Cybersecurity Tips for Teleworking
By Dan Chandler, CISO (24 Mar)
Security is becoming a greater challenge as more people work from home because of the coronavirus (COVID-19). One of the key measures to reduce its spread is social distancing, which for Criterion, as for many other companies, means encouraging or instructing staff to work remotely. But moving at short notice from a trusted office environment to teleworking creates new cybersecurity risks. Here are the tips we are using at Criterion to minimize those risks; a list of sources for further information appears at the end of the article.
- Find out whether your organization has rules or policies for telework, and if so, read them and comply with them. For example, it may be acceptable to use your own computer for reading company email but not for accessing sensitive customer data.
- Make sure your home Wi-Fi is secured so that your traffic is protected from eavesdropping. Most home Wi-Fi is set up correctly, but some older installations are open or still use WEP or the original WPA, both of which are broken and let anyone nearby snoop on your traffic. Check that the router is configured for WPA2 or WPA3, that it uses a passphrase that is hard to guess, and that the router's own administrative password has been changed from the factory default. If you are unsure how to do this, search for your router's brand and model and you should find a how-to video or checklist.
- If you are using your own computer or mobile device for telework, make sure basic security features are enabled. Simply requiring a PIN, fingerprint, or facial ID to unlock the device prevents others from using it if you step away from it, and turning on device encryption (built into current versions of Windows, macOS, iOS, and Android) means a lost or stolen device does not expose company data. Any PIN or password you use should be hard to guess.
- Ensure anti-virus software is installed and its signatures are current. Regularly check that all computers, mobile devices, and security software (personal firewalls, privacy tools, browser add-ons, and so on) have all applicable updates and patches. Most operating systems can check for and install updates automatically; enabling that option is a good idea if you do not want to check periodically yourself.
- Have a backup strategy and follow it. Back up important files regularly, keep at least one copy somewhere that is not permanently connected to your computer (ransomware encrypts any attached drive or synced folder it can reach), and test that you can actually restore from it. In a worst-case scenario such as a ransomware infection, everything could be lost without a backup.
- Lock your computer screen whenever you step away, especially if you work in a shared space. (Remember, however, that you should avoid co-working and shared spaces for now: social distancing is extremely important to slow the spread of the virus.)
- If you see unusual or suspicious activity on any device you use to telework (computer, mobile device, or home network), report it to your organization's help desk or security operations center and ask for help.
- Be on the lookout for social engineering attempts such as phishing emails or phone scams with a telework theme. Emails from unknown senders with unexpected attachments, callers claiming to be technical staff who ask for your password or tell you to visit a website to "scan" your computer, unusual web meeting invitations: in all of these cases, do not hesitate to ask questions and verify through a separate channel (for example, by calling the help desk at a number you already know) before proceeding. Legitimate IT staff will never ask you for your password.
- Give staff clear initial guidance, and then regular reminders, on how to react if something goes wrong: who to call, hours of service, and emergency procedures.
- Give suitable priority to supporting remote access. If the organization has a VPN (virtual private network), staff should use it on their telework devices so that traffic to company systems is encrypted and authenticated. If it does not, a personal VPN from a reputable provider still protects traffic on untrusted networks, but be clear about its limits: it only hides traffic from the local network and the ISP, it does not authenticate the user to the organization or give access to internal systems, and it is no substitute for an organizational remote access service. Employers should, at a minimum, require multi-factor authentication for remote access and ensure that sessions are encrypted.
- Provide virtual alternatives to paper processes, for example electronic signatures and online approval workflows, so that work can continue without physical presence.
- Ensure adequate support is available in case of problems. This may require setting up special rotations for help desk staff.
- Define a clear procedure to follow in case of a security incident, and make sure remote staff know it.
- Consider restricting access to sensitive systems where it makes sense, for example by allowing it only through the VPN or from company-managed devices.
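The phishing tip above lists warning signs in words; the script below turns them into checks that run over two constructed messages, one phishy and one benign, so a reader can see how the signs combine. This is an added example, not code from the original article or from Criterion. The organization domain (example.com), the sender domains, the names, the lure phrases, and the list of risky attachment types are all assumptions made for the example; a real mail gateway would use the organization's own lists. It goes slightly beyond the tip by also reading the gateway's Authentication-Results header (SPF/DKIM outcome), which is where a mail system records whether the sender could be authenticated.

```python
# Added example (not from the original article): turns the warning signs in the
# phishing tip into checks over constructed e-mail messages. All domains, names,
# and sample text below are made up for illustration.
from email.message import EmailMessage
from email.utils import parseaddr

OUR_DOMAIN = "example.com"   # assumed home domain of the organization

# Executable or macro-enabled types that are rarely legitimate from strangers (assumed list).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}

# Phrases typical of credential-harvesting and "tech support" lures (assumed list).
LURE_PHRASES = ("your password", "verify your account", "scan your computer",
                "act immediately", "account will be suspended")


def _domain(addr: str) -> str:
    """Domain part of an address like 'Name <user@host>' (empty string if none)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def triage(msg: EmailMessage) -> list[str]:
    """Return the reasons this message deserves verification before acting on it."""
    reasons = []
    from_hdr = msg.get("From", "")
    display_name = parseaddr(from_hdr)[0].lower()
    from_domain = _domain(from_hdr)

    # Display name claims an internal support role, but the address is external.
    if from_domain != OUR_DOMAIN and any(
            w in display_name for w in ("it support", "help desk", "helpdesk")):
        reasons.append(f"external sender {from_domain} posing as '{display_name}'")

    # Replies are silently redirected to a different domain than the one shown.
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(reply_to) != from_domain:
        reasons.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {from_domain}")

    # The receiving mail gateway could not authenticate the sender (SPF or DKIM failed).
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        reasons.append("sender authentication failed: " + auth)

    # Executable or macro-enabled attachments, including "invoice.pdf.exe" style names.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            reasons.append(f"risky attachment {name}")

    # Lure language: credentials, urgency, or an offer to "scan" the computer.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    hits = [p for p in LURE_PHRASES if p in body]
    if hits:
        reasons.append("lure phrases: " + ", ".join(hits))
    return reasons


def phishing_sample() -> EmailMessage:
    """Constructed message that shows several warning signs at once."""
    msg = EmailMessage()
    msg["From"] = "IT Support <helpdesk@example-support.net>"
    msg["Reply-To"] = "tickets@mail-relay.biz"
    msg["To"] = "alice@example.com"
    msg["Subject"] = "Action required: remote access"
    msg["Authentication-Results"] = "mx.example.com; spf=fail smtp.mailfrom=example-support.net"
    msg.set_content("Your password expires today. Run the attached tool to scan your computer "
                    "and act immediately or your account will be suspended.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="VPN-Update.pdf.exe")
    return msg


def benign_sample() -> EmailMessage:
    """Constructed ordinary internal message with a harmless attachment."""
    msg = EmailMessage()
    msg["From"] = "Bob Lee <bob@example.com>"
    msg["To"] = "alice@example.com"
    msg["Subject"] = "Notes from today's call"
    msg.set_content("Attached are the notes. See you Thursday.")
    msg.add_attachment("Notes from the call.\n", filename="notes.txt")
    return msg


if __name__ == "__main__":
    for label, sample in (("phishing", phishing_sample()), ("benign", benign_sample())):
        print(label, triage(sample) or ["nothing flagged"])
```

None of these checks is proof on its own (internal colleagues do sometimes send urgent mail with attachments), which is why the tip says to verify through a separate channel rather than to delete or to trust on sight; the script only ranks what deserves that call.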
Sources:
- NIST ITL Bulletin, March 2020: Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions
- NIST Special Publication (SP) 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security