administrators alike, a good start on the work-from-home security basics. The specific steps you should follow will depend on your threat model.

Cybersecurity best practices for working from home

1. Use your work device — but keep it secure

Using your personal computer for work introduces numerous potential vulnerabilities because it will probably have many more non-essential applications installed on it, like games or torrenting software, and may have been used by others, such as family members.

So it’s better to ask your company for permission to bring your computer home. Your work device will likely already have most of the programs and documents you need to do your job.

However, part of using your work device remotely is recreating the secure environment of your office. Don’t let other people use your work device. Even if you are working from home with family, you should ensure that your work device is secured at all times. If you get up from your laptop, you should, at the very least, lock the screen.

If you are handling very sensitive data, you should make sure the sightlines to your device are blocked while you are working. And when you finish up working, ideally, you should lock the door to your home office.

Employers should also make it clear that lost or compromised devices should be reported immediately so that the necessary steps can be taken to secure sensitive data.

2. Ensure that all data is encrypted at rest

Encrypt your work devices’ hard drives. That way, if anything happens to your computer or phone, your sensitive data will remain safe. Android, iOS, macOS, and Windows devices all have built-in encryption systems, but you have to turn them on. Also, make sure to write down your recovery code and store it in a secure place.

3. Use encrypted communications

Proton Mail is a great solution for private email: it preserves security in a simple, straightforward way for messages sent to both Proton Mail and non-Proton Mail addresses. You can also set an expiration date for your messages.

4. Keep all operating systems, programs, and applications up to date

This is imperative. Software is regularly updated in response to newly discovered bugs and vulnerabilities. If you are using an outdated version of an app or operating system, your device is not secure against known threats.

5. Protect your accounts with strong, unique passwords

Your passwords are the first line of defense for your work accounts. You should use a different strong password (at least 16 characters) for each of your accounts. Use a reputable password manager, such as Proton Pass, to make it easier to keep track of all your passwords.

6. Enable two-factor authentication on all your accounts

Activating two-factor authentication (2FA) on your accounts can prevent malicious third parties from accessing them, even if your password is compromised. Apps that generate one-time passwords, such as Authy, or a hardware 2FA token, like YubiKey, are the most secure forms of 2FA. If you’re not sure whether your service supports 2FA, you can check this comprehensive list.

7. Access your office network securely

Avoid sending sensitive information through insecure external applications. If you are using a remote desktop client to access your work computer, you should only connect with a VPN that uses VPN protocols that are known to be secure.

8. Stay healthy

Make sure you stay healthy. Disrupting your routine, working from home, and the uncertainty surrounding the coronavirus in general mean you will be facing significant stress, all of which can make it hard to concentrate. And if you are distracted, you are more likely to make mistakes, including security mistakes.

Look after yourself while working from home by getting a good night’s sleep, establishing a routine, reaching out to colleagues and friends, and taking small breaks during the day. Anything that relieves some of the pressure and anxiety you feel can help you be more efficient, more productive, and make fewer mistakes. An experienced home worker shared some of his tips for new remote workers.

Secure your home WiFi network

9. Change your home WiFi’s password

Most routers come with a preset password. These default passwords are often weak (fewer than 16 characters) and shared by other routers, making them easy to guess. Even if you changed your router’s password when you first set it up, it is worth changing it again, especially if you have shared that password with guests.

10. Turn on encryption

Most routers now come with the ability to encrypt their traffic. Unfortunately, this option is usually turned off by default. You should ensure that you enable encryption, ideally WPA2, before you begin handling sensitive data on your home WiFi. Otherwise, a nosy neighbor may be able to eavesdrop on your network.

You can enable encryption via your router’s settings. Usually, you need to know your router’s IP address to access its settings. Searching for “[router brand] IP address” will generally do the trick.

11. Turn off network name broadcasting

Hide your WiFi network from malicious actors by turning off network name broadcasting. This will stop your network from automatically showing up on every device that has its WiFi turned on and prevent others from surreptitiously connecting to your WiFi. As long as you know your WiFi network’s name, you do not need to share it constantly, and if you have already logged in to your WiFi network with your work device, it will remember the connection, even if you turn network name broadcasting off. You can turn off network name broadcasting (or SSID broadcasting) in your router’s settings.

12. Use a VPN

Use a secure VPN that you trust to keep your online activity private from trackers and your Internet service provider. Proton VPN is an open-source, independently audited VPN service that doesn’t keep logs and comes with a set of security features such as Secure Core, Kill Switch, and full-disk encryption.

Video conference securely

13. Ensure there is no sensitive information sitting on your desk or in view of the camera

If you are talking to someone on a video conference or if you are sharing your screen, do not leave notes or documents with sensitive information (like passwords, URLs, or login credentials) visible. This security consultant pointed out how much information users inadvertently share on many video calls (and then broadcast further when they post screenshots of the call on social media).

Credit: Ivano Somaini

14. Password-protect, or otherwise ensure unknown individuals cannot enter video conferences

“ZoomBombing,” or jumping into unprotected conference calls to share disruptive or offensive material, is one of the new trends popping up as people get used to working remotely. All your conference calls should be password protected, or you should use services that do not allow uninvited users to join calls.

Avoid social engineering attempts

15. Do not share screenshots of video conferences or sensitive information on social media

People are engaging more on social media to break the work-from-home monotony. However, you must always keep your IT security in mind. Recently, a trend on Twitter was to share all the cities you lived in. However, “Which city were you born in?” is a common security question, making this seemingly innocent trend a risk to your account security.

Similarly, with many people trying out video conferencing for the first time, they were eager to share screenshots of discussions with their coworkers. Unfortunately, even if you ensure there is no sensitive information visible in the background, these screenshots can give phishers valuable information (like who you were talking to or when) to craft more believable phishing attacks.

16. Be aware of phishing attempts, especially COVID-19-themed attacks

Hackers are capitalizing on the curiosity and fear surrounding the current COVID-19 outbreak to send out coronavirus-themed phishing attacks. Some simple steps will protect you from being phished. Do not click on links from people you do not know. If you have doubts about a link or email, verify that it is legitimate by contacting the sender via phone or direct message.

Security advice for management

17. Create guides that explain your IT security protocols and what services your employees should use 

Working from home is a new experience for many people. You can reduce your employees’ stress by giving them clear, actionable guidelines. Make sure they all know what your company’s IT security policy is, including what their threat model is. You should also share instructions on which services they should use while working from home and how to use them. Ideally, you will have your IT security officer reach out to them proactively, sending out reminders and responses to FAQs.

18. Keep access to sensitive networks limited

A lot of companies are a little out of sorts as they set up new work-from-home protocols. It can be tempting to simplify the process by giving everyone access to your entire network, but this would create unnecessary vulnerabilities. Keep access to sensitive data limited to those people who need it for their day-to-day work. That way, if there is a problem, you can more easily isolate the cause.

19. If you are using contractors, keep track of them

As your colleagues and workers shift from the office to their home, it can be easy to lose track of contractors. However, once temporary employees finish their work and their contract is up, you should ensure they no longer have access to sensitive data or your network.

20. Be adaptable to virtual solutions

Using the same old tools to meet new challenges won’t cut it. You will need to be flexible to meet the unique difficulties presented by having your entire workforce dispersed. A good example is using digital document signing or other virtual approvals to prevent unnecessary disruptions to the workflow.

21. Make sure support is available 

Nearly every person on earth has had their life affected by this pandemic. People are stressed, distracted, and worried about their family and friends. Thus, they are going to make mistakes. The key is to make sure they report these errors promptly and that your organization has people standing by to help them resolve their issues.

Obviously, this is a trying time for everyone, and your priority should be to take care of yourself, your loved ones, and your community. For those of you who are fortunate enough to have a job that allows you to work from home, we hope these easy security tips make the transition to working from home easier. Let’s bend the curve by chipping in and doing what we can!
