One of the key preventive measures for the spread of Covid-19 is social distancing. Luckily, in this increasingly connected world we can continue our professional and private lives virtually. However, with huge increases in the number of people working remotely, it is of vital importance that we also take care of our cyber hygiene.
The following recommendations for maintaining an adequate level of cybersecurity when teleworking are divided into those for employers and for staff on teleworking.
Recommendations for employers
1. Ensure that the corporate VPN solution scales and is able to sustain a large number of simultaneous connections.
2. Provide secure video conferencing for corporate clients (both audio/video capabilities).
3. All the corporate business applications must be accessible only via encrypted communication channels (SSL VPN, IPSec VPN).
4. Access to application portals should be safeguarded using multifactor authentication mechanisms.
5. Prevent the direct Internet exposure of remote system access interfaces (e.g. RDP).
6. Mutual authentication is preferred when accessing corporate systems (e.g. client to server and server to client).
7. Provide where possible corporate computers/devices to staff while on teleworking; ensure that these computers/devices have up-to-date security software and security patch levels and that users are regularly reminded to check patch levels. It is advisable that a replacement scheme for failing devices is also in place.
8. BYOD (Bring your own device) such as personal laptops or mobile devices must be vetted from the security standpoint using NAC, NAP platforms. (e.g. patch check, configuration check , AV check etc.).
9. Ensure that adequate IT resources are in place to support staff in case of technical issues while teleworking; provide relevant information, e.g. on contact points, to staff.
10. Ensure policies for responding to security incidents and personal data breaches are in place and that staff is appropriately informed of them.
11. Ensure that any processing of staff data by the employer in the context of teleworking (e.g. time keeping) is in compliance with the EU legal framework on data protection.
Recommendations for staff on teleworking
1. Use corporate (rather than personal) computers where possible - unless BYOD has been vetted as per relevant point under Section 1 above. As far as possible, do not mix work and leisure activities on the same device and be particularly careful with any mails referencing the corona virus.
2. Connect to the internet via secure networks; avoid open/free networks. Most wifi systems at home these days are correctly secured, but some older installations might not be. With an insecure connection, people in the near vicinity can snoop your traffic (more technical people might be able to hijack the connection). That having been said, the risk is not that much higher than when using public 'open networks' except for the fact that presumably people will be in the same place for a long time. The solution is to activate the encryption if it hasn't been done already and/or to adopt a recent implementation. Note that this risk is somewhat mitigated by using a secure connection to the office.
3. Avoid the exchange of sensitive corporate information (e.g. via email) through possibly insecure connections.
4. As far as possible use corporate Intranet resources to share working files. On the one hand, this ensures that working files are up-to-date and at the same time, sharing of sensitive information across local devices is avoided.
5. Be particularly careful with any emails referencing the corona virus, as these may be phishing attempts or scams (see below). In case of doubt regarding the legitimacy of an email, contact the institution’s security officer.
6. Data at rest, e.g. local drives, should be encrypted (this will protect against theft / loss of the device).
7. Antivirus / Antimalware must be installed and be fully updated.
8. The system (operating system and applications used, as well as anti-virus system) needs to be up to date.
9. Lock your screen if you work in a shared space (you should really avoid co-working or shared spaces at this moment. Remember, social distancing is extremely important to slow down the spread of the virus).
10. Do not share the virtual meeting URLs on social media or other public channels. (Unauthorized 3rd parties could access private meetings in this way.
Phishing scams linkded to COVID-19
It is important to step up awareness of digital security during this time as we have already seen an increase in phishing attacks. Attackers are exploiting the situation, so look out for phishing emails and scams.
In the current situation, one should be suspicious of any emails asking to check or renew your credentials even if it seems to come from a trusted source. Please try to verify the authenticity of the request through other means, do not click on suspicious links or open any suspicious attachments.
- Be very suspicious of mails from people you don't know- especially if they ask to connect to links or open files (if in doubt phone your security officer).
- Mails that create an image of urgency or severe consequences are key candidates for phishing - in these cases always verify via an external channel before complying.
- Mails sent from people you know, but asking for unusual things are also suspect - verify by phone if possible.
Press release by ENISA
Publié le 25 mars 2020