If you tell your friends you work remotely for people you have never met, some may doubt the security status of such a job. The job is secure, but it all depends on your ability to create a security policy for remote workers. Even if you live far away from your clients, it is important to exercise caution as you work. The details you hold about your client should remain secure. Some customers will entrust you with their secret passwords, and intricate details about their private life. How do you handle this? How can you gain the trust of someone who has never heard your voice? How do you ensure there are no security breaches? All these questions need one answer: exercising caution at work.
(In this article, the word ‘security’ refers to information security.)
In the recent past, many people believed that high performance and security of various applications could only come from an isolated data center. The birth of the cloud resulted in people embracing performance benefits, and the low cost of managing our apps on an on-demand basis. This meant we did not need enclosed servers in a remote room. You need to know this: there is no physical cloud that exists. It is a computer belonging to an IT guru. Companies such as Stripe and Uber store and execute customer information and payment methods on a cloud server. They do this while keeping to the standard security laws such as Private Card Industry Data Security Standard (PCI DSS) compliance. Companies make sure they follow strict policies that safeguard the integrity of their data. If all companies ensure the production environment is safe in spite of other secret data centers, then your development can be secure through the use of remote teams. There are companies which operate remotely, such as Toptal.
What does security mean and how do you keep safe?
Information security refers to the act of safeguarding information systems and information from unsanctioned access, disruption, destruction, use, modification, or disclosure. Perfect security in information systems does not exist. The fact that you are secure means that you have taken measures to enhance information security. When you say you work in a secure work environment, it means that you have taken reasonable steps to secure your code, data, or any other private information at your disposal. You have also secured the privileges you use to access sensitive information. No unauthorized person can go against the rules of the organization and cause havoc in the company by finding confidential information.
Any team that works remotely faces a larger surface of attack, as opposed to the centralized team. In a centralized workstation, you can secure every piece of confidential information in a certain workstation, or behind a given firewall. If you are a remote worker, your employer will require you to have your device. Since you communicate with your boss online, you are more vulnerable to identity theft or social engineering. But if you have been careful, you will not experience a security breach.
Security does not have a silver bullet. A trade-off exists between convenience and security, and it will depend on how far you want to take security measures. You need to remember that the weakest member of your team determines the security of your system. Let’s go through some widespread security attacks, and how to defend yourself against them.
Common types of attacks
You cannot claim total preparation if you have no idea what awaits you. Your online adversary has numerous methods they can use against you. You can classify the attacks in three broad categories. This list is not exhaustive, but hackers use these three strategies:
There are many kinds of malware attacks. Some are annoying, while others are harmless. Others can turn out to be lethal. You need to be on the lookout for the most critical types of malware which are:
Remote Administration Tools (RATs): permits total control of your personal computer.
Spyware: records and installs your videos, audios, screen, and keystrokes.
Ransomware: encrypts every critical file on your computer, and asks for ransom before you receive a key to access your files.
If attackers want you to install custom malware on your personal computer, they apply social engineering:
An attacker drops infected USB drives in an employee’s computer to access the login credentials of staff.
A man whose resume has some coffee spills asks the receptionist to print another copy because of an upcoming interview. This makes the company’s computer open to receive malicious payload from a USB device. The art of human hacking uses this trick.
This is the most rampant method of stealing people’s credentials. Attackers use fake websites that look like the original site. Imagine a site that looks similar to Facebook. You log in thinking it is the actual site, and thereby hand over your login details.
Sometimes a hacker will attack by installing their website on your website domain. This kind of attack is called Man in the Middle (MITM) attack. This should not worry you since you will receive a warning from your browser.
Spear phishing is where you receive a page which the hacker has customized for you, or your company. When this kind of phishing combines with social engineering, it is easy to fall prey. You can browse security projects on Freelancer for more information.
This kind of attack also bears the name "human hacking". It is the art of manipulating unsuspecting individuals, and making them act against their own interests, such as disclosing private information. Social engineering tries to exploit your sympathy so you lose sight of good security practice. It may involve situations where the victim bypasses good practices for fear of receiving an unknown punishment if you do not comply. Social engineering does not discriminate between kids or adults. The most recent form of this focused on children. They received instructions from a certain person to play an online game. The game concluded in many kids losing their lives, because no one dared to leave before the game was over - they were told there would be dire consequences for anyone who attempted to exit before the end. Social engineering examples include:
An attacker sends a company’s CFO a message that approves a $2 million funds transfer.
A woman calls a support agent to a cellular company and asks the agent to change an individual’s account. The call happens as a baby cries on a YouTube clip in the background.
What strategies do you need to know?
Manage your password well
You may not like passwords because they are weak methods of user identification, but you cannot do away with them in this internet era. Since the mind is weak in generating complex passwords, you need to have a password manager, and use strong phrases for a password. A perfect password manager will create random passwords and store them for you. LastPass is a good recommendation.
Apply Multifactor Authentication (MFA)
Use several steps to authenticate your identity. Such things may include something you love, your former school, a place you visited, and something you own. Many websites require users to prove their identity before they can access the site. Your phone number is also unique.
When you are working remotely, be alert. If you are not a victim of a security breach today, the criminals could focus on you tomorrow. Constant vigilance is a virtue you should not ignore - you may think you have a safe system, but it is just a matter of time before they catch up with you. Do not open any suspicious emails, and don’t accept random friend requests on Facebook.
The tips highlighted here are not the only ones. If you have more, share them in the comment section below!