A large number of companies and institutions have in recent days introduced a compulsory policy of working from home — a “home office”. It is realistic to assume that the transition to a “home office” will become a new reality for many of us, also considering that, according to the World Health Organisation, the spread of the COVID-19 virus formally reached the status of a “pandemic” on 11 March 2020.
Some companies and organisations are starting to use the home office model to a large extent right now. However, alongside the effort to minimize the risk of infection, these entities will also have to deal with new problems: not only how to effectively measure and check their employees’ productivity remotely, but in particular how to ensure adequate security of their infrastructure and data when a large number of employees access internal systems and networks from outside the company environment.
Therefore, the National Cyber Security Centre SK-CERT has prepared several recommendations for companies on how to set up a safe work-from-home arrangement without endangering the operation of the company and the security of its infrastructure through teleworking:
- if you are unable to ensure that employees will access internal networks only with devices that are sufficiently secure, you should provide them with such devices,
- if you allow your employees to use their own devices to connect to internal networks (BYOD concept – bring your own device), then remember:
  - a separate VPN connection to the workplace must be established from each device so that individual connections can be activated or deactivated if necessary,
  - tablets, mobile phones and laptops authorized for work at home must be updated and secured,
  - devices must be protected by a strong password and have internal storage encryption enabled,
  - the device may be used only by the employee and for work purposes only; usage by other members of the household, such as children, can compromise the device or lead to its malfunction,
  - if it is demonstrated that the device has been compromised, the employer must remove the device from the list of authorized devices,
  - any unauthorized tampering with the device or installation of software downloaded from illegal or suspicious sources must be prohibited,
  - on all BYOD devices, the employer must be able to technically enforce security rules and features, such as remote administration, enforcement of device policies, access control for external storage media (e.g. USB sticks), and capabilities up to and including remote deletion of the employer’s data from the device,
- use your home office model appropriately to ensure that your company’s key and critical services are not compromised; we also suggest following the recommendations we have already issued regarding the current situation: https://www.sk-cert.sk/en/security-recommendations-of-the-national-cyber-security-centre-sk-cert-for-operators-of-essential-services-regarding-to-covid-19-updated-measures/index.html,
- security of your infrastructure and data must be a priority – remote work can create security risks, and therefore, please pay more attention to monitoring abnormal behaviour on your network and unexpected outages,
- prepare a guide for your employees on how to behave safely in the home office – you can be inspired by our recommendations for individuals or by free-of-charge training programmes (for example https://www.sans.org/security-awareness-training/deployment-kit-videos),
- set up a secure VPN connection for your home office employees to access your internal networks; make sure your VPN technology has the latest updates and pay special attention to whether your technology has critical vulnerabilities,
- minimize access to critical systems for employees who work from home and define the privileges they need – if necessary, you can assign higher ad hoc privileges for a specific period of time, for example, for particular system tasks,
- ask your employees to use secure and unique passwords for each system separately,
- enforce two-factor authentication wherever possible; avoid SMS-based two-factor authentication,
- provide your employees with a secure method to back up the data; keep in mind that the processing of data that is subject to a specific mode (e.g. GDPR, data being subject to contractual restrictions, etc.) cannot be backed up to your employees’ home backup devices; in particular, personal data should be backed up only centrally and via a secure channel,
- create a secure communication platform, like a secure chat, for your employees working from home; this platform can be used not only for communication with other colleagues and better coordination, but also for reporting suspicious events, incidents, phishing emails or other compromising attempts; trusted online services can be used as well,
- regularly instruct your employees about the risks in cyberspace, especially about social engineering and phishing, which are the most common attack techniques and the first step in successfully infiltrating the infrastructure,
- regularly evaluate the risks associated with your home office arrangement and the limited operation of your organization, and respond flexibly to any changes.
As we have warned several times (for example at https://www.sk-cert.sk/en/national-cyber-security-centre-sk-cert-warns-against-ongoing-harmful-activities-related-to-covid-19/index.html), at times of uncertainty and fear among people as a result of the spread of the COVID-19 virus, attackers in cyberspace also become more active and exploit the situation not only for financial enrichment, but also for sophisticated attacks on organizations and companies. They are aware that most companies will operate in a more limited mode, and the home office in particular may be an opportunity for them to infiltrate the organization’s infrastructure more easily.