How journalists can work from home securely

Harlo Holmes

Director of Newsroom Digital Security

olivia_headshot_new

Digital Security Trainer

David Huerta

Digital Security Trainer

Martin Shelton

Principal Researcher


As a community, as news organizations, and as individual journalists, we should now expect major systemic changes in how our workplaces are organized to protect each other’s health. Remote work is a necessary part of the strategy. As newsrooms consider how to support remote work, we also need to think through our plan to work securely beyond the corporate firewall.

Most news organizations already have some policies in place for handling sensitive data, or accessing compartmentalized newsroom resources remotely. But often, much shared infrastructure is lacking. It’s time to make some changes.

At Freedom of the Press Foundation we have some thoughts about practical ways to work together securely as a distributed team, but we also want to learn from, and call attention to, the community’s wisdom. Send us a message on Twitter at @FreedomofPress or contact us here to let us know what practices your newsroom has adopted to enable remote work securely. We may ask if we can expand this article with your tips.

Newsroom infrastructure needs

In our ideal world, newsrooms would have some shared infrastructure, plus some basic training for all newsroom employees, covering the following:

  • Virtual private networks (VPNs). A VPN is a great way to securely tunnel your computer’s internet traffic to a remote location. Many newsrooms have internal newsroom resources only accessible within their building, and will use VPNs to allow workers to connect remotely. If your newsroom has resources only accessible through a specific range of IP addresses, now might be a good time to look into an internal VPN to ensure everyone has continued access.
  • A shared password management solution. We know that many newsrooms have shared docs full of passwords, and other fun/concerning ways to keep track of their passwords. However, if you haven’t done so, now might be the time to invest in a team-friendly password manager — a piece of software designed to securely store passwords, and give selective access to others in the organization. For teams, good choices include 1Password and LastPass. Consider reading about choosing a password manager to learn how we came to those recommendations.
  • Two-factor authentication for shared accounts. To make accounts more secure when logging into a website, many sites allow you to set up a second piece of information — a second “factor” — beyond the password. When you enable two-factor authentication, typically you will be asked to enter a short-lived code (e.g., a six-digit number) sent to a device you own, such as your phone. This is great for individuals, but isn’t ideal for teams, because not everyone can access the device.

    If you’ve already set up a shared password management solution, you’re in a good position to add two-factor authentication to accounts shared by more than one person. Some password managers will allow you to store two-factor authentication codes, allowing anyone on the team to access them remotely. For example, 1Password will provide this functionality, making logins simpler for everyone. Consider reading about the security trade-offs of on-device and remote two-factor authentication solutions.
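To show why a stored two-factor entry works for a whole team, here is an added example (not code from this article, 1Password, or any site) that assumes the account uses standard time-based one-time passwords (TOTP, RFC 6238). The function names and the vault entry are illustrative, and the secret is the public RFC 6238 test value, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 6238 test secret, base32-encoded the way a site
# shows it at enrolment and the way it would sit in a shared vault entry.
VAULT_ENTRY_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at=None, step: int = 30) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    now = time.time() if at is None else at
    return hotp(base64.b32decode(secret_b32), int(now // step))


def verify_totp(secret_b32: str, submitted: str, at=None,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step plus/minus `window` steps of drift."""
    now = time.time() if at is None else at
    counter = int(now // step)
    secret = base64.b32decode(secret_b32)
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), submitted)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    t = 59  # fixed timestamp from the RFC 6238 test vectors
    reporter = totp(VAULT_ENTRY_B32, at=t)
    editor = totp(VAULT_ENTRY_B32, at=t)  # a different person, same vault entry
    print("same code for both teammates:", reporter == editor, reporter)
    print("accepted now:", verify_totp(VAULT_ENTRY_B32, reporter, at=t))
    print("accepted two minutes later:", verify_totp(VAULT_ENTRY_B32, reporter, at=t + 120))
```

Because the code is derived only from the stored secret and the clock, anyone who can read the vault entry can produce valid codes, so access to that entry and the password manager's own login protection carry the weight of the second factor.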

Personal to-dos

Work at home means you can’t assume the same security benefits of sitting at the office. Your newsroom may have stronger digital and physical security practices in place than your home office, so it might be time for some adjustments.

  • If applicable, keep tabs on IT team guidance. Your IT team may provide new software (e.g., password managers, VPNs) to help maintain remote access to newsroom resources at a distance. They are likely scrambling to keep your day as simple as possible, so keep tabs on any guidance they provide in the weeks ahead.
  • Inventory items to bring home. If you have passwords, contact lists, written notes, or anything important for your work written down at your desk, bring it home. This also includes hardware, such as security tokens. We’ve come to take access to our desks for granted, so consider what you need.
  • Tighten your wireless security. At home, you might have to be your own IT department. To ensure you have the safest network possible, it’s time to think about updating your Wi-Fi router’s firmware, and ensuring the Wi-Fi and router administrator passwords are complex and unique. Updating your router’s firmware will help defend against many remotely exploitable vulnerabilities common in household routers. Likewise, weak Wi-Fi router passwords can be picked right out of the air without too much effort, but a complex and unique passcode is much harder to steal. Again, a password manager is a great way to generate and keep track of these unique passwords. Learn how to secure your home Wi-Fi router.
  • Update your connected devices. Every device connected to your network may have vulnerabilities that place the entire home network (and your work) at risk. While maintaining updates is generally a good practice, it’s now more critical than ever. Take an inventory of your connected devices — phones, tablets, voice assistants, computers, internet-connected cameras — and check to see if they have any available updates. This is especially important for any new devices you’re now adding into your workflow.

    Note that while some connected “Internet of Things” devices (e.g., Amazon’s Alexa) have a big security team to push updates, many more devices (e.g., connected cameras, lightbulbs) will never get updates. It’s safer to avoid putting out-of-date devices on your network, but if you’re going to use them, consider placing them on a guest Wi-Fi network with a unique, complex password to keep these devices quarantined from the rest of the network. This will prevent them from making network-based connections to other devices.
  • Be vigilant — now’s an opportune time for phishing attacks. One of the most common ways hackers steal credentials is through phishing messages, typically deceptive emails crafted to trick you into clicking a link to a file laced with malware, or to a phony login page. Sometimes a phish will manufacture a sense of urgency (e.g., “We need you to sign this immediately.”). Why? People with “stress brain” aren’t critically looking at what comes into the inbox. Unfortunately, right now you are likely experiencing a lot of stress brain, and hackers are already taking advantage.

    If you receive a link in your email to an apparent login page, hit pause and consider navigating directly to the page yourself rather than clicking the link. Remain vigilant, and while you’re getting in the habit of washing your hands for 20 seconds, consider also learning more about phishing hygiene. The Electronic Frontier Foundation also released a primer on identifying COVID-19 phishing scams.
  • When you are away, shut computers all the way down. Stepping out for a breath of fresh air or making a last-dash run for toilet paper? Power down your computer so it’s encrypted. Hopefully your work laptop has full disk encryption enabled with FileVault for MacBooks, or BitLocker for Windows users. But disk encryption won’t stop someone from taking data off the device once you’ve decrypted the device upon startup with your password. It’s important to shut the device all the way down when not in use, especially if it contains data on confidential sources or any other highly sensitive data (e.g., anything related to your SecureDrop instance).
  • Learn about security tradeoffs between video conferencing tools. Sometimes you won’t get to choose the video chat tools for your meetings (e.g., when your colleagues choose a specific platform, such as G Suite or Office 365). But in your personal capacity you’ll nonetheless join remote meetings with many different needs. Sometimes you’ll need support for dozens of participants. Sometimes this is less important, and in sensitive conversations, you’ll need end-to-end encryption. There’s no “right” way; only what’s right for you, your sources, and your colleagues. Consider learning about security and usability tradeoffs between several video chat tools.
  • Tighten your protocols for accepting leaks at home. When you’re at home, you may not have access to your desk phone, and potentially other newsroom tip channels. With that in mind, you may need to take steps to accept tips more securely from home. First things first: If you haven’t already, your newsroom should ensure one or more people can bring home the relevant hardware, and triage tips over Signal, SecureDrop and other channels from home. It might be a good time to read about how to lock down Signal or upgrade WhatsApp security for your personal and newsroom communications. Freedom of the Press Foundation has released a remote working advisory with recommendations for SecureDrop administrators.
  • Share this with your colleagues. Consider also sharing these resources with your colleagues. It’s not sufficient to immunize only yourself. We also need to ensure our colleagues operate safely.

And as always, please reach out to our digital security training team if you need any help.

We’d love to help others learn from your experience by adding your tips above! What are some long-standing practices your organization has employed to protect journalists working remotely? How about new practices you’ve never had to consider until now? Contact us privately here or reach out at @freedomofpress (DMs open). We look forward to learning from, and working with, you.

- Freedom of the Press Digital Security Training Team
