#WorkFromHome Cyber Safety Guidelines
Social distancing is one of the main ways to contain the spread of COVID-19 and “flatten the curve”. This means that a lot of companies and governments have started to instruct staff to work from home. However, telework can create cybersecurity risks. With this in mind, TT-CSIRT has compiled a list of telework security guidelines from several sister agencies and international organizations.
Tips for Remote Workers
- Only use WiFi you trust. With an insecure connection, people in the near vicinity can snoop on your traffic.
- Use company sanctioned devices.
- Update antivirus software.
- Update all software and the operating system.
- Remember to back up periodically. All important files should be backed up regularly. In a worst-case scenario, for instance if staff fall foul of ransomware, all is lost without a backup.
- Lock your screen if you work in a shared space. (You should really avoid co-working or shared spaces at this moment. Remember, social distancing is extremely important to slow down the spread of the virus.)
- Make sure you are using a secure connection to your work environment. This means using a VPN or some other secure means like TeamViewer.
- Beware of phishing emails. Attackers are exploiting the COVID-19 global pandemic, so look out for phishing emails and scams. Be suspicious of any e-mails asking you to check or renew your credentials, even if they seem to come from a trusted source. Please try to verify the authenticity of any significant or suspicious request through other means. Do not click on suspicious links or open any suspicious attachments.
Tips for Employers
- Focus on securing systems that enable remote access, such as VPNs. Ensure these systems are fully patched, firewalls are properly configured, and anti-malware and intrusion prevention software is installed.
- Never directly expose RDP to the internet (require VPN connection first).
- Implement multi-factor authentication wherever possible.
- Consider restricting access to sensitive systems where it makes sense.
- Send out phishing awareness emails to your employees.
- The use of unauthorized software for official purposes (known as shadow IT) can increase when working remotely, raising security and privacy risks. Ensure staff are aware of the policy, privacy and legal obligations that apply to your organization’s information.
- Examine your incident response plans and, if necessary, update these to account for staff working remotely.
- Review your business continuity and contingency plans. Ensure these are up to date.
Tips for Video Conferencing and Chat Groups
- Ensure persons can join via invitation only.
- Require a password to join the meeting/group.
- Where possible, require administrator approval before someone can join the group.
- Do not post meeting/group links to social media.
- Ensure video conferencing and chat software is always up to date.
If there is anything you think should be added to the guidelines, please feel free to contact TT-CSIRT via firstname.lastname@example.org. As always, should your organization fall victim to a cyber attack, please contact TT-CSIRT immediately.
European Union Agency for Cybersecurity (ENISA)
U.S. Cyber and Infrastructure Security Agency (CISA)
New Zealand National Cyber Security Center (NCSC)
New Zealand Computer Emergency Response Team (CERT NZ)