ITS Information Security Guidelines for Remote Work

Why Working Remotely is Different

Working at home presents unique challenges for information security because remote work environments don't usually have the same level of safeguards as the CSUCI environment. When CSUCI faculty and staff are on the CSUCI campus, they are working behind layers of preventive security controls. While not 100% bulletproof, these controls make it harder to make a security mistake while in the CSUCI environment. However, when computers leave the CSUCI protected perimeter and faculty and staff work remotely, new risks arise and additional protections are essential.

Threats to Working Remotely

Unsecured Wi-Fi networks: Not everyone has a secure home network with strong firewalls. Public Wi-Fi networks, such as those in coffee shops, are also unsafe for conducting business. Unsecured public Wi-Fi networks are prime spots for malicious parties to spy on internet traffic and collect confidential information.

Using personal devices and networks: Many faculty and staff will be forced to use personal devices and home networks for work tasks. These home computers can lack the safeguards built into business networks, such as anti-virus, firewalls, and backup tools. This increases the risk of malware finding its way onto devices and of both personal and work-related information being breached.

Scams targeting remote workers: Hackers have been known to target remote workers' computers because they are aware of the lowered security measures.

Security Musts When Working Remotely

These are some additional precautions that must be taken by employees when working remotely.

Never use public Wi-Fi

Public Wi-Fi introduces significant security risk and must be avoided. Instead of public Wi-Fi, use a CSUCI or personal hotspot from a dedicated device or your phone. Use eduroam to connect to Wi-Fi if visiting participating campuses and institutions worldwide (map of eduroam partner institutions). Connect using your CSUCI credentials.

Secure Your Home Wi-Fi

Change your home router password. Make sure firmware updates are installed so that security vulnerabilities can be patched. The encryption on your router should be set to WPA2 or WPA3. Make sure your Wi-Fi has a strong password. Restrict inbound and outbound traffic, use the highest level of encryption available, and switch off WPS.

Use a CSUCI Maintained Laptop

CSUCI techs ensure your workstation and laptop have anti-malware, encrypted drives, licensed software and the latest patches. Your home computer likely does not. If you have a CSUCI laptop, use it at home for work. Your home computer introduces risk to CSUCI’s data. Users of Level 1 data must use a CSUCI maintained device when accessing Level 1 data.

Use CSUCI VPN with Two-Factor Authentication (2FA)

CSUCI VPN encrypts and tunnels all of your internet traffic, so that it is unreadable to anyone who intercepts it. This keeps it away from the prying eyes of any hackers and your Internet Service Provider (ISP). CSUCI VPN protects your data and password. Use VPN even if you are checking your email, accessing CI Records or storing a file on Dropbox. You will be prompted by CSUCI’s 2FA when accessing VPN as an additional security measure.

Keep Work Data on Work Computers or CSUCI Approved Storage

If you don’t have a CSUCI laptop or workstation at home, the next best thing is to access your CSUCI workstation remotely. While certain remote access tools have security vulnerabilities, using the CSUCI VPN with 2FA will mitigate those issues. CSUCI also has several virtual workstation options available. Contact your tech or ITS to see if this option is available to you. Do not store CSUCI files on your home computer. Use your work computer or Dropbox to store your CSUCI files.

Do Not Share Your Device

If you are working from home and are forced to use your personal device, make sure you are the only one using your device. CSUCI data cannot be shared with family members, including your spouse. Allowing others to use a device that is being used to access CSUCI data violates CSUCI policy by potentially sharing it with persons who have no right to see CSUCI data.

Patch All of Your Software

Updates to device software and other applications can sometimes take a long time. But they really are important. Updates often include patches for security vulnerabilities that have been uncovered since the last iteration of the software was released. Patch your home computer.

Set up the firewall on your computer

Firewalls act as a line of defense to prevent threats from entering your system. The firewall creates a barrier between your device and the internet by closing ports to communication. This can help prevent malicious programs from entering and can stop data leaking from your device. Your device’s operating system will typically have a built-in firewall. Turn it on.

For Windows: Windows Defender Firewall
For Macs: macOS Firewall

Use antivirus software

Although a firewall can help, it’s inevitable that threats get through. Good antivirus software can act as the next line of defense by detecting and blocking known viruses or malware. Even if a virus or malware does manage to find its way onto your device, an antivirus may be able to detect and, in some cases, remove it.

Use anti-virus/anti-malware software to scan portable storage devices, e.g., USB drives or external hard drives, when you first plug them in (Malwarebytes Anti-Exploit is loaded on all CSUCI issued computers).

Turn on antivirus and keep it up to date.

Download Malwarebytes for free here.

Never Leave Your Devices or Laptop in the Car

Never leave your work computers or devices in a vehicle. It’s a best practice to keep work laptops and devices on your person at all times. The trunk of your car is not any safer. There may be criminals watching the parking lot from afar, waiting for their next victim. Putting valuables in the trunk may make life a little bit easier in the short term, but why take that chance?

If a device containing CSUCI information is lost, stolen, or compromised, report the incident to the appropriate delegated authority.

Look out for phishing emails and sites

Phishing emails, as well as voicemails (vishing) and text messages (smishing), are used by cybercriminals to “phish” for information. This information is usually used in further schemes such as spear phishing campaigns (targeted phishing attacks) and account takeover fraud.

There are plenty of cybercriminals looking to cash in on the Coronavirus crisis. To spot a phishing email, check the sender’s email address for spelling errors and look for poor grammar in the subject line and email body. Hover over links to see the URL and don’t click links or attachments unless you trust the sender 100 percent. If in any doubt, send the email to infosec@csuci.edu and we will check it out. If you do click a link and end up on a legitimate-looking site, be sure to check its credibility before entering any information. Common signs of a phishing site include lack of an HTTPS padlock symbol (although phishing sites increasingly have SSL certificates), misspelled domain names, poor spelling and grammar, lack of an “about” page, and missing contact information.

Never send Level 1 information (confidential data) in an email message and be on alert for phishing scams. Report any suspicious emails by emailing infosec@csuci.edu.

Details

Article ID: 101222
Created: Fri 3/13/20 12:15 PM
Modified: Tue 3/17/20 8:16 AM