How to design a secure home office

Remote working has gone mainstream with large parts of the world, including the UK, now telecommuting. The data bears this out - for example, Microsoft saw users on their collaboration platform Teams generate 2.7 billion minutes of online meetings worldwide in a single day in early April, a new record and just under five times the amount generated just four weeks earlier.

About the author

Chris Lin is the Vice President of IT at Mozilla.

While it is incredibly important to stay connected and keep physically distant, there are serious privacy risks that need to be addressed. Working from home can increase the risk of unauthorized data transfers and sharing. The privacy of users can also suffer if suddenly many new unfamiliar tools have to be used to get the job done. This is compounded by the fact that home networks are rarely as well secured as corporate headquarters. 

As an organisation, Mozilla has been focusing on the aspects of security and privacy in the home office for quite some time. Even before the crisis, half of all Mozilla employees (and 69% in the UK) were working permanently from home. Employers need to help their employees establish a secure home office environment to mitigate risks for both the individuals as well as the company. 

When it comes to security, there are three core areas that should all be given equal attention in designing a home office - IT security, data security and connection security.

IT Security

Large and small companies alike often prohibit the use of private hardware for work, be it a computer or just a USB stick. In the home office, however, people can quickly stop adhering to these strict rules. Private computers and devices are also more at risk as they are unlikely to have the same level of security measures in place as work devices. The latter tend to be supervised by an IT professional who has the right expertise to identify good antivirus software and firewall systems and ensure regular updates.

Therefore, it’s best to use only the devices provided by employers, which the company’s IT department has secured in advance with common protection software. Business devices need to be protected in the home office - this means not using private USB sticks, not coupling the work device with other private devices (via Bluetooth, for example) and not surfing privately on dubious websites during lunch breaks.

It’s wise to be especially careful when checking private emails at this time as well. Criminals are increasingly phishing and trying to spread malware in inboxes, both work and personal. This also highlights the importance of keeping your working device up to date to protect against vulnerabilities - the browser and any other pre-installed software should always be kept current.

Making sure you are password savvy is also important. Weak passwords can be more easily guessed or cracked through brute force attacks on networks, and if work passwords are the same or similar to the ones used privately, that could prove catastrophic for your place of work.

As such, when setting up work accounts, it is highly recommended to use strong, work-context only passwords that are different from those used for private browsing and personal online life. Some of our specific tips on this can be found here.

Data security

Given that many of us will be accessing company resources from home at this time, one of the primary considerations for data security is where data is stored, especially as companies are expected to have access to their employees’ data at all times.

A strict separation of work and private computing devices, from laptops to smartphones and beyond, is therefore highly recommended. If it’s not possible, then data should be stored separately at the very least. Many companies already rely on secure cloud storage solutions such as Dropbox, Box, Onedrive or iCloud. For those, users must consistently observe the company's internal regulations, especially if they use a private device. Businesses should be encouraging users to take care when storing documents, and in particular not to store them on their private devices.

This also applies when transferring data to third parties, for example clients or service providers. Failure to use secure platforms such as professional email accounts, WeTransfer or Firefox Send can risk your data leaking into the wild and jeopardizing business continuity.

Connection security

Since working remotely means that people often have to exchange even more data with their colleagues than before, the way that data gets transferred is extremely important. Many companies use a business VPN, a virtual private network, for access to the internal company network, which stores all documents and programs. A VPN connection is particularly well protected against the interception of data - which is critical when working from home.

At home, people usually access the internet via their private home Wi-Fi. In most cases, this is not very well protected against attacks. While free networks (in cafés, train stations, etc.) are known for being very vulnerable to attacks if not secured by a VPN, the home Wi-Fi is also a weak point. Most people use their routers plug & play after purchase, with the standard provided password and a weak Wi-Fi key. This isn’t ideal for private usage, and it is definitely insufficient for professional work.

A secure connection strategy for a home office is multi-pronged. In terms of your home network, it’s recommended to use at least WPA2 encryption for your Wi-Fi router, or WPA3 if you have access to it on your device. Making sure all related software and firmware are up to date is also useful here, as is making sure you only access company data via a VPN and avoiding the use of public Wi-Fi networks unless a VPN is used.
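
As an added illustration (not part of the original article), the Python sketch below checks the WPA2-or-better recommendation against Wi-Fi scan results, rating each network by the weakest mode it advertises. It assumes the terse output of NetworkManager's `nmcli -t -f ACTIVE,SSID,SECURITY device wifi list`; the sample scan and all function names are constructed for the example.

```python
# Constructed sample in the shape of:
#   nmcli -t -f ACTIVE,SSID,SECURITY device wifi list
# (fields separated by ':', a literal ':' in a value escaped as '\:').
SAMPLE_SCAN = """\
yes:HomeNet:WPA2
no:Cafe\\:Free WiFi:
no:OldRouter:WEP
no:Mixed:WPA1 WPA2
no:NewMesh:WPA2 WPA3
no:Office:WPA3
"""

STRENGTH = {"WEP": 0, "WPA1": 1, "WPA2": 2, "WPA3": 3}

def split_terse(line):
    """Split a terse nmcli line on ':' while honouring backslash escapes."""
    fields, cur, i = [], [], 0
    while i < len(line):
        if line[i] == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])   # escaped character is taken literally
            i += 2
            continue
        if line[i] == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(line[i])
        i += 1
    fields.append("".join(cur))
    return fields

def weakest_mode(security):
    """Return the weakest recognised mode advertised, or 'open' if none."""
    modes = [m for m in security.split() if m in STRENGTH]
    return min(modes, key=STRENGTH.get) if modes else "open"

def audit(scan_text):
    """Map each SSID to (weakest mode, meets the WPA2 minimum?)."""
    report = {}
    for line in scan_text.splitlines():
        parts = split_terse(line)
        if len(parts) != 3:
            continue                  # skip lines that are not ACTIVE:SSID:SECURITY
        _active, ssid, security = parts
        mode = weakest_mode(security)
        report[ssid] = (mode, STRENGTH.get(mode, -1) >= STRENGTH["WPA2"])
    return report

if __name__ == "__main__":
    for ssid, (mode, ok) in audit(SAMPLE_SCAN).items():
        print(f"{ssid:16} {mode:5} {'ok' if ok else 'BELOW WPA2 MINIMUM'}")
```

A router in mixed WPA1/WPA2 mode is reported as below the minimum because it still accepts the older mode; a WPA2/WPA3 transition network is rated WPA2 for the same reason.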

Designing a secure home office, above all, is about consciously de-risking as many potential privacy and security factors as possible. Whilst not an exhaustive list, focusing on the above three areas will help employees and employers alike to have greater peace of mind and focus on the things that are business critical during this challenging time.

Chris Lin

Chris is the Vice President of IT at Mozilla. He is responsible for the strategy, execution and operations of Mozilla’s business technology, information security, data management, network and infrastructure services. He is the Head of enterprise applications, data, information security, infrastructure services, SRE, cloud DevOps, and IT services for the mission-driven tech company.