The NCSC has published a guide to help businesses adjust to home working. Here are some key takeaways.
Develop a working from home policy if you haven’t already.
Giving clear guidance and training to users is key to ensuring the success and safety of this new way of working.
Keep your remote workers' devices up to date.
- Speak to your IT team or provider to ensure that devices away from the office can receive updates in a timely manner (within 14 days for high-risk and critical patches). There are good services available that can do this at a reasonable cost.
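A way to check that 14-day window on an individual Windows device, as an added example that is not part of the NCSC guide or the original post. It queries the Windows Update Agent COM API for updates that are still pending, flags Critical/Important ones that have been available for longer than 14 days, and notes the date of the last installed hotfix. It assumes an elevated PowerShell on Windows 10/11 and that the device can reach its update source (Windows Update, WSUS or Intune).

```powershell
# Added example (not from the NCSC guide or the original post): lists the updates
# Windows Update still has pending for this device and flags Critical/Important
# ones that have been available for more than 14 days. Uses the Windows Update
# Agent COM API; run from an elevated PowerShell on Windows 10/11.
$maxAgeDays = 14   # the 14-day patch window quoted above

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
# Software updates that are not installed and not deliberately hidden by an admin
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$pending = foreach ($u in $result.Updates) {
    $kbs = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    $age = [int](New-TimeSpan -Start $u.LastDeploymentChangeTime -End (Get-Date)).TotalDays
    [pscustomobject]@{
        KB       = $kbs
        Severity = $u.MsrcSeverity          # Critical / Important / Moderate / Low / blank
        AgeDays  = $age
        Overdue  = (($u.MsrcSeverity -in 'Critical','Important') -and ($age -gt $maxAgeDays))
        Title    = $u.Title
    }
}

$pending | Sort-Object AgeDays -Descending |
    Format-Table KB, Severity, AgeDays, Overdue, Title -AutoSize

# Date of the most recently installed update, as a second sanity check
$lastInstalled = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
"Last hotfix installed: $($lastInstalled.HotFixID) on $($lastInstalled.InstalledOn)"

$overdue = @($pending | Where-Object Overdue)
if ($overdue.Count -gt 0) {
    Write-Warning "$($overdue.Count) high-risk update(s) have been waiting longer than $maxAgeDays days"
    exit 1
}
"All Critical/Important updates are within the $maxAgeDays-day window"
```

The non-zero exit code makes the script usable as a compliance check from an RMM or scheduled task. MsrcSeverity is only populated for security updates, so feature updates and drivers show a blank severity and are never counted as overdue; the age is measured from when Microsoft last published the update, not from when the device first saw it.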
Turn on the device firewall
- Many devices have the firewall disabled while on the corporate network because of legacy issues, a mistrust of the Windows Firewall, or a misconception that it isn't needed inside a trusted network. In truth the device firewall should be enabled at all times and tuned to allow through only the services and applications that need it.
- Home users should definitely have the firewall enabled and file and printer sharing disabled.
Use a separate account
- If you allow staff to use their home computers, ensure they set up a separate user account (ideally a standard, non-administrator account) to keep work and home separate. Not only does this help the user separate home and work, it should also keep little fingers from accessing things they shouldn't.
- Remember that this account should have a strong, unique password that is not shared with little fingers or anyone else.
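The firewall and separate-account steps above, applied to a home Windows 10/11 PC, as an added example that is not part of the NCSC guide or the original post. It turns the firewall on for every network profile with inbound traffic blocked by default, disables the built-in File and Printer Sharing and Network Discovery rule groups, and creates a standard (non-administrator) work account. The account name "Work" is an assumption; the rule group names are the English ones and differ on localised Windows.

```powershell
# Added example (not from the NCSC guide or the original post): hardens a home
# Windows 10/11 PC used for work. Run from an elevated PowerShell.
$workUser = 'Work'   # assumed account name; pick your own

# 1. Firewall on for Domain, Private and Public; inbound blocked unless a rule allows it
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# 2. Stop the PC advertising shares and printers to the home network
#    (rule group display names are the English ones; localised Windows differs)
Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled False
Set-NetFirewallRule -DisplayGroup 'Network Discovery' -Enabled False

# 3. Separate work account as a standard user only (member of Users, not Administrators)
if (-not (Get-LocalUser -Name $workUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -Prompt "Strong, unique password for $workUser" -AsSecureString
    New-LocalUser -Name $workUser -Password $pw -Description 'Work use only' | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $workUser
}

# 4. Verify: all profiles enabled and blocking inbound, sharing rules off,
#    and the work account absent from the local Administrators group
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Group-Object Enabled | Select-Object Name, Count          # expect only "False"
$admins = Get-LocalGroupMember -Group 'Administrators' | Where-Object Name -like "*\$workUser"
if ($admins) { Write-Warning "$workUser is a local administrator; remove it from the Administrators group" }
else         { "$workUser is a standard user" }
```

Keeping the work account out of Administrators means a phishing payload run from it cannot silently change these settings back, and anything that does need elevation prompts for the separate admin credentials.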
Watch for phishing
Home users will be more susceptible to phishing as their attention may be split between work, home schooling and other distractions. Ensure they keep an eye out and report or delete suspect emails. If an email is desperate for you to open something or click something, it's probably phishing.
- Never give out passwords
- Princes do not want to share any money with you
- Banks will never ask for PINs or passwords
- You are not that lucky
Have a plan in case a user does click on that link.
Backup and encrypt
If your home users are using a home device, they should ensure that work data is backed up or, better, only kept on the server or file share, OneDrive, Dropbox, SharePoint, etc. Train and educate your home users to properly remove work files from home devices and ideally do not allow them to be downloaded in the first place. This has a major impact on all sorts of compliance requirements, such as GDPR and the Data Protection Act 2018.
Company-controlled equipment should have disk encryption enabled so that, should the device be lost or stolen, company data is kept safe from those who should not have access to it.
Encourage your users to report loss or data breaches as soon as they notice them. This will enable the business to respond and recover quickly.
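A check for the disk-encryption point above on company Windows devices, as an added example that is not part of the NCSC guide or the original post. It assumes BitLocker is the encryption in use and reports, per volume, whether the drive is fully encrypted and protection is actually switched on (a volume can be encrypted with protection suspended, which is not safe against theft). The optional remediation step is guarded by a flag set to false so the script is a pure check by default; it requires the BitLocker module (Windows 10/11 Pro, Enterprise or Education) and an elevated prompt.

```powershell
# Added example (not from the NCSC guide or the original post): reports BitLocker
# state for every volume on a company Windows device. Needs the BitLocker
# PowerShell module and an elevated PowerShell.
$report = foreach ($v in Get-BitLockerVolume) {
    $protectorTypes = @($v.KeyProtector | ForEach-Object KeyProtectorType)
    [pscustomobject]@{
        Drive      = $v.MountPoint
        Type       = $v.VolumeType        # OperatingSystem or Data
        Status     = $v.VolumeStatus      # FullyEncrypted, FullyDecrypted, EncryptionInProgress ...
        Protection = $v.ProtectionStatus  # On means the key is actually being enforced
        Method     = $v.EncryptionMethod  # e.g. XtsAes256
        Protectors = ($protectorTypes -join ',')   # expect Tpm (or TpmPin) plus RecoveryPassword
        Compliant  = ($v.VolumeStatus -eq 'FullyEncrypted' -and $v.ProtectionStatus -eq 'On')
    }
}
$report | Format-Table -AutoSize

# Optional remediation for an OS drive that is not yet protected. Left off by
# default so the script is safe to run as a check; set $enable = $true to act.
$enable = $false
$unprotectedOs = $report | Where-Object { $_.Type -eq 'OperatingSystem' -and -not $_.Compliant }
if ($enable -and $unprotectedOs) {
    foreach ($d in $unprotectedOs) {
        # Add a recovery password first and store it away from the device
        # (AD, Azure AD/Intune or a password manager), then print it once
        Add-BitLockerKeyProtector -MountPoint $d.Drive -RecoveryPasswordProtector | Out-Null
        (Get-BitLockerVolume -MountPoint $d.Drive).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword' |
            Select-Object -ExpandProperty RecoveryPassword
        # TPM-sealed key, full-volume AES-256; a reboot completes the hardware test
        Enable-BitLocker -MountPoint $d.Drive -EncryptionMethod XtsAes256 -TpmProtector
    }
}

if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
"All volumes fully encrypted with protection on"
```

Two things the table makes visible that a "BitLocker is on" tick-box does not: Protection Off with Status FullyEncrypted means someone ran Suspend-BitLocker and never resumed it, and a Protectors column without RecoveryPassword means a TPM or firmware change will lock the user out with no way back in.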
Please note that your Cyber Essentials certification will be affected by working from home, especially if you are allowing staff to use their own equipment. If these devices access the internet and business data or services (note that this includes Citrix, Office 365, Google Apps, etc.), the device is in scope for Cyber Essentials and you will need to ensure it meets the requirements. More information about Cyber Essentials here
If you want to read more, click here to read the full NCSC post