The Remote Worker’s Guide to Privacy and Security
Safety threats can be unfamiliar and come from all angles when you’re working remotely.
You may assume that in the office, the necessary online security protocols are already in place, as long as you avoid clicking on suspicious email links. You may be right--but working remotely is a completely different animal, and security is often up to you. Cyber attacks on your devices or attempts to steal your personal information can come from unexpected places--especially if you are in a novel environment, such as a foreign country.
As more than 40% of Americans say they spend at least part of the time working remotely, security concerns are more pressing than ever. In this guide, we’ll give you the rundown on the steps to take to ensure that you are protected as a remote worker: essential privacy tips, how to safely deal with remote employers/employees, what to do if you *suspect* that a cyber criminal has accessed your personal info, and a FAQ section.
While there’s no guarantee that you’ll come under attack on the internet, it’s best to be prepared for everything.
Fundamental Online Safety Tips for the Remote Worker
Use a VPN
If you work anywhere using a shared wifi network--and even if you work from home--using a VPN is integral to online security. Since remote workers are more likely to be on their laptops in coffee shops and other places with public wifi networks, logging on to the VPN before you get working is as obligatory as pressing the power button.
Here’s a quick list of the benefits of using a VPN with regard to online security:
- Remain anonymous. When working through a VPN, you are granted a provisional IP address and nobody can know your actual location. You could be in a tea shop in Beijing accessing the internet by means of a server in Madrid.
- Access your files remotely. With a VPN you can access files from your home desktop without the fear of being watched.
- Bypass blocks and view restricted websites. Some businesses and even entire governments (e.g., China with Google and Twitter) place locks on certain websites and content. Your VPN allows you to bypass them with ease.
- Avoid bandwidth throttling. Sudden halts on your allotted bandwidth can be frustrating if you are racing to finish an assignment. Avoid them entirely through VPN use.
There are scores of VPNs available, and they aren’t all created equal. Check the resource guide below for some recommendations.
Protect your personal information, files, and data
Being a remote worker means that you likely use a lot of different apps and make quite a few online transactions, so taking precautions to protect your personal data and privacy is uniquely pressing.
- Perform all transactions on a secure, password-protected network. Even if you are using a VPN, it’s better safe than sorry. Never send money over the internet using a public or shared network: save such transactions for when you can be sure nobody can see your activity.
- Use different passwords for every account. If--somehow--a hacker were to get ahold of the password to your email or Facebook account, the first thing they’d do is try to use it for the rest of your accounts. Prevent this by using unique passwords for everything. Of course, it can be difficult to remember so many passwords, which is why it’s a good idea to use a password manager such as LastPass or Dashlane to help you do this.
- Use chat apps with strong encryption. Apps like WhatsApp and Signal have extra security that prevents people from spying on your conversations.
- Log off when you’re done. Always log out of every online account when you’ve finished using them.
- Be aware of your social media privacy settings. It can be a hassle to read through those epic privacy agreements, but get the gist of them and only enable what you prefer to be shared, i.e., as little as possible.
- Encrypt your data. Doing this means that even if a hacker were to somehow get access to some of your data, they wouldn’t be able to read it without the encryption key.
Recognize phishing emails
One of the biggest threats to the remote worker is phishing emails: scam emails hoping to get you to send over your personal information. Here’s how to recognize and avoid them:
- Poor grammar and syntax. Phishing emails are often written by criminals for whom English is not a first language. Poor wording or numerous misspellings are a dead giveaway.
- Vagueness. If the subject of the email or any attachments are suspiciously nonspecific and don’t reference any project you are working on, leave them alone.
- Recognizable email address but weird content. It’s easy for a phisher to fake the email address of someone you’re already in contact with. If the message seems out of character and asks for your personal info or for you to click a strange link, then it’s probably a phishing attack. As a remote worker, you may not have met many of your professional contacts in person, but a little intuition and noticing other tell-tale signs should help.
Secure your phone and tablets
When it comes to hackers, not only is your laptop at risk, but your smartphone and tablet as well. Follow these tips to secure them.
- Switch off Bluetooth. Some hackers use malware to attack Bluetooth-compatible devices, so turn off the function if you aren’t using it.
- Double check which permissions you give apps. It pays not to allow all apps the default permissions they request; sometimes they are more invasive than you’d care for.
- Disable push notifications. Some apps--like health monitoring apps--will share private data within push notifications. If you don’t want that info popping up on your screen, disable push notifications for those apps.
- Update ASAP. Even minor updates to operating systems and apps may contain vital security enhancements that deal with the latest malware and viruses. Always update to the latest software as soon as you can.
- Password protect your devices. Lock your phone with a six-digit PIN, or use Touch ID to keep others out. Two-factor authentication is best.
Safeguard your personal items while on the go
Many remote workers are also cyber nomads, meaning that in addition to working out-of-office, you may also be working in a faraway country where pickpockets and other scammers pose a threat. Not only is your data at risk, but your possessions, as well. Follow these tips to safeguard against thieves:
- Use a travel-safe, anti-theft backpack or bag. Travel-safe bags are padded, lockable and contain inner pockets to protect against slashing and other forms of theft.
- Never let go of your valuables. If you are on a bus, in a taxi, or just working at a coffee shop: don’t store your stuff in a compartment or at your feet.
- Keep USBs, credit cards, etc. in a money belt (along with your money). It sucks to lose money, but it might be worse to lose valuable data or information stored in a flash drive, so protect them as you protect cash and payment cards.
- Be on guard at all times. Don’t talk to suspicious strangers or fall for common scams where one thief distracts you while another runs off with your valuables.
Prevent remote access to your computer
Remote workers will often use a remote desktop setup to do work or access files on a host computer back home. If you use this configuration, limit the users allowed to connect remotely in settings, or even restrict all but a few chosen IP addresses from connecting. You can also limit the number of password attempts before a user is locked out.
How to Practice Online Security in Shared Working Spaces
Remote work often means sharing a co-working space or public area with other people you don’t know or entirely trust. These handy tips will ensure peace of mind in such a scenario.
- Use that VPN. It’s been said, but using a VPN in a shared workspace is essential to online security.
- Enable your operating system’s firewall. Certain apps will automatically connect to other people’s devices if you don’t. Here is how to turn on your Windows 10 firewall.
- Lock your computer. In a shared working space that feels like your office, you *may* feel comfortable leaving your computer to go to the bathroom or get some water. If so, lock your computer so nobody can go on and view your files and personal information.
- Be cautious when printing. When over 20 people are sharing the same printer, documents get mixed up and can end up in the wrong hands. If you print, guard over the printer like a hawk until you’re sure you have all your papers in hand.
- Consider using a monitor privacy screen, like these from 3M, to keep others from peering over your shoulder at your personal information.
- Don’t forget your USB. Leaving a USB in a shared computer: we’ve all done it. However, the circumstances can be different in a space filled with strangers. Take extra care to pack all of your stuff and log off from all of your accounts before leaving a shared workspace.
- Don’t write things down on post-it notes. Scribbled passwords or phone numbers on post-its are easy to disregard, leaving room for others to pick them up later.
Online Security Precautions in Remote Work
Establish privacy guidelines with employers
Before you agree to do work for a company remotely, there are privacy concerns you should address.
- Agree to set “on-call” times. Getting calls/emails at inappropriate times can be seen as an invasion of privacy. Make sure you and your employer agree on appropriate times when you will be reachable for work-related stuff, that way you won’t get an “urgent” phone call during off-hours.
- Make sure you know what your work is being used for. Avoid an embarrassing situation where your contract work is used for a very different project than you originally thought.
- Don’t share more info than necessary. Your employer might need certain information, like your social security number, for tax purposes, but they don’t need your social media passwords or checking account number.
- Use secure apps for work-related messaging. Your employer should be using Slack, Asana or Troop Messenger--not Facebook Messenger--for work-related posts and assignments. These apps have strong security and are explicitly made for professional use--unlike casual chat apps. Be familiar with which users are able to view your posts, as well. Messages sent on Facebook Messenger are unencrypted (although they do have a “secret conversation” option that can be switched on, offering end-to-end encryption), and can be read by Facebook. With all of the recent scandals plaguing the tech juggernaut, better safe than sorry.
- If you accept work through Upwork, don’t agree to payment outside of the service. Receiving or sending payment through Upwork is secure, but when a client wishes to send you payment via other means, it’s a huge red flag and possible scam.
- Know who can view your Dropbox and Google Drive uploads. Data stored on these cloud platforms is generally very safe, using heavy encryption on stored data to ward off hackers. Yet, your employer may have allowed untrustworthy employees access to the same folders you are uploading to. Be familiar with everyone shared on the folder to avoid the theft of your work, or personal info.
- Avoid dodgy online invoicing software. Use a platform with a good reputation like Freshbooks rather than dodgy, *free* invoicing sites and PDF converters that pop up on the third page of a Google search, as they may not comply with PCI security standards or use adequate encryption in storing your data.
Privacy and remote employees
Many of the same guidelines for accepting remote work also go for those giving it out, with a few additional rules to follow.
- Inform workers of your security expectations. Your employee may have a more laissez-faire attitude than you do regarding online security. Make sure they are educated on what you expect of them. Many companies have strict policies in place regarding their telecommuting employees, requiring them to clock in using a time clock app like TSheets that also includes a GPS function to see where your employee is at any given time. If this sounds like a necessary step for you, then go for it.
- Provide the employee with a secure work computer. If possible, have employees only work through a laptop set up as you see fit, with the latest software updates and antivirus software. Obviously, if your employee is on another continent, this may not be convenient, but for those who have employees telecommuting from a home not far from the office, having them work on devices that are verified to be secure is optimal.
- Ensure that remote employees work through a secure connection. If an employee doesn’t use a secure, password-protected network when accessing company accounts and drives, he or she is jeopardizing your data along with their own.
- Instruct your employees to use unique, 8-character-plus passwords when signing into work accounts. The perils of reusing passwords cannot be stressed enough! A weak password is one of the main ways hackers gain access to a multitude of accounts. Keep them informed on login and logout protocol, as well. The 2012 Dropbox breach is an example of an employee not having a strong enough password in place.
- Let it be known that company property is company property. Make it clear in the contract that employees may not repurpose work done for the company in other ways.
Privacy in video calls
Skype is generally safe, but there are always risks when remote workers engage in video conferences over the internet. These tips will keep you safer.
- Use up-to-date hardware. Older video call setups are more at risk of security threats. Don’t let your video solution get too long-in-the-tooth.
- Make sure the video conferencing software uses encryption. 128-bit Advanced Encryption Standard (AES) protection is necessary, at the very least. Skype uses 256-bit encryption.
- Keep your camera and microphone switched off when you aren’t in a video conference. Better to control everything that comes out of your end.
- Ask in advance whether the call will be recorded or not. You don’t want to find out later that an employer has hours of recorded audio and video of you.
- Have a policy in place with employers or employees. Certain sensitive information should never be discussed on any video call platform.
What to Do in Case of a Data Breach
If your data or account(s) have been compromised, it’s not the end of the world. Follow these steps to avert a crisis.
- Figure out what was stolen or accessed. Perform an assessment to figure out what was taken: phone numbers are not a huge deal, but credit card information is.
- Change your passwords. It’ll be a hassle to go through and create novel passwords for every account or service all over again, but it’s more than necessary.
- Inform all those affected. If you believe that others’ private information or company property was accessed, let the necessary parties know. This will be difficult, but it’s your obligation.
- Contact banks, credit card companies, and credit-reporting bureaus. Even if the hackers didn’t necessarily obtain your bank account info, it’s good to inform your bank of the possible breach so they can look out for suspicious activity.
- Follow this guide, so it doesn’t happen again.
Remote Work Privacy and Security FAQs
Does sharing confidential information via Box, Dropbox or Google Drive prevent stuff from being leaked?
These services use high-end, 256-bit encryption and two-factor identification for internal systems, rendering them highly secure and nigh-impossible to hack. However, we advise that you still refrain from uploading confidential information to them--or any cloud storage service--as nobody can guarantee 100% security.
Dropbox experienced a rather public breach in 2012 when hackers gained access to an employee’s password through a prior LinkedIn breach and used it to obtain user email addresses and passwords. Fortunately, the hackers were unable to crack the hash-protected passwords.
The principal way that your confidential files and information could be accessed and misused is by people with shady motives who have been granted legitimate access to the company drive or folder. Generally it’s unwise to upload a document with your social security number--or other personal information--to Google Drive or Dropbox, as you can never be certain who has the keys to the company folder. Use file hosting services for assignments and projects only.
Is my tax information safe if I upload it to Google Drive, or Dropbox?
As in the previous question, the chances of these services being hacked are very small, but if it’s not your personal drive, don’t do it. You just can’t vet everyone with access to company cloud storage. As a remote worker, if your employer needs your filled-out W-9, send it as an email attachment.
Are online invoicing platforms secure?
Yes. Reputable online invoice sites like Freshbooks and Due protect your information with state-of-the-art encryption and Cisco firewalls. Due is fully compliant with PCI security standards, while Freshbooks uses PCI-compliant partners to store credit card data. Again, your invoice material is stored in the cloud, and if that makes you nervous--regardless of the heavy security employed--keep files offline or send invoices through the mail.
Should I be concerned about the security of my remote desktop setup?
Using a remote desktop can be very safe if you set it up correctly: always download and install the latest Windows updates, enable Network Level Authentication and set a strong, unique password for your administrator account.
To enable high-level encryption:
- Open Group Policy.
- Go into Computer Configuration: Administrative Templates: Windows Components: Terminal Services: Encryption and Security and click “Set client connection encryption level”.
- Set the encryption level to “High”.
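The Remote Desktop settings from this answer and from the “Prevent remote access to your computer” section can also be checked from an elevated PowerShell prompt. The script below is an added example, not part of the original guide; the allowed address 203.0.113.10, the lockout threshold of 5 and the `-Apply` switch are assumptions, and it assumes an English-language Windows install where the firewall rule group is named “Remote Desktop”.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original guide): audit, and with -Apply enforce,
# the Remote Desktop settings described above.
param(
    # Assumption: the only addresses allowed to reach RDP (placeholder taken
    # from the 203.0.113.0/24 documentation range).
    [string[]]$AllowedAddresses = @('203.0.113.10'),
    # Assumption: failed logons tolerated before the account is locked out.
    [int]$LockoutThreshold = 5,
    [switch]$Apply
)

# Registry location written by the Remote Desktop Group Policy settings.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$desired = [ordered]@{
    UserAuthentication = 1   # 1 = require Network Level Authentication
    MinEncryptionLevel = 3   # 3 = "High" client connection encryption level
}

foreach ($name in $desired.Keys) {
    $current = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    $ok = $current -eq $desired[$name]
    Write-Output ("{0,-20} current={1,-6} wanted={2} ok={3}" -f $name, $current, $desired[$name], $ok)
    if ($Apply -and -not $ok) {
        # Create the key only when it is missing so existing values survive.
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        New-ItemProperty -Path $policyKey -Name $name -Value $desired[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

# Inbound Remote Desktop firewall rules: show who may connect, then narrow
# the rule to the chosen addresses.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
foreach ($rule in $rules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    Write-Output ("{0,-45} RemoteAddress={1}" -f $rule.DisplayName, $remote)
    if ($Apply) { $rule | Set-NetFirewallRule -RemoteAddress $AllowedAddresses }
}

# Accounts allowed to log on over Remote Desktop (S-1-5-32-555 is the
# built-in "Remote Desktop Users" group; administrators are allowed as well).
Get-LocalGroupMember -SID 'S-1-5-32-555' | Select-Object Name, ObjectClass

# Lock an account after repeated failed password attempts, then show the
# resulting account policy.
if ($Apply) { net accounts "/lockoutthreshold:$LockoutThreshold" | Out-Null }
net accounts
```

Run it without `-Apply` first to review the current state before changing anything.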
Can bosses see everything that I write on Slack?
Mashable explains that while direct messages are only visible and searchable between those included in the conversation, companies using Slack’s Plus plan can file a compliance report to open up the archive of all messages sent, including those from “private channels and direct messages.” So, when in doubt, don’t say anything in a Slack DM that you wouldn’t be comfortable saying directly to your boss.
To see if your company has the Compliance Exports feature enabled, type in “https://[insert your team name here].slack.com/account/team” and scroll down to the bottom to check.
How secure are video messaging services?
The big ones are very secure, and privacy issues usually result from user carelessness, such as forgetting to disable a webcam or microphone. Again, using a strong, unique password is crucial to your security.
How can remote workers in industries such as health care and tax service--where confidentiality is of utmost importance--be assured that their work is being done securely?
Remote work is less common in industries like healthcare where patient confidentiality is paramount. According to advisory.com, healthcare leaders like the Mayo Clinic and Moffitt Cancer Center that do allow some employees to telecommute set strict rules in order for them to do so. They both require workers to undergo a probationary period to see if the situation is working out, and mandate that employees send photos of their home offices. If employees wish to move their office, they have to notify their company. Neither company allows workers to print documents at home.
How does remote worker security vary between industries?
Remote work is a broad term: it can mean clocking in from a home office a couple miles away from an employer, or from a coffee shop halfway across the world. As mentioned above, industries where secure transfer of data is extremely important have very stringent guidelines about where and how their employees telecommute, while in other fields, such as writing or graphic design, the restrictions are naturally looser.
How does remote worker security vary from region-to-region? Country-to-country?
Generally, the security safeguards that a remote worker has in place, i.e., a VPN, strong passwords, etc., should remain the same no matter which country they sign in from. Though countries like China have stronger controls on internet access and even spy on native internet users, they mostly turn a blind eye to foreigners using VPNs, and won’t care about the work you are doing--unless you are trying to sabotage the government in some way.
Resource Guide: Tools to Boost Remote Worker Security
A variety of software and services are available to enhance your remote working security solution. Here are some of the essentials:
- ExpressVPN - Industry standard VPN with over 1700 servers in 148 locations, great customer support, and affordable prices. Security features include 256-bit encryption and DNS leak protection.
- StrongVPN - Offers five simultaneous connections so you can use all of your devices, and never makes logs of your activity.
- NordVPN - Boasts over 3500 servers, high upload and download speeds, and a 3-day free trial.
- LastPass - Remembers all your passwords for you--forever--and you only need to keep track of your uber-strong master password. Local-only encryption ensures that your data can’t even be viewed from the LastPass servers.
- Dashlane - Available for free, Dashlane sends you instant security alerts in the case of unauthorized entry into any of your accounts.
Data encryption tools
- BitLocker - Included with higher-end versions of Windows, BitLocker allows you to encrypt your whole hard disk with 256-bit encryption and access it with a PIN.
- Folder Lock - Includes a variety of encryption tools and features, like the ability to lock files and folders, and create online backups.
- CertainSafe Digital Safety Deposit Box - A cloud storage platform that is at the top of the industry in terms of encryption and security.