These days many companies are asking their workers to work remotely. Working remotely can introduce a few new security concerns, especially for people who aren’t accustomed to working away from the office.
Here are some tips on how you can work from home (WFH) more securely.
Pick a good workspace
There’s a lot of good advice out there about picking a space that’s ergonomically comfortable, and where you can minimize distraction, but there are some security considerations as well.
Pick a space that’s private. If you’re working at home this may be easier than if you’re working at a coffee shop or library. Select a place where people can’t “shoulder surf”, that is, look over your shoulder at what’s on your screen.
Tip: Be aware of having your back to doors or windows where strangers could peer in.
If you can't find a private place to work, consider getting a privacy filter. This is a shield, of sorts, that attaches to your screen and makes it difficult to read what's on your screen unless you're right in front of it.
If you’re having conference calls or video meetings, be aware of whether other people might be able to eavesdrop, even inadvertently. Even if (sometimes especially if) you’re wearing headphones, other people may still be able to hear your voice when you speak. Make sure you're using video meeting software with advanced security features, such as Microsoft Teams.
Don’t allow family members to use your work devices. If you have to walk away from your device to go to the kitchen or bathroom, lock your device to prevent others from seeing what you’re working on. Press Windows logo key + L on a Windows device, or Control + Command + Q on a Mac, to quickly lock your screen. When you return, you’ll have to do a quick sign-in, and everything should be right where you left it.
Only use encrypted Wi-Fi for business. Wi-Fi encrypted with WPA2 is more secure than Wi-Fi that is open for all to access. If you’re working from home, make sure your home Wi-Fi network is secured – all home routers support encryption.
If you need to access resources, such as servers, that live at your company’s location, use a VPN (Virtual Private Network) to connect to your office network. A VPN creates an encrypted tunnel for your network traffic to flow through and makes it harder for others to intercept your traffic. If you aren't sure if your company offers a VPN, or how to connect to it, check with your IT support person. Learn how to Connect to a VPN in Windows.
Tip: Even if you're not connecting to company resources, using a VPN for your internet activity can be more secure.
Keep your data secure
If someone else gets access to your device or it is stolen, there are some things you can do to help reduce the data they can get.
Use strong authentication, such as Windows Hello, to access your device: a PIN, fingerprint, or facial recognition, if your device supports that.
Use multi-factor authentication (MFA) to access any cloud-based resources. MFA utilizes multiple “factors”, such as a PIN sent to your mobile device and a password, or a PIN and a facial or fingerprint scan, in order to authenticate you. Usually you only need to use the multiple factors the first time you sign in from a specific device. MFA makes it much harder for others to sign in as you.
Tip: Most online services, like banks or social networks, also support MFA. You should enable it on those services too, for increased peace of mind.
Now is a good time to think about the passwords you use. If you’re using simple passwords like “lovely” or “password1” it’s a good time to upgrade them to more secure passwords. Length is more important than complexity, though both have a role. Your password should be at least 12 characters long, and not an English word or your dog’s name. Consider using a phrase like a favorite song lyric, movie quote, or poem to create a password that’s long and complex but easy to remember.
Make sure local drive encryption, such as BitLocker, is enabled. That way if your device is lost or stolen any local data will be difficult to access.
Make sure your device is up-to-date on security updates and that you have an antimalware program, like Microsoft Defender Antivirus, actively running.
Use a modern browser, like Microsoft Edge, and make sure you're running the latest version.
Store your files in a secure cloud location rather than on a local drive or removable media. Secure cloud storage, such as SharePoint or OneDrive for work or school, means that even if your physical device is lost or stolen, your data is still available to you and your company. SharePoint and OneDrive also make it easier to recover your data if you get infected with ransomware.
Whenever possible use the web version of your apps, such as Word, Outlook, or Excel. Another benefit to storing your files in a secure cloud location is that when you use the web version of apps your data stays on the server and isn’t downloaded to your local device.
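One way to check the BitLocker, antimalware, and security update tips above on a Windows device, as an added PowerShell example that is not part of the original article. The variable names and the 3-day and 35-day thresholds are assumptions chosen for illustration.

```powershell
# Added example: checks this device against the BitLocker, Defender and update tips.
# Run from an elevated PowerShell session; Get-BitLockerVolume requires admin rights.
# Thresholds are illustrative assumptions, not vendor guidance.
$maxSignatureAgeDays = 3
$maxDaysSinceUpdate  = 35
$findings = @()

# 1. Drive encryption: the system volume should report ProtectionStatus 'On'.
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "BitLocker: protection is $($vol.ProtectionStatus), volume is $($vol.VolumeStatus)"
    }
} catch {
    $findings += "BitLocker: cannot query $env:SystemDrive (not elevated, or BitLocker not available)"
}

# 2. Antimalware: Defender enabled, real-time protection on, signatures fresh.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AntivirusEnabled)          { $findings += 'Defender: antivirus is disabled' }
    if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Defender: real-time protection is off' }
    if ($mp.AntivirusSignatureAge -gt $maxSignatureAgeDays) {
        $findings += "Defender: signatures are $($mp.AntivirusSignatureAge) days old"
    }
} catch {
    $findings += 'Defender: status unavailable (another antimalware product may be in use)'
}

# 3. Security updates: date of the newest installed hotfix. This is a rough
#    indicator only; Get-HotFix does not list every kind of update.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest) {
    $findings += 'Updates: no installed hotfix with a date was found'
} elseif (((Get-Date) - $latest.InstalledOn).Days -gt $maxDaysSinceUpdate) {
    $findings += "Updates: newest hotfix $($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString())"
}

# Report: an empty list means every check passed.
if ($findings.Count -eq 0) {
    Write-Output 'OK: drive encryption, antimalware and updates look healthy.'
} else {
    $findings | ForEach-Object { Write-Output "ATTENTION: $_" }
    Write-Output 'Report these items to your IT support person.'
}
```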
Keep in touch
Stay in touch with your company while you’re working remotely. Your IT department may have special requests or make new tools available to you. If you suspect that your device or your data has been compromised in any way, notify your IT people immediately so they can investigate and take steps to prevent unnecessary damage.
Now, more than ever, resist the temptation to use unapproved tools or store data outside of company resources. If you need something you don’t have in order to get your job done, ask your IT department or escalate through your management. It’s entirely possible that you’ll discover systems that don’t work well when you’re not at the office. Now is the perfect time to let IT know so you can work through those issues together.
Be alert for phishing emails or phone calls. Criminals try to take advantage of fear and uncertainty by sending email that appears to be from authorities, or company officers, in an attempt to lure you into clicking on malicious links, or providing your private information.
Never click an attachment you weren’t expecting, even if it appears to be from somebody you know. It’s always best to check back with that person to make sure the attachment is legitimate before you open it.
If you get an email asking you to sign into a site, open a new tab in your browser and type the URL in yourself (or access it via a trusted bookmark) rather than clicking a link in the email.
If you get an unexpected phone call from somebody you don't recognize claiming to be from your company's tech support, get their name, then hang up and call your company's tech support directly. If you get an unexpected phone call from somebody claiming to be from Microsoft support you should hang up immediately. Microsoft support never calls customers directly unless you've reached out to us to ask for support.