This checklist sets out some guidelines and practical suggestions for optimising cybersecurity when staff are working remotely at short notice, for example in response to a business continuity event such as a pandemic. It is intended for in-house counsel and compliance officers supporting a commercial organisation and can be shared with staff at the commencement of an unexpected period of homeworking, or it can be used more generally when it is required that a member of staff work remotely.
General cybersecurity reminders for staff working remotely
- Be aware of and avoid phishing emails and websites. Some tell-tale signs of phishing emails include:
  - Authority – does the email appear to come from someone who has authority? Does it pretend to be from a government department?
  - Urgency – is there some urgency in the email? Do you have only days or hours to claim the refund? (Fraudsters love to put you under time pressure so that you don’t listen to your common sense)
  - Emotional reaction – does the email make you feel anxious? Heightened emotions can lead to a lack of caution.
  - Exclusivity – does the email suggest you have an exclusive opportunity?
- Follow best practices when clicking links and downloading files, particularly from unsolicited and suspicious emails
- Lock computers and paper documents when away from the desk, even if the home seems secure
- Limit printing and shred paper documents if no longer needed, or lock the documents until they can be shredded
- Avoid use of personal email, file sharing or communication services, and always use business accounts
- Avoid saving passwords, work-related emails or documents to personal email accounts, cloud databases and devices
- Do not send sensitive information over email
- Only use work-approved software systems and communication platforms
- Ensure that others nearby cannot overhear confidential conversations during work-related telephone calls and video-conferences
- Do not leave devices and paper documents in vehicles, even for a short time, and even if the vehicle is locked
- Do not use unsecured or public Wi-Fi
- Do not engage in non-work web surfing or music and video streaming on the work virtual private network
- Verify the security of electronic devices by updating software frequently, ideally with automatic updates
- Ensure understanding of the organisation’s acceptable use policies and information security guidelines
Information security guidance
- Encrypt all hard drives and thumb drives
- Ensure compliance with relevant security requirements, including any security standards your organisation is subject to, regulatory requirements and privacy legislation
- Ensure that anti-malware and anti-virus software are installed and up to date for all remote working staff
- Set up multi-factor authentication that requires remote users to enter multiple ‘factors’ to access a system and/or electronic devices. These factors may include, for example, logging in with a username and password and entering a special token or code issued by a smartphone application
- Where possible, implement data loss prevention tools to block saving files to local devices, access to data sharing sites and printing to home printers
- Use software that adds an ‘external’ notice to emails sent from outside of the organisation
- Send notices to service providers about expectations, including any specific security requirements of the organisation
- If your service providers are not able to meet certain requirements (e.g. an express requirement that their employees do not work from home) and they ask for waivers from such requirements, carefully consider the implications of doing so and how appropriate security can be maintained in connection with any waiver
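The ‘external’ notice mentioned above is usually applied by the mail gateway. The following is an added illustration, not code from any product or from the original checklist, of the checks such a rule performs: it treats a message as external when the sender domain is not one of the organisation’s own domains (assumed here to be the constructed value `corp.example`), when the Reply-To domain differs from the sender domain, or when the display name imitates an internal address, and it then prefixes the subject with `[EXTERNAL]`.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed for this example: the organisation's own mail domains (constructed value).
ORG_DOMAINS = {"corp.example"}
TAG = "[EXTERNAL] "


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address header value, or '' if absent."""
    _, address = parseaddr(addr)
    return address.rpartition("@")[2].lower()


def external_reasons(msg: EmailMessage) -> list:
    """Return the reasons a message counts as external (empty list means internal)."""
    reasons = []
    from_value = msg.get("From", "")
    from_domain = _domain(from_value)
    if from_domain not in ORG_DOMAINS:
        reasons.append(f"sender domain {from_domain!r} is not an organisation domain")
    reply_domain = _domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain!r} differs from the sender domain")
    display_name, _ = parseaddr(from_value)
    # A display name such as "alice@corp.example" on a non-organisation sender address
    # is a common way to make a phishing email look internal.
    if "@" in display_name and _domain(display_name) in ORG_DOMAINS and from_domain not in ORG_DOMAINS:
        reasons.append("display name imitates an internal address")
    return reasons


def tag_external(raw: str) -> EmailMessage:
    """Parse a raw RFC 5322 message and add the external notice if it applies."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = external_reasons(msg)
    if reasons:
        subject = str(msg.get("Subject", ""))
        if not subject.startswith(TAG):  # do not tag twice on re-delivery
            if "Subject" in msg:
                msg.replace_header("Subject", TAG + subject)
            else:
                msg["Subject"] = TAG.strip()
        msg["X-External-Sender"] = "; ".join(reasons)  # records why it was tagged
    return msg


# Constructed sample messages for demonstration.
INTERNAL_SAMPLE = "From: Alice <alice@corp.example>\r\nTo: bob@corp.example\r\nSubject: Quarterly figures\r\n\r\nSee attached.\r\n"
EXTERNAL_SAMPLE = ('From: "alice@corp.example" <alice@corp-example.test>\r\nReply-To: refunds@payments.test\r\n'
                   "To: bob@corp.example\r\nSubject: URGENT: claim your refund today\r\n\r\nClick now.\r\n")
```

Running `tag_external` over the two samples leaves the internal message untouched and tags the second, recording all three reasons in the added header.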
Cyber-incidents
Be prepared for a cyber-incident by:
- updating your cyber-incident response plan, printing a copy and storing it in a safe place. It is also a good idea to send a copy to your organisation’s legal counsel for safe-keeping. Take the same steps with any insurance policies.
- establishing a cyber-incident response plan as soon as possible if you don’t already have one.
Explanatory notes
Cyber-attacks are always a risk for organisations. This risk increases during a pandemic as a result of the sudden increase in non-standard communications, the use of new and untested remote working arrangements, and a heightened level of stress and anxiety. Incorrectly addressed emails, theft of company devices and a massive increase in remote connections all increase the risk of a successful cyber-attack.
It is important to ensure that your organisation’s information is secure, that staff have access to the right equipment, and that all policies are updated (if needed) and rolled out to staff.
A cyber-incident response plan is set up by an organisation to address a suspected data breach. The key steps in the plan are: preparation, identification, containment, eradication, recovery and lessons learned.
In the event of a cyber-incident, your organisation’s response plan should start with an engagement of the organisation’s core response team, legal counsel, and any cybersecurity response consultants.
Related Links:
National Cyber Security Centre (NCSC) guidance on homeworking and cybersecurity
National Cyber Security Centre (NCSC) incident management
European Union Agency for Cybersecurity (ENISA): Top Tips on cybersecurity when working remotely