Social distancing is one of the key ways of limiting the spread of the coronavirus, which is leading to more and more organisations asking staff to work from home. However, the rush to remote working can create additional cybersecurity threats.
Now the UK's National Cyber Security Centre (NCSC) has published its guidance around protecting data when staff are working outside of their normal office environment.
NCSC warns that staff needing new accounts or access to systems will require strong passwords and two-factor authentication, if available.
Employers should also consider new applications that staff may need to work, such as new collaboration tools in the form of chat rooms, videoconferencing or document sharing. NCSC has separate guidance on implementing cloud services.
NCSC's general recommendations include:
- Create written guides and how-to documents for new software that staff will be using, or existing applications that will be used in a different way, or even more basic elements like 'How to log into and use an online collaboration tool'.
- Make sure devices encrypt data at rest, to protect data on the device if it is lost or stolen. While most modern devices have encryption built in, it may need to be switched on and configured.
- Use mobile device management (MDM) tools to set up devices with a standard configuration, and also to remotely lock devices, erase data or retrieve a backup.
- VPNs: Make sure that VPNs are patched, and remember that additional licenses, capacity or bandwidth may be required if your organisation normally has a limited number of remote users.
- Make sure that staff know what to do if their device is lost or stolen. That includes who to report it to: staff who fear getting into trouble are less likely to report lost devices quickly, so make sure it can be done in a blame-free way.
USB drives can contain lots of sensitive data, but are also easily lost and can be an easy way for malware to find its way onto PCs. NCSC said companies can reduce security risks by:
- disabling removable media using MDM settings
- using antivirus tools where appropriate
- only allowing products supplied by the organisation to be used
- protecting data at rest (encrypt) on removable media
- asking staff to transfer files using alternative means like cloud storage or collaboration tools
The agency warned that cyber criminals are preying on fears of the coronavirus and sending 'phishing' emails that try to trick users into clicking on a bad link. Open your antivirus software if installed, and run a full scan. Follow any instructions given. If you've been tricked into providing your password, you should change your passwords on all your other accounts. If you're using a work device, contact your IT department and let them know.
Europe's cybersecurity agency has also provided some tips for working from home securely.