Security Best Practices and Risks For Working Remotely

Working remotely presents unique challenges for information security because remote work environments don't usually have the same safeguards as working on-campus. When an employee is at the office, they are working behind layers of preventive security controls. While not perfect, it is harder to make a security mistake while at the office. However, when computers leave campus and people work remotely, new risks arise for the University and additional safeguards and vigilance is essential. For more details see the Fredonia Secure the Human Reference Guide.

Risks and Best Practices

• Social Engineering
• Protect your Accounts and Passwords
• Secure Your Home Network
• Protect Your Devices
• Secure Connections
• Protect University Data
• Family and Guests
• Policies

Social Engineering

One of the greatest risks remote workers will face, especially in this time of both dramatic change and an environment of urgency, is social engineering attacks.  Social Engineering is a psychological attack where attackers trick or fool their victims into making a mistake, which will be made easier during a time of change and confusion.  Keep in mind, social engineering attacks like these are not limited to phone calls or email; they can happen in any form, including text messages on your phone, over social media, or even in person. The key is to know what to look out for--you are your own best defense. Ultimately, common sense is your best protection.  If something seems suspicious or does not feel right, it may be an attack. 

• Always be alert for phishing emails and malicious scams. Phishing is a type of attack that uses email or a messaging service to fool you into taking an action you should not take, such as clicking on a malicious link, sharing your password, or opening an infected email attachment.  Be suspicious of any email or online message that creates a sense of urgency, has bad spelling or addresses you as "Dear Customer."
• The most common clues of a social engineering attack include:
  • Someone creating a tremendous sense of urgency. They are attempting to fool you into making a mistake.
  • Someone asking for information they should not have access to or should already know, such as your account numbers.
  • Someone asking for your password. No legitimate organization will ever ask you for that.
  • Someone pressuring you to bypass or ignore security processes or procedures you are expected to follow at work.
  • Something too good to be true. For example, you are notified you won the lottery or an iPad, even though you never even entered the lottery.
  • You receive an odd email from a friend or coworker containing wording that does not sound like it is really them. A cyber attacker may have hacked into their account and is attempting to trick you. To protect yourself, verify such requests by reaching out to your friend using a different communications method, such as in person or over the phone.
• If you suspect someone is trying to trick or fool you, do not communicate with the person anymore. If the attack is work related, be sure to report it to the ITS Service Center right away. Remember, common sense is often your best defense.

Protect Your Accounts and Passwords

Weak passwords continue to be one of the primary drivers for breaches on a global scale. There are four key behaviors to help manage this risk, listed below.

• Always Use strong passwords or passphrases whenever possible. The key to strong passwords is to make them long; the more characters you have the better. These are called passphrases: a type of strong password that uses a short sentence or random words. For more about passphrases see https://fredonia-edu.atlassian.net/l/c/emyUmzvP
• Make sure each of your accounts has a separate, unique password. Never reuse passwords across multiple systems and do not share your password with others.
• Can't remember all of your passwords/passphrases?  Consider using a password manager to securely store all of them for you.
• Set up two-factor authentication whenever possible. The University utilizes Azure multi-factor authentication for many critical and sensitive systems. To learn about Azure MFA visit Multi-factor authentication (MFA) - FAQs at https://fredonia-edu.atlassian.net/wiki/x/EgBhaQ.
  NOTE: This is a good time to review your second factor devices to make sure you can login to your protected services remotely.
• Do not use your eServices credentials (email/password) for other non-work related services (e.g. Facebook, Dropbox, etc.).

Secure Your Home Network

• The most effective steps you can take to secure your wireless network at home is to change the default admin password, enable WPA2 encryption and use a strong password for your wireless network.
• Be aware of all the devices connected to your home network, including baby monitors, gaming consoles, TVs, appliances or even your car.  Ensure all those devices are protected by a strong password and/or are running the latest version of their operating system.

Protect Your Devices

• One of the most effective ways you can protect your computer at home is to make sure both the operating system and your applications are patched and updated.  Enable automatic updating whenever possible.
• Set up firewalls for your device(s) whenever possible.
• Use an antivirus software for your device(s) whenever possible. 
• Update the Mobile OS and applications in all of your mobile devices.
• Ensure that your mobile devices are encrypted. All University laptops are encrypted.
• Use a USB Data Blocker when charging up at a Public Phone Charging Station.
• Lock your device when it is unattended. 
• Do not leave your University mobile device (e.g. laptop, smartphone, tablet etc.) unsecured.

Secure Connections

• Use a Virtual Private Network  to protect sensitive information. The University provides this service for all faculty and staff. To learn about Fredonia’s VPN service go to Getting started with the Fredonia Virtual Private Network (VPN) Services.
• Avoid public Wi-Fi; if necessary, use personal hotspots or some way to encrypt your web connection. Only connect to trusted, private networks.
• Block the sight lines. If you are at a public place, pay attention to your sight lines. If someone is behind you, they can see everything you are typing. 

Protect University Data

• Keep University data on work computers or within approved University cloud accessible systems. Do not save Category II - Private or Category III - Restricted data to personal devices or cloud storage (e.g. Dropbox).
• Store your University data on your U:/ drive to ensure that it is fully encrypted and backed up regularly. 
• Do not email sensitive Data without encrypting it first.  
• Only those individuals with a need to know should be authorized to access sensitive information. Least privilege necessary is a good practice to stick with.
• Maintain an accurate inventory. Know where sensitive information resides and keep track of servers, workstations, mobile devices, back-up systems, etc.
• Secure information disposal. All paper documents with sensitive information should be shredded. Electronic media must be thoroughly reformatted or physically destroyed.
• Do not use personal email accounts for University business. Every employee of the University has a @fredonia.edu email address for conducting University business.  Don't use your personal email account (e.g. Gmail, Yahoo, etc.) for conducting University business. 

• While working at home, be aware that your work location and screen could expose members of your household to personal, private, or sensitive information. You need to be certain that no one except for authorized University personnel has access to or can view this data. 

• If you take a photo of your office home setup for any reason (e.g. social media), be certain that you do not have screens open with University private or restricted data on them.

Family and Guests

• Do not permit others to use your University mobile device or computer (e.g. family members or friends). Your University device is for business purposes.
• Do not leave your University mobile device (e.g. laptop, smartphone, tablet etc.) unsecured.
• Lock your personal computer or device when unattended during the time that you are working remotely. 

Policies

• Complete your required Annual Security Awareness Training. It is not only required of all employees and affiliates, it also includes valuable security awareness knowledge that can be used to safeguard you and your family. (https://training.knowbe4.com/)
• Remember our information technology and security policies as they still apply while working remotely. (https://www.fredonia.edu/about/offices/information-technology-services/policies)

Please contact the ITS Service Center through email at ITS.ServiceCenter@fredonia.edu, or by phone at (716) 673-3407 if you need any assistance or to report an information security incident.

Have a question? Check answers.fredonia.edu for more information!