Don’t Use Personal Browser Profiles At Work
Assume that on your work computer, your company can see everything that you do. That’s not always the case, but some IT departments do actively deploy monitoring software to see employee activity. Even if they don’t, your company has the right to see it and could ask you at any time, or even get IT to change your password to log in as you.
In another scenario, when staff leave, some businesses simply change the name on the existing account rather than setting up a new account for the replacement. That means that your replacement would potentially have access to all your browsing history and saved passwords if you store them on your company device!
Don’t Mix Business and Personal Browsing From The Same Profile
Here’s a perfect example of why you should not mix up your work and personal browser profiles:
Okta is a single sign-on tool that is used like a password manager and can sign you in to sites with one click. Very useful!
Unfortunately for them, one of their staff signed in to their personal Google account in their browser and then saved their Okta password in that account.
Hopefully all your business online accounts are protected by MFA, which should be enforced, but that’s not the case with personal accounts, where you need to set it up yourself. Here the employee’s personal Google account was compromised and, with it, all the employee’s personal passwords they had stored in their browser, including their administrative login to the Okta system. This gave the attacker access to their Okta account and, with it, the accounts of the companies the employee managed.
The unauthorized access to Okta’s customer support system leveraged a service account stored in the system itself. This service account was granted permissions to view and update customer support cases. During our investigation into suspicious use of this account, Okta Security identified that an employee had signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop. The username and password of the service account had been saved into the employee’s personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.
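For IT teams, the condition in Okta’s statement (a personal Google account signed in to Chrome on a managed laptop) is something you can check for. The Python sketch below is an added example, not code from Okta or from the original article; it assumes Chrome’s "Local State" file records each profile’s signed-in email under profile.info_cache, and the sample data and the corp.example domain are constructed.

```python
import json
import sys

# Constructed sample in the shape of Chrome's "Local State" file. Assumption:
# profile.info_cache maps each profile directory to metadata whose "user_name"
# is the signed-in account's email ("" when nobody is signed in).
SAMPLE_LOCAL_STATE = json.dumps({"profile": {"info_cache": {
    "Default":   {"name": "Work",      "user_name": "Jo.Smith@Corp.example"},
    "Profile 1": {"name": "Jo",        "user_name": "jo.smith@gmail.example"},
    "Profile 2": {"name": "Local",     "user_name": ""},
    "Profile 3": {"name": "Lookalike", "user_name": "jo@corp.example.evil.example"},
}}})


def account_domain(email):
    """Lower-cased domain of an email, or None if it is not usable."""
    local, sep, domain = email.strip().rpartition("@")
    return domain.lower() if sep and local and domain else None


def find_unmanaged_profiles(local_state_text, allowed_domains):
    """Return sorted (profile_dir, profile_name, email) for every profile that
    is signed in with an account outside the allowed (company) domains."""
    allowed = {d.lower() for d in allowed_domains}
    state = json.loads(local_state_text)
    cache = state.get("profile", {}).get("info_cache", {})
    findings = []
    for profile_dir, meta in cache.items():
        email = meta.get("user_name") or ""
        if not email:
            continue  # no account signed in to this profile
        # Exact domain match only, so "corp.example.evil.example" is flagged,
        # and a malformed address (domain None) is flagged too.
        if account_domain(email) not in allowed:
            findings.append((profile_dir, meta.get("name", ""), email))
    return sorted(findings)


if __name__ == "__main__":
    # Pass the path to a real "Local State" file, or run on the sample.
    text = (open(sys.argv[1], encoding="utf-8").read()
            if len(sys.argv) > 1 else SAMPLE_LOCAL_STATE)
    for profile_dir, name, email in find_unmanaged_profiles(text, ["corp.example"]):
        print(f"{profile_dir} ({name}): signed in as {email}")
```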
How To Balance Work and Personal Browsing
Everyone needs to take a break at work, and that might mean using the internet for personal browsing on your company device, and most of the time this is going to be fine. If you’re reading the news, maybe even watching YouTube, there’s not a lot that can seriously go wrong (but do check your company’s IT Policy about that).
Assuming that this is all OK, I would still recommend that you take a few extra precautions to protect your company and personal data from cross-contamination.
Use Private Browser Sessions
Private browsing doesn’t mask or hide what you access on the internet: this is still visible to the ISP, and possibly to your company IT department. But it does delete the browsing history when the browser is closed, which stops it appearing in the history of the main session.
It’s also very useful if you have multiple accounts on the same platform, such as Microsoft 365, allowing you to use your preferred browser for multiple concurrent sign-ins.
How to Open Private Browsing Windows – Macnamara ICT
Use Multiple Browsers
Using private sessions doesn’t prevent you saving personal passwords in your company browser, or vice versa. If you have multiple browsers installed, use a private session on another browser you don’t use for work. For example, if you have Edge for work signed in with your M365 account, use a private Chrome session, without a signed-in profile, to browse during your lunch break.
Never Save Personal Passwords at Work, Or Work Passwords At Home
Just get in the habit of not saving any personal passwords in your work browser. If your company allows you to work from a personal device, have a work profile set up and keep your activity separate.
How to Sign in to Edge Browser – Macnamara ICT
Setting Up A Sync Account in Firefox and Chrome – Macnamara ICT
Set Up MFA On Your Personal Accounts
MFA is not just there to protect company data; it’s there to protect you! Make sure all your personal email accounts, bank accounts, and anything else that you use has MFA enabled. If anyone ever gets hold of your password, they won’t be able to access your account without your phone. If you store passwords in your browser, make sure at the very least that the browser account has MFA enabled, so you’re not exposing your saved passwords.