In response to increased requests from companies to their employees to work from home brought about by the Covid-19 outbreak, Cyprus’ national Computer Security Incident Response Team (CSIRT) issued on Friday its guidelines on how to do so safely, as remote work entails some security threats especially for people who are not accustomed to working outside the office.
Here are some guidelines on how you can work more safely at home and ALWAYS through your office computer (NOT personal devices such as mobile phones, laptops, etc.).
1. Security Policy
Each organisation must have a security policy that fully defines the process of remote access to the organisation, at the responsibility of the administrator.
2. Proper location selection
Choose your workspace taking into account not only comfort but also the safety that it provides:
- Choose a site that gives you as much confidentiality as your work requires. This is easier at home than in a cafeteria or library. Select a place where other people cannot see the screen of the device you are using. We recommend installing a privacy screen filter.
- If you use videoconferencing make sure that the platform you are using is secure and that other people around you are not watching your videoconference.
- Do not allow your family members to use your work devices. If you must leave your device, lock your device to prevent others from accessing it.
- Use only encrypted Wi-Fi to connect to the Internet. If you work from home, make sure your home’s Wi-Fi network uses the latest updated security settings.
- If you want to access servers or tools hosted at your organisation’s premises, use VPN (Virtual Private Network) to connect to your organisation’s network. VPN creates an encrypted tunnel for the flow of traffic on your network and makes it difficult for others to steal the data that is exchanged during the transfer.
3. Data security
There are some settings you can apply to your devices to reduce the data an attacker can access, including if your device is stolen.
- Use strong authentication to access your device, such as Windows Hello, or a PIN or face recognition, if your device supports it.
- Use Two-Factor Authentication (2FA) to access any cloud-based tools. 2FA uses two “factors”, such as a password and a PIN that will be sent to your mobile device, or a PIN and a face scan or fingerprint, to verify your identity (if supported by the device).
- Now is the time to think about your passwords. If you use simple passwords, this is the time to upgrade them to safer passwords.
Password selection guidelines:
- 10 characters minimum
- At least one number
- At least one special character, e.g. @#$%^&*()
- At least one capital letter
- Make sure local drive encryption, such as BitLocker, is enabled. This way, if your device gets lost or stolen, it will be difficult to access local data.
- Make sure your device is up-to-date with all security updates and that you have a malware protection program, such as Windows Defender, that is actively running.
4. Open communication with the organisation
- Stay in touch with your organisation while working remotely. The IT department can provide instructions or make new security tools available to you. If you suspect that your device or data has been tampered with in any way, alert those designated by your organisation so they can investigate the situation and take action to prevent further damage.
- Now, more than ever, resist the temptation to use unauthorised tools or to store data outside your organisation’s guidelines. If you need a tool you do not have in order to get your job done, contact the managers designated by your organisation. It is quite possible that you will discover systems that do not work as you would expect when you are in the office. Now is the time to let those in charge of your organisation know before you take action.
- Be alert for phishing emails. Malicious users try to exploit fear and uncertainty by sending emails that appear to come from known authorities or executives in an attempt to entice you to click on malicious links or to transmit your personal information. Never open attachments that you didn’t expect to receive, even if they appear to come from someone you know. It is always advisable to check with the person who sent you the file to verify its validity.
- Suggested tools for checking web pages and files:
UrlScan – https://csirt.cy/tooling/#urlscan
VirusTotal – https://csirt.cy/tooling/#virustotal
HaveIbeenPwned – https://csirt.cy/tooling/#haveibeenpwned
DomainTools – https://csirt.cy/tooling/#whois-domaintools
BitLocker – https://csirt.cy/tooling/#bitlocker
- Remote users should not have administrator privileges.
- Turning off all USB ports used by users is not only necessary for device security, but also an essential prerequisite for safe infrastructure operation.
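Added here as a worked example, and not part of the CSIRT guidance: a read-only PowerShell self-check that a home worker or help desk can run on a Windows office laptop to verify several of the items above (encrypted Wi-Fi from section 2; BitLocker, Defender and updates from section 3; and the no-administrator-privileges item from section 4). Assumed: Windows 10/11 with the BitLocker, Defender and LocalAccounts modules, English-language netsh output, and a seven-day signature-age threshold.

```powershell
# Added example (not from the CSIRT page): read-only self-check of a Windows work laptop.
# Assumes Windows 10/11 with the BitLocker, Defender and LocalAccounts modules, English netsh output.
function Test-WifiEncrypted {
    # Section 2: only encrypted Wi-Fi. netsh prints e.g. "Authentication : WPA2-Personal".
    $lines = netsh wlan show interfaces 2>$null
    $auth = foreach ($l in $lines) {
        if ($l -match '^\s*Authentication\s*:\s*(.+)$') { $Matches[1].Trim() }
    }
    if (-not $auth) { return $true }        # wired or no adapter: nothing to flag
    return -not ($auth -match 'Open|WEP')   # WEP and open networks fail; WPA2/WPA3 pass
}
function Test-BitLockerOn {
    # Section 3: local drive encryption enabled on the system drive.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    return ($null -ne $vol -and "$($vol.ProtectionStatus)" -eq 'On')
}
function Test-DefenderActive {
    # Section 3: malware protection running, signatures under 7 days old (assumed threshold).
    $s = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $s) { return $false }
    return [bool]($s.AntivirusEnabled -and $s.RealTimeProtectionEnabled -and $s.AntivirusSignatureAge -lt 7)
}
function Test-NoPendingUpdates {
    # Section 3: all security updates installed. Queries Windows Update, so needs network access.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    return ($result.Updates.Count -eq 0)
}
function Test-NotLocalAdmin {
    # Section 4: remote users should not be administrators. Direct membership of the local
    # Administrators group (SID S-1-5-32-544) only; nested domain groups are not resolved.
    $me = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
    return -not [bool]($admins | Where-Object { $_.SID.Value -eq $me })
}
# Run every check and print a one-line verdict per item; nothing on the machine is changed.
$checks = [ordered]@{
    'Encrypted Wi-Fi'             = Test-WifiEncrypted
    'BitLocker on system drive'   = Test-BitLockerOn
    'Defender active and current' = Test-DefenderActive
    'No pending updates'          = Test-NoPendingUpdates
    'Not a local administrator'   = Test-NotLocalAdmin
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-30} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'ACTION NEEDED' })
}
```

Any line reporting ACTION NEEDED is a prompt to contact the IT department named in section 4, not to change settings yourself.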