This article offers a checklist about security and working from home during COVID-19. It is intended for two groups of people.
While many eLearning developers have been working from home from time to time over the years, many others have only ever developed eLearning and related apps from an office, on a desktop computer. As a result, some developers will already be aware of many of the guidelines and suggestions here. As you read this article, consider whether your current practice, setup, and corporate guidelines cover the situational awareness and security that are now elevated in importance.
Many employees will be working from home, including learning from home, for the first time. They probably have a mindset about online threats and security shaped by their consumer experience. Provide your organization’s employees with content, job or learning aids, and even training (if necessary) to cover essential details and corporate policy.
Why bother?
Most people, when online at home during the end of year holidays, never gave much thought to the possibility that their personal information or their privacy was at risk unless they got a warning from a credit card company or a bank. Even so, only one person in five ever received such warnings. Awareness was low. Scammers and thieves made fortunes. With the coronavirus outbreak, things have changed for the worse.
You can expect that hackers, scammers, and spoofers will be more active during this pandemic. They know many people are working from home, without the cybersecurity protection they would have when working from their offices. There is more opportunity to cause trouble and steal sensitive information.
That’s why this is a big deal.
The checklist
Here are some issues that you, as an instructional developer working from home, and the people who use the eLearning you create from their homes should keep in mind. As I suggested at the top of this article, this will seem really basic to most Learning Solutions readers, but it will be news to others, especially employees working from home for the first time.
Situational awareness
Let’s start with an attitude adjustment. In the military services, law enforcement, and among security professionals, situational awareness means being aware of your surroundings, identifying potential threats, and spotting dangerous situations. Why? Because there are people “out there” who want to harm you, take advantage of you, steal from you, or at the very least make you look foolish. There are no hard “right or wrong” rules about identifying these people; it’s just a mental frame through which you try to view the world.
Chris Willis, senior product manager, off-the-shelf courseware at eLearning Brothers, said in a recent interview, "We have a course in our curriculum called 'Think Like An Attacker.' Situational awareness is one of the things we talk about in it. When you leave your house, you check that the doors are locked and the windows are closed. When you leave your car, you hide your valuables and take your phone with you. You do those things because you are aware of the fact that there are people out there that want to take your valuables from you. When you're working from home, you have to think about access the same way. The data that you have is very valuable. And there are things that you're doing for your organization that are very valuable. Cyber criminals are trying to access those. Situational awareness is what cybersecurity is all about."
There is a strategy, known as social engineering, that serves as a tool for cybercriminals. This is the use of deception to manipulate people into revealing confidential or personal information that the bad actor can use for fraudulent purposes. Social engineering relies at least in part on the tacit assumptions that people make about other people and their reasons for doing certain things.
The social engineering bag of tricks includes several techniques, all of which rely on the victim’s tendency to assume that communication from strangers is honest. You probably know the names of these tricks:
- Phishing
- Spear Phishing (Here's an example specific to the COVID-19 pandemic.)
- Vishing
- Pretexting
If the way any of these works is unfamiliar, research it on Google. Make sure your employees know about them and about any protection they will still be getting (or no longer getting) at home through the employer’s web site, apps, and policies.
There is one basic rule for security online. That is: Expect trouble.
Now let’s look at some ways to stay out of trouble.
Basic security
Working from the office, our employers and the IT department did a lot to protect us in ways that meant we didn’t have to think too much about this. Working from home, the office support team may not have our back the way it once did. Each of us is now responsible to a greater degree than before for our personal security online and for organization security. As Willis said, "You might be working on a marketing project, you're tunneling in using VPN back to your company. It doesn't matter what you are working on, you are a target because you have a link back to your organization."
Everyone really should know about these measures already, but don’t assume that they do. Give your employees the actionable information (how to do them) that they need. Here are some more suggestions from Chris Willis and other cybersecurity experts.
- Change your passwords. Do not use the same password for multiple sites. Use a password manager; it will make life much easier.
- Make sure your home Wi-Fi is secure so your neighbors (or anyone else) are not using your router. Eighty percent of the US population is currently under stay-at-home guidelines, but just in case you are not: Do not use public, unsecured Wi-Fi. That's the Wi-Fi in coffee shops, stores, or transportation hubs (when the day comes back that you may be able to sit in a coffee shop or store or fly, take a bus, or a train). See the note below about VPN.
- Enable automatic updates to router, software, and operating system. This is an extension of the previous bullet. Work with your corporate IT to find out what to do.
- BYOD (Bring Your Own Device): This is not a new concern, but it is still relevant. Many organizations have a BYOD policy, and it should be/have been updated to cover working from home. If you are an independent eLearning producer, these are some things you should do for yourself. If you are a corporate employee, make sure that any of the next four items you may have installed or subscribed to meets your IT department’s guidelines or BYOD policy.
- Use software that will detect and defeat malware. This may include installing antivirus software as well.
- Depending on your IT department policy, you may need to install a file system defense or a backup such as Carbonite, which will enable restoring your software and files if you are the victim of ransomware.
- Use two-factor authentication. It takes a little longer to log on, but you’ll be glad you added it.
- VPN (Virtual Private Networks): You may have been on one from your corporate office. Your company may be providing VPN coverage for you from home for your corporate activity. You should also be using a VPN for your personal usage. Talk to your IT department about setting this up.