Need advice to step up my cyber security due to working remotely - Colleagues have recently been hit with malware and session hijacking

Solved by OddOod.

I've been working remotely for a couple of years on my normal home Win10/11 desktop, I've tried to be as careful as I can but recently my colleagues and I have been targeted with a lot of phishing emails and calls, scams through compromised emails from legitimate clients, and most recently malware disguised in we think it was PDFs or maybe videos.

Part of my job is frequently being sent PDFs, pictures, video... and having to download from people's Gdrives or Dropboxes, but these are all random customers from all over the world.

 

Even if a customer wasn't intentionally sending me something nasty, I know you can have an infected system without knowing it and send files to other people unknowingly infecting their systems.

So I'm working out what my best options are and I have a few questions I'm hoping some kind people can help me understand.

  1. If I bought a second computer dedicated to work, it would be connected via Wi-Fi or ethernet to my main WAN connection and the same router.
    If the work computer was on the same connection connected to the same router but was Not on a home network connected to any other computer or phone, if the work computer got infected with something nasty could it spread to other devices because they are on the same internet connection and router, or is it safe because they are not on the same network and don't have a physical file sharing capability?

  2. Another option I thought of is to continue using my main desktop but running a Virtual Machine every day when I'm working.
    If I understand correctly this isn't a completely 100% secure method but it would be mostly good at protecting my physical OS and files, however, I don't know how a VM works, do I have to install all the apps I need to use each time or do I have to configure each app every time?

  3. I use a password manager for my personal accounts, and I naturally just started using that for my work logins as well. Is there any benefit to using a different password manager for anything to do with work or does it not really matter?
    On my main account, I do already use a huge complex password that I change regularly, and also 2FA every time I open a browser.

  4. Is there anything else I could be using other than Windows Defender and Malwarebytes?

I would really appreciate any help or advice, thank you


Please explain like I'm 5yo, I'm really not savvy on things like VMs and most security


This really feels like a talk to your IT type of problem. What do they say about this?

 

I'd say work should supply the system for you to use here, you shouldn't have to buy one.


First, this is 100,000% something your work should handle. Their IT team/service should set you up with realtime protection and a dedicated machine.

As for your listed options:
1. 2nd PC: Depending on your router, you should be able to set up a Virtual LAN network which only has that machine on it. Nothing on that machine should be able to see anything on your main network. I can't really explain how to set up a VLAN because it varies by router (lower end ones sometimes don't even have the option). That isolates your stuff from any nastiness.
2. You can run a VM, it's pretty easy in Windows, and no, you wouldn't have to re-set up everything every time. You can even hand it an entire independent SSD. I think you could even pass in a VLAN, though you might have to buy a PCIe network card and it does get a bit more complicated, but great learning opportunity.
3. App based 2FA should keep the passwords safe unless the computer is infected, at which point as soon as you've unlocked the vault they can scrape it in its entirety. As far as password complexity goes.... meh, you could have a 4000 character fully random password and still get it hacked. Complexity is to slow down crackers, but they need access to the stored password to even attempt it anyway. It's more of a risk if there is a physical attack vector (someone connects to your wifi).
4. Most antivirus programs are operating off the exact same virus signature database. The next step is an organization wide realtime threat protection, which given that y'all are being targeted means it should have been implemented a while ago.

5950X/3080Ti primary rig  |  1920X/1070Ti Unraid for dockers  |  200TB TrueNAS w/ 1:1 backup
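A way to check that the VLAN or guest-network isolation discussed in this thread is actually in effect, added here as an example and not written by any poster: run it on the work machine and point it at the addresses of your personal devices. The addresses and the port list are constructed placeholders, and `probe` / `isolation_leaks` are names chosen for this sketch.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Services often exposed by home devices: SSH, HTTP, NetBIOS, HTTPS, SMB, RDP.
# This list is an assumption; extend it for your own NAS, printer, etc.
DEFAULT_PORTS = (22, 80, 139, 443, 445, 3389)

def probe(host, port, timeout=1.0):
    """Classify one TCP connection attempt from this machine.

    "open"    - a service accepted the connection: isolation has failed.
    "refused" - a reset came back, so packets crossed (or a firewall rejects
                with a reset); the host is probably reachable, investigate.
    "blocked" - timeout or no route: what an isolated segment should show.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeouts, unreachable network/host, filtered traffic
        return "blocked"

def isolation_leaks(hosts, ports=DEFAULT_PORTS, timeout=1.0):
    """Return {(host, port): state} for every target that was not blocked."""
    targets = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=32) as pool:
        states = list(pool.map(lambda t: probe(t[0], t[1], timeout), targets))
    return {t: s for t, s in zip(targets, states) if s != "blocked"}

if __name__ == "__main__":
    # Constructed sample addresses: replace with your own personal devices.
    personal_devices = ["192.168.1.10", "192.168.1.20"]
    leaks = isolation_leaks(personal_devices)
    for (host, port), state in sorted(leaks.items()):
        print(f"reachable from work machine: {host}:{port} ({state})")
    if not leaks:
        print("no personal device answered: isolation appears to hold")
```

An empty result only covers the listed ports over TCP; rerun it after any router firmware update or configuration change.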


14 minutes ago, Electronics Wizardy said:

This really feels like a talk to your IT type of problem. What do they say about this?

 

I'd say work should supply the system for you to use here, you shouldn't have to buy one.

 

 

The company I work for is small and does not have any IT department or security specialist. 

 

They won't buy me a system but I don't mind buying a second one as the job is very good, but I don't know how much that helps me if I do buy a second one. As I mentioned in my first question, if it's connected to the same Wi-Fi/router via ethernet, is it still going to compromise my other systems if anything nasty gets on it?


4 minutes ago, Unexplainable Lag said:

The company I work for is small and does not have any IT department or security specialist. 

 

They won't buy me a system but I don't mind buying a second one as the job is very good, but I don't know how much that helps me if I do buy a second one. As I mentioned in my first question, if it's connected to the same Wi-Fi/router via ethernet, is it still going to compromise my other systems if anything nasty gets on it?

I normally want to keep work systems different so the personal and work data doesn't get mixed.

 

As far as an attacker breaking out of the work system to others, it certainly could happen. Using the guest wifi mode on your router can basically stop this from happening pretty easily.

 

Is this a super small company with sub 10 people? This feels like the company should put more work into IT here, cause this is gonna bite them if they don't improve this.


7 hours ago, OddOod said:

First, this is 100,000% something your work should handle. Their IT team/service should set you up with realtime protection and a dedicated machine.

As for your listed options:
1. 2nd PC: Depending on your router, you should be able to set up a Virtual LAN network which only has that machine on it. Nothing on that machine should be able to see anything on your main network. I can't really explain how to set up a VLAN because it varies by router (lower end ones sometimes don't even have the option). That isolates your stuff from any nastiness.
2. You can run a VM, it's pretty easy in Windows, and no, you wouldn't have to re-set up everything every time. You can even hand it an entire independent SSD. I think you could even pass in a VLAN, though you might have to buy a PCIe network card and it does get a bit more complicated, but great learning opportunity.
3. App based 2FA should keep the passwords safe unless the computer is infected, at which point as soon as you've unlocked the vault they can scrape it in its entirety. As far as password complexity goes.... meh, you could have a 4000 character fully random password and still get it hacked. Complexity is to slow down crackers, but they need access to the stored password to even attempt it anyway. It's more of a risk if there is a physical attack vector (someone connects to your wifi).
4. Most antivirus programs are operating off the exact same virus signature database. The next step is an organization wide realtime threat protection, which given that y'all are being targeted means it should have been implemented a while ago.

As I just mentioned in the other reply, the company I work for is small and does not have any IT department or security specialist. 

 

Regarding the answers to my questions:

  1. Thank you for the info, the router I have I believe is reasonably decent, entry-level enterprise, from Teltonika  - RUT950
    I will look into a virtual LAN as I'm sure that is something this router supports.
     
  2. I do really want to learn at least the basics of how to do VM as there are plenty of times I'm even a bit nervous with things friends and family have sent me, because I know my knowledge of cyber security is not great at all, but most of my friends and family haven't even heard the word malware or computer virus.
     
  3. To make sure I understand correctly: if I had a completely separate account or a different 2FA vault for work, and a separate computer that is not on the same network, maybe on a VLAN... Then my personal 2FA vault should be safe, right?
    Even if the second work computer was compromised it wouldn't have any access to my personal 2FA vault as I would never use it or log in on the work computer.
     
  4. I just found out about VirusTotal, I saw a huge number of people recommending this as a good option for uploading files as well as scanning them with Malwarebytes.
    As the company I work for is very small and doesn't have any proper IT/security specialist, and I can't see them hiring anyone either.
    Would something like Malwarebytes realtime protection be any good, or do you mean something more specialist and actually having someone on staff?

Thank you so much for taking the time to provide this information and helping me.


11 minutes ago, Electronics Wizardy said:

I normally want to keep work systems different so the personal and work data doesn't get mixed.

 

As far as an attacker breaking out of the work system to others, it certainly could happen. Using the guest wifi mode on your router can basically stop this from happening pretty easily.

 

Is this a super small company with sub 10 people? This feels like the company should put more work into IT here, cause this is gonna bite them if they don't improve this.

Thank you for the information.

 

The way everything is set up is pretty crappy in all honesty. There is only one employee and that is the CEO and owner, everyone else including me is just a contractor so they can fire us at any point and we have no employee rights, that sucks but to compensate I can work whenever I want, keep the hours I want, and when they told me the salary it was more than double what I was expecting.

 

We basically have the CEO/Owner, 6 sales and support contractors, a friend of the CEO who helps him with the website, automation, and SEO. That is pretty much it.
I could try to request some real-time protection but with the way the economy is at the moment things have not been going great, we have had to tighten some belts so requesting something that will cost, I actually have no idea how much that sort of thing costs, it might be seen as problematic.
As there is no job security at all but the pay is incredibly good, everyone is terrified to rock the boat.


5 minutes ago, Unexplainable Lag said:

Regarding the answers to my questions:

1: A decent router isn't usually too expensive and learning about networking can be fun and it tends to be an evergreen skill

2: Heck yeah! Dive in! As for friends and family, yeah.... I keep a burner laptop around for this. Not hard to nuke and reinstall on the off chance it's infected.

3: You have that correct. Make sure to never have data on that independent machine that would hurt you personally if it fell into the wrong hands and even if it gets infected, you're safe
4: Yeah! VT is an amazing project. Malwarebytes leaves a bad taste in my mouth. They use scummy tactics. I'm not informed about how well or poorly their realtime stuff works. Windows' built in RT protection is pretty decent. I was referring to more specialist software that is sold primarily to businesses. There are a TON of them and the good ones need to run on a lot of computers to understand what is normal for who.

5950X/3080Ti primary rig  |  1920X/1070Ti Unraid for dockers  |  200TB TrueNAS w/ 1:1 backup


23 minutes ago, OddOod said:

1: A decent router isn't usually too expensive and learning about networking can be fun and it tends to be an evergreen skill

2: Heck yeah! Dive in! As for friends and family, yeah.... I keep a burner laptop around for this. Not hard to nuke and reinstall on the off chance it's infected.

3: You have that correct. Make sure to never have data on that independent machine that would hurt you personally if it fell into the wrong hands and even if it gets infected, you're safe
4: Yeah! VT is an amazing project. Malwarebytes leaves a bad taste in my mouth. They use scummy tactics. I'm not informed about how well or poorly their realtime stuff works. Windows' built in RT protection is pretty decent. I was referring to more specialist software that is sold primarily to businesses. There are a TON of them and the good ones need to run on a lot of computers to understand what is normal for who.

Huge thanks for this, I immediately have a big starting foothold and know which direction I need to go in. Again, I really appreciate you taking the time to help, thank you
