Working from home: A security guide from ProtonMail’s IT security experts


Working from home is one of the many massive societal changes that COVID-19 has forced upon the world. Millions of people are now handling sensitive work data outside their office for the first time. It can be hard enough to keep data secure in the office, where there are IT security officers to monitor the network, and employees are in their work mindset. Working from home presents a new set of challenges.

From securing your home WiFi network to avoiding being phished by innocent-seeming trends on social media, our IT security experts share tips on how you can keep your data safe while working from home. You can also adapt many of the best practices in our IT security guide for the current situation. 

This is by no means a comprehensive list, but it will give everyone, workers and administrators alike, a good start on the work-from-home security basics. The specific steps you should follow will depend on your threat model.

Cybersecurity best practices for working from home

1. Use your work device — but keep it secure

Using your personal computer for work introduces numerous potential vulnerabilities because it will probably have many more non-essential applications installed on it, like games or torrenting software, and may have been used by others, such as family members.

So it’s better to ask your company for permission to bring your computer home. Your work device will likely already have most of the programs and documents you need to do your job.

However, part of using your work device remotely is recreating the secure environment of your office. Don’t let other people use your work device. Even if you are working from home with family, you should ensure that your work device is secured at all times. If you get up from your laptop, you should, at the very least, lock the screen.

If you are handling very sensitive data, you should make sure the sightlines to your device are blocked while you are working. And when you finish up working, ideally, you should lock the door to your home office.

Employers should also make it clear that lost or compromised devices should be reported immediately so that the necessary steps can be taken to secure sensitive data.

2. Ensure that all data is encrypted at rest

Encrypt your work devices’ hard drives. That way, if anything happens to your computer or phone, your sensitive data will remain safe. Android, iOS, macOS, and Windows devices all have built-in encryption systems, but you have to turn them on. Also, make sure to write down your recovery code and store it in a secure place.

3. Use encrypted communications

ProtonMail allows you to encrypt your emails in a simple, straightforward way to both ProtonMail and non-ProtonMail addresses. You can also set an expiration date for your messages. 

4. Keep all operating systems, programs, and applications up to date

This is imperative. Software is regularly updated in response to newly discovered bugs and vulnerabilities. If you are using an outdated version of an app or operating system, your device is not secure against known threats.

5. Protect your accounts with strong, unique passwords

Your passwords are the first line of defense for your work accounts. You should use a different strong password (at least 16 characters) for each of your accounts. Use a reputable password manager, such as Bitwarden, to make it easier to keep track of all your passwords.

6. Enable two-factor authentication on all your accounts

Activating two-factor authentication (2FA) on your accounts can prevent malicious third parties from accessing them, even if your password is compromised. Apps that generate one-time passwords, such as Authy, or a hardware 2FA token, like YubiKey, are the most secure forms of 2FA. If you’re not sure whether your service supports 2FA, you can check this comprehensive list.

7. Access your office network securely

Avoid sending sensitive information through insecure external applications. If you are using a remote desktop client to access your work computer, you should only connect through a VPN that uses protocols known to be secure.

8. Stay healthy

Make sure you stay healthy. Disrupting your routine, working from home, and the uncertainty surrounding the coronavirus in general means you will be facing significant stress, all of which can make it hard to concentrate. And if you are distracted, you are more likely to make mistakes, including security mistakes.

Look after yourself while working from home by getting a good night’s sleep, establishing a routine, reaching out to colleagues and friends, and taking small breaks during the day. Anything that relieves some of the pressure and anxiety you feel can help you be more efficient, more productive, and make fewer mistakes. An experienced home worker shared some of his tips for new remote workers.

Secure your home WiFi network

9. Change your home WiFi’s password

Most routers come with a preset password. These default passwords are often weak (less than 16 characters) and shared by other routers, making them easy to guess. Even if you changed your router’s password when you first set it up, it is worth changing it again, especially if you have shared that password with guests.

10. Turn on encryption

Most routers now come with the ability to encrypt their traffic. Unfortunately, this option is usually turned off by default. You should ensure that you enable encryption, ideally WPA2, before you begin handling sensitive data on your home WiFi. Otherwise, a nosy neighbor may be able to eavesdrop on your network.

You can enable encryption via your router’s settings. Usually, you need to know your router’s IP address to access its settings. Searching for “[router brand] IP address” will generally do the trick.
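
To confirm from a laptop that your router is actually advertising WPA2 after you change the setting, the following added example (not part of the original guide) parses a Wi-Fi scan and flags open or weakly encrypted networks. It assumes a Linux machine with NetworkManager's `nmcli`; the sample scan lines and the function names are constructed for illustration.

```python
import subprocess

# Constructed sample of `nmcli -t -f IN-USE,SSID,SECURITY device wifi list`
# output. Terse mode separates fields with ':' and escapes literal ':' and '\'.
SAMPLE = "\n".join([
    r"*:HomeOffice:WPA2",
    r" :Cafe\:Guest:",
    r" :OldPrinter:WEP",
    r" :Neighbor:WPA1 WPA2",
    r" ::WPA2 WPA3",
])

def split_terse(line):
    """Split a terse nmcli line on unescaped ':' and unescape each field."""
    fields, cur, i = [], [], 0
    while i < len(line):
        if line[i] == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])   # keep the escaped character literally
            i += 2
            continue
        if line[i] == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(line[i])
        i += 1
    fields.append("".join(cur))
    return fields

def classify(security):
    """Map the advertised SECURITY value to a verdict."""
    modes = set(security.replace("--", "").split())
    if not modes:
        return "open"      # no encryption at all
    if not modes & {"WPA2", "WPA3"}:
        return "weak"      # WEP or WPA1 only
    return "mixed" if "WPA1" in modes else "ok"  # mixed mode still admits WPA1

def audit(scan_text):
    """Return (ssid, connected, verdict) for every network in the scan."""
    rows = []
    for line in scan_text.splitlines():
        if line.strip():
            in_use, ssid, sec = (split_terse(line) + ["", ""])[:3]
            name = "<hidden>" if ssid in ("", "--") else ssid
            rows.append((name, in_use.strip() == "*", classify(sec)))
    return rows

def live_scan():
    cmd = ["nmcli", "-t", "-f", "IN-USE,SSID,SECURITY", "device", "wifi", "list"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
```

Call `audit(live_scan())` on your own machine; the row marked as connected should read `ok`. Anything else means the router setting described above still needs changing.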

11. Turn off network name broadcasting

Hide your WiFi network from malicious actors by turning off network name broadcasting. This will stop your network from automatically showing up on every device that has its WiFi turned on and prevent others from surreptitiously connecting to your WiFi. As long as you know your WiFi network’s name, you do not need to share it constantly, and if you have already logged in to your WiFi network with your work device, it will remember the connection, even if you turn network name broadcasting off. You can turn off network name broadcasting (or SSID broadcasting) in your router’s settings.

12. Use a VPN

Use a secure VPN that you trust to keep your online activity private from trackers and your Internet service provider. ProtonVPN is an open-source, independently audited VPN service that doesn’t keep logs and comes with a set of security features such as Secure Core, Kill Switch, and full-disk encryption.

Video conference securely

13. Ensure there is no sensitive information sitting on your desk or in view of the camera

If you are talking to someone on a video conference or if you are sharing your screen, do not leave notes or documents with sensitive information (like passwords, URLs, or login credentials) visible. This security consultant pointed out how much information users inadvertently share on many video calls (and then broadcast further when they post screenshots of the call on social media). 

Credit: Ivano Somaini

14. Password-protect, or otherwise ensure unknown individuals cannot enter video conferences

“ZoomBombing,” or jumping into unprotected conference calls to share disruptive or offensive material, is one of the new trends popping up as people get used to working remotely. All your conference calls should be password protected, or you should use services that do not allow uninvited users to join calls.

Avoid social engineering attempts

15. Do not share screenshots of video conferences or sensitive information on social media

People are engaging more on social media to break the work-from-home monotony. However, you must always keep your IT security in mind. Recently, a trend on Twitter was to share all the cities you lived in. However, “Which city were you born in?” is a common security question, making this seemingly innocent trend a risk to your account security.

Similarly, with many people trying out video conferencing for the first time, they were eager to share screenshots of discussions with their coworkers. Unfortunately, even if you ensure there is no sensitive information visible in the background, these screenshots can give phishers valuable information (like who you were talking to or when) to craft more believable phishing attacks.

16. Be aware of phishing attempts, especially COVID-19-themed attacks

Hackers are capitalizing on the curiosity and fear surrounding the current COVID-19 outbreak to send out coronavirus-themed phishing attacks. Some simple steps will protect you from being phished. Do not click on links from people you do not know. If you have doubts about a link or email, verify they are legitimate by contacting the sender via phone or direct message.

Security advice for management

17. Create guides that explain your IT security protocols and what services your employees should use 

Working from home is a new experience for many people. You can reduce your employees’ stress by giving them clear, actionable guidelines. Make sure they all know what your company’s IT security policy is, including what their threat model is. You should also share instructions on which services they should use while working from home and how to use them. Ideally, you will have your IT security officer reach out to them proactively, sending out reminders and responses to FAQs.

18. Keep access to sensitive networks limited

A lot of companies are a little out of sorts as they set up new work-from-home protocols. It can be tempting to simplify the process by giving everyone access to your entire network, but this would create unnecessary vulnerabilities. Keep access to sensitive data limited to those people who need it for their day-to-day work. That way, if there is a problem, you can more easily isolate the cause.

19. If you are using contractors, keep track of them

As your colleagues and workers shift from the office to their home, it can be easy to lose track of contractors. However, once temporary employees finish their work and their contract is up, you should ensure they no longer have access to sensitive data or your network.

20. Be adaptable to virtual solutions

Using the same old tools to meet new challenges won’t cut it. You will need to be flexible to meet the unique difficulties presented by having your entire workforce dispersed. A good example is using digital document signing or other virtual approvals to prevent unnecessary disruptions to the workflow.

21. Make sure support is available 

Nearly every person on earth has had their life affected by this pandemic. People are stressed, distracted, and worried about their family and friends. Thus, they are going to make mistakes. The key is to make sure they report these errors promptly and that your organization has people standing by to help them resolve their issues.

Obviously, this is a trying time for everyone, and your priority should be to take care of yourself, your loved ones, and your community. For those of you who are fortunate enough to have a job that allows you to work from home, we hope these easy security tips make the transition to working from home easier. Let’s bend the curve by chipping in and doing what we can!

You can get a free secure email account from ProtonMail here.

We also provide a free VPN service to protect your privacy.

ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support.

About the Author

Richie Koch

Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.


14 comments on “Working from home: A security guide from ProtonMail’s IT security experts”

  • Thanks so much for writing these posts in these difficult times.
    Very glad I signed up for ProtonMail and ProtonVPN, can’t wait for ProtonDrive!

  • Hi, I’d like to ask two things that for me were left unclear: First, you cited about Encryptions, saying ‘utilize encryptions for your datas’ but you haven’t yet explained how!

    Could you please elaborate on that?

    By encryption, you mean ‘encrypt the internet access’ with vpn, or encrypt EVERYTHING we work with?

    For example, if I work with Word, should I encrypt my Word app, files, or what?

    If I am to encrypt my word files, how am I supposed to do that?

    Do I install a new program, or what?

    Thank you for answering me…=)

    • Hello Yel,
      Sorry about the confusion. It is important that your device’s hard drive or memory is encrypted. If you encrypt your device’s memory, then you do not need to encrypt individual files. They will all be encrypted in storage.
      Most modern devices already have encryption options built in, you just need to turn them on. For instructions for each type of device, follow the links under Step 2. You should not need to install a new program to encrypt your device’s memory.
      It is also important that you encrypt your Internet connection by turning on WPA2 on your router (Step 10) and using a VPN (Step 12).
      Hope this clears things up!

  • Thanks so much for making being a Proton Customer even better! You already provide a terrific service and these security tips are just the icing on the cake. I have always found your technical support to be fast and helpful. Thanks again.