By Drew Fox Jordan • August 31, 2021

    The 13 Cybersecurity Sins Of Working From Home

    The last year and a half has changed the way we approach work, and with many of us working from home for a majority of that time, we developed a number of habits that were entirely new to our daily lives. Because working from home was a new experience for so many people, cybersecurity was not something that employees were thinking about as they transitioned out of the office.

    Luckily, it's not too late to identify which behaviors may be putting your organization's data at risk. Here are 13 things you shouldn’t do, from a cybersecurity perspective, when working remotely:

    1. Don’t send company data to your personal email accounts.

    As many organizations have had to adopt new tools and systems like VPNs and cloud storage on the fly, some fundraisers may have had to resort to sending donor data to their personal email accounts in order to continue doing their job.

    We understand that doing so may have been viewed as the “only option”, but it’s important to note that this is not wise from a security perspective. While we have covered data exfiltration on email in the past, the short-and-sweet version is this: Personal email accounts are less secure and more likely to be compromised than work email accounts.

    2. Don’t share Zoom links or Meeting IDs.

    Zoom – like so many other remote-working tools – is enabling workforces around the world to continue collaborating despite being out-of-office. But there are precautions you must take in order to prevent attackers from infiltrating your calls.

    While there are plenty of lists circulating with top tips around using Zoom, the most important piece of advice we can offer is to not share your Zoom Meeting ID (or link) with anyone you don’t work with directly or otherwise trust.

    Importantly, this Meeting ID appears at the top of your conference window, which means that if you share a screenshot of your call, anyone who sees the screenshot can join that meeting. If you want to be proactive in locking down your Zoom calls, you should also ensure all of your meetings require a password to join.

    3. Don’t ignore warnings from IT and security teams or other authoritative sources. 

    Since the outbreak of COVID-19, we’ve seen a spike in phishing attacks. Why? Because hackers tend to take advantage of emergencies, times of general uncertainty, and key calendar moments. IT and security teams and even organizations like the FBI have been working hard to communicate these threats and how to avoid them.

    But – importantly – these warnings are useless unless employees heed the advice. 

    Whether it’s an email outlining how to spot a phishing email or an announcement from your manager about updating iOS, employees should take warnings seriously and take action immediately.

    4. Don’t work off of personal devices. 

    While it may seem harmless, using your personal devices – whether it’s a laptop, desktop computer, mobile device, or tablet – for work-related activities creates big security risks. To start, your personal devices won’t be configured with the same security software as your work device. 

    Whether it’s the protection offered by a simple firewall or antivirus software, you and your data are more secure when working on company-sanctioned devices.

    5. Don’t action email requests without double-checking their legitimacy. 

    Phishing and other social engineering attacks are designed with one of three goals: to extract sensitive information or credentials, to install malware onto a network, or to initiate a wire transfer. To avoid falling victim to one of these scams and potentially actioning a request that isn’t legitimate, make sure you double-check that the person making the request is who they say they are.

    For example, if your CEO asks you to change an account number on an invoice, contact him or her directly – via phone call, text, Slack, or a separate email – before doing so. Likewise, if someone in HR asks you to share any credentials or other personal information, get in touch with them via phone or a separate email thread before responding. 

    6. Don’t use weak passwords. 

    Many organizations have strict password policies, including the enforcement of multi-factor authentication. It makes sense. If a bad actor gained access to your applications – whether it’s your email account or collaboration tools – they’ll have free rein over your most sensitive systems and data. 

    If your organization doesn’t have any policies in place, our advice is to use 6-digit PINs or complex swipe codes on mobile devices and strong passwords that utilize numbers, letters, and characters for laptops and other log-ins. 

    7. Don’t lose touch with your IT or security teams. 

    Communication – especially during periods of transition and disruption – is key.

    If you’re unsure about any security policies or procedures, how to use your personal device securely, or if you believe your device or network has been compromised in any way, don’t be afraid to communicate with your IT and security teams. That’s what they’re there for. Moreover, the more information they have and the sooner they have it, the better equipped they are to keep you and your devices protected. 

    8. Don’t use public Wi-Fi or mobile hotspots. 

    With work now largely digital, most of us rely on internet access to do our jobs. Unfortunately, we can’t safely connect to just any network.

    The open nature of public Wi-Fi means your laptop or other devices could be accessible to opportunistic hackers. Likewise, if a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network.

    For that reason, you should only use networks you’re absolutely confident are secure.

    9. Don’t download new tools or software without approval. 

    IT and security teams have processes in place that help them identify which applications are and aren’t in compliance with their data and privacy protection criteria. That means that if they haven’t approved the use of a certain tool, it probably isn’t safe in their opinion.

    Even if a certain tool makes your job easier to do, you shouldn’t download – or even use – tools or software without express permission to use them. Whether it’s a design, writing, or project management tool, you must communicate with your in-house teams before clicking “download”. 

    10. Don’t leave work devices or documents in plain sight. 

    Your devices are gateways to sensitive information. While we’ve already covered the importance of password-protecting these devices, preventing them from being stolen is vital, too. 

    Avoid leaving laptops, tablets, mobile devices, and documents containing sensitive company or donor information in plain sight, such as near windows at home or on a passenger seat if traveling by car. This will help prevent opportunistic theft. 

    Any organization that has a remote-working policy in place should also provide employees with privacy screens for their laptops, and encourage employees to always work in positions that minimize line-of-sight views of their screens by others. This has the added benefit of showing donors or prospects that the organization takes security seriously.

    11. Don’t give hackers the information they need to execute social engineering attacks. 

    When planning a spear-phishing attack – a type of phishing attack that is targeted at a specific individual or small set of individuals – an attacker will try to gather as much open-source intelligence about their target as they can in order to make the email as believable as possible. 

    Don’t make it easier for them by sharing personal information in out-of-office (OOO) messages or on social media like LinkedIn. This includes phone numbers, alternative email addresses, travel plans, details about company structure and reporting lines, and other data points.

    12. Don’t be afraid to ask questions about security policies and procedures. 

    When working from home or otherwise outside of the office, you have much more autonomy. But that doesn’t mean you should disregard the processes and policies your organization has in place. And, part of following processes and policies is understanding them in the first place.

    IT and security teams are there to help you. If anything is unclear, send them an email, pick up the phone, or file a request. 

    13. Don’t forget the basics of security best practices.

    While we’ve offered plenty of advice that’s specific to remote working, following general security best practices will help prevent security incidents, too. Most employees receive annual security training or, at the very least, had some security training during their onboarding process. If you didn't, here are some of the basics:

    Don’t reuse passwords. Don’t share your passwords with anyone. Stay up-to-date on compliance standards and regulations specific to your industry. Report incidents of theft. Don’t share sensitive company information with people outside of your organization. 

    If any of the above are unclear, refer back to point #7. Ask your IT, security, or HR teams. Communication is key!
