As we help our clients and community respond to an increase in remote working, we wanted to share this remote working cybersecurity checklist which we hope will help keep everyone secure when working remotely.

General Cybersecurity

  • Ensure laptops/devices have hardware encryption
  • Where possible, ask that screen filters are used to make shoulder-surfing harder
  • Make two-factor authentication (2FA) mandatory for all remote workers, including for email and when accessing any critical systems or applications
  • Encourage staff to use password managers
  • Remind staff NOT to open unexpected links or documents claiming to contain Coronavirus information, and ask them to report these
  • Remind staff about the need to protect confidentiality
  • Ask staff NOT to defer critical updates to software
  • Remind staff that they should avoid objectionable websites and material (gambling, pornography, illegal streaming sites) as if they are in the office and in line with IT policies
  • Remind staff NOT to lend their machines to their children or other members of the family
  • Stress the IMPORTANCE of NOT sharing passwords (remote working can lead to more password sharing)

Phishing Emails

  • Remind staff that it’s ok to make a mistake and that they should own up if they have:
    • Accidentally clicked on a suspicious file and/or link
    • Opened a suspicious PDF, or a Word or Excel file with a macro
  • Staff MUST report malware/ransomware infections immediately

Online Meetings & Calls

  • Remind staff to MUTE the microphone when they are not speaking in a conference call
  • Educate all staff to check webcam settings
  • Remind staff NOT to leave their machines UNLOCKED, especially during a call or when visiting the loo
  • Ask staff NOT to work from coffee shops or public places (if possible) – especially if they are on confidential calls or working on confidential documents

Privacy

  • Remind all staff of their responsibility to respect the privacy of your clients and your staff
  • Remind IT and cybersecurity folks to be extra vigilant for possible malicious activity on user accounts
  • Staff must be reminded NOT to send personal information via email OR store personal information in non-approved locations
  • Staff members may be exchanging personal phone numbers and/or email addresses. If possible avoid this, OR ask staff to prepend “delete-later” to the contact name if they save these details
  • Check exceptions (get ready to grant exceptions left, right and centre):
    • If you don’t have one yet, create an exceptions register
    • Set a review-by date for each exception and put multiple calendar reminders in for you/your team to review them
    • Where possible, have a “No way this is an exception” list

Cyber-attack & Incident Response

  • Constantly remind staff to be alert for phishing emails and other attempts to compromise/steal account details. Staff must report these emails and any malicious activity
  • Encourage them to call certain stakeholders if they want to
  • Security staff must be extra vigilant and actively seek out suspicious activity (given the remote working habits of users this may be operationally expensive)
  • Ask IT and security staff (including outsourcers) to pick up the phone and call if it’s important rather than relying solely on email. Use a separate out-of-band app, or something as simple (though not very secure) as a WhatsApp group, for urgent communications
  • Keep a printed copy of your procedures and checklists at home stored safely
  • Remind all staff that it’s ok to make mistakes (like sending emails to the wrong recipients, clicking on a malicious link, causing an outage, etc.) and that they MUST own up immediately. Stress that in most cases there will be NO repercussions for admitting a mistake, but there likely will be for not flagging an issue (breach).

Backups

  • Provide staff software to ensure their critical documents are backed up to the cloud.
  • Ask staff not to use unapproved external cloud storage services
  • Ask staff to reach out to discuss any cloud storage or cloud service solution that they want to use