We are living through a difficult time due to the alarm caused by the coronavirus. Many public administrations and private companies are promoting remote work to ensure the continuity of their functions and services. However, teleworking can create significant risks if cybersecurity measures have not been planned, staff have not been properly trained, and equipment and connections have not been securely configured. Given the current emergency, in many cases this has not happened; for this reason, we offer a selection of the main essential protection measures that can help you telework while minimizing security risks in the handling of your organization's information.
The current situation is very tempting for criminal hackers who steal passwords and hold sensitive information hostage in exchange for a ransom. Similar cases have occurred in recent months in public administrations, with severe economic and reputational impact.
This is a practical and executive guide, aimed at non-expert users in medium and small public administrations who do not have the resources to implement a complete and advanced security plan. We want to avoid information overload and recommendations that are not viable in the extraordinary circumstances we are in. For users who are interested in exploring this topic further, we provide additional links at the end of the guide.
These are general recommendations. If your organization has a specific cybersecurity guide, pay attention to it.
1. Organizational policies
- Follow the security instructions of your organization's IT manager.
- Use the tools and applications authorized by your organization. If you need to use other solutions, be careful and use only trusted applications.
- Check the backup procedure for corporate documents accessed from home.
- Know the channel for reporting incidents and resolving doubts.
- Immediately report any cybersecurity incident to your IT manager.
2. Your computer
From home, you will have access to confidential information about your organization. Whether you are using a corporate or a personal computer, a series of protective and preventive measures must be considered. If you use corporate equipment, you most likely already meet most or all of the recommendations through the security policies that your IT administrator has enforced.
- Make sure your computer has an active anti-virus and anti-malware system.
> For Windows: activate Microsoft Defender Anti-malware.
> For Mac: install a commercial solution that offers a free version: Kaspersky, Avast, AVG, Bitdefender, etc.
- Set the screen to lock automatically after ten minutes of inactivity.
- Create separate user accounts in your operating system for family use and for telework, to avoid any unauthorized access to confidential information: Windows, Mac
- Activate a firewall on your computer: Windows, Mac
3. Internet connection and remote access
- During teleworking, avoid accessing the Internet through unknown or untrusted public WiFi networks.
- Use, if available, the VPN (virtual private network) remote connection service recommended by your organization to access corporate information systems.
- Verify that your Internet router does not use the factory default password. You will find many tutorials on the Internet and YouTube; for example, the instructions by Netspot.
- Configure your router's WiFi with a secure encryption standard: WPA3 (preferably) or WPA2.
4. Backups
Documents generated on your personal computer are probably not stored in the corporate file management system, so they will not be backed up automatically. Therefore, it is recommended that you make your own backups.
- Back up locally generated documents through any of the following mechanisms:
> USB flash drives: clean or format them beforehand to make sure they are safe.
> External hard drive.
> Cloud storage service authorized by the organization.
5. Passwords and authentication
- Whenever possible, access information systems with a personal digital certificate or a two-factor authentication (2FA) system to protect your accounts against password theft. (2FA is based on one-time codes sent via SMS or to a mobile app.)
- Use complex passwords with a combination of special characters, upper- and lower-case letters, and numbers.
- Do not write corporate passwords down anywhere.
- If you install a software digital certificate on your personal computer, choose the option “Write the Password for a private key.” That way, you retain control, and only you can use the digital certificate.
- If you have multiple accounts with different users and passwords, use a password management application for safety.
- Several solutions offer a free version: LastPass, Dashlane, etc.
- Apple iOS devices have a password manager integrated into the operating system.
6. Safe Internet browsing
- Avoid browsing unsecured pages and avoid installing any questionable software or content.
- Keep your web browsers updated to the latest release with all software patches applied.
- Periodically delete your browsing history, cookies, remembered passwords, and other temporary files. This reduces what potential spyware can collect.
7. Phishing
Phishing is a type of cybercrime that consists of sending fraudulent emails to steal your password or other personal information. It is one of the scams most used by computer criminals. The operation of phishing is simple: you receive an email that looks legitimate, asking you to update, validate, or confirm information through a link. After clicking on it, you are redirected to a fake web page where your password or other personal information is stolen.
- Do not click on links or download attachments from suspicious emails, especially those asking for unusual actions such as resetting passwords or updating information. Check the sender's actual address (not the display alias) to validate the origin.
- When you connect to an online application, check in the browser's address bar that the web address is correct. Cybercriminals can fully replicate a website and steal your password.
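The two checks recommended above (the real sender address behind the alias, and where a link really points) can be automated as a simple triage aid. This is an added example, not part of the original guide; the sample message, the `example.org` organization domain and the function names are constructed for illustration.

```python
"""Flag two phishing indicators: a sender alias naming the organization while the
real address is elsewhere, and links whose visible URL differs from the real target.
Example code; ORG_DOMAINS and the sample message are constructed, not real data."""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAINS = {"example.org"}  # constructed: domains your organization really uses

def sender_mismatch(from_header: str) -> bool:
    """True when the display alias mentions an org domain but the real address does not."""
    alias, address = parseaddr(from_header)
    real_domain = address.rsplit("@", 1)[-1].lower()
    alias_mentions_org = any(d in alias.lower() for d in ORG_DOMAINS)
    return alias_mentions_org and real_domain not in ORG_DOMAINS

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html_body: str) -> list:
    """Return hrefs whose real host differs from the host shown in the link text,
    or whose host lies outside the organization's domains."""
    parser = _LinkCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        target_host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"https?://([^/\s]+)", text)
        shown_host = shown.group(1).lower() if shown else None
        if (shown_host and shown_host != target_host) or target_host not in ORG_DOMAINS:
            flagged.append(href)
    return flagged

# Constructed sample: the alias claims example.org, the real sender is another domain,
# and the visible link text hides a look-alike host.
SAMPLE_FROM = '"IT Support example.org" <helpdesk@mail-example-login.net>'
SAMPLE_BODY = ('<p>Confirm your account at '
               '<a href="http://example.org.account-check.net/login">https://example.org/login</a>'
               ' or read the <a href="https://example.org/policy">policy</a>.</p>')
```

`sender_mismatch(SAMPLE_FROM)` returns True and `suspicious_links(SAMPLE_BODY)` returns only the look-alike link; the genuine policy link is left alone.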
8. At the end of the day
- Close all connections to corporate information applications and websites.
- Back up all local documents you have worked on during the day that are not covered by the corporate backup.
- Delete browsing history, cookies, remembered passwords, and other temporary files.
Users who wish to learn more are encouraged to visit the following specialized web pages:
- Cybersecurity rules for the provision of services in the mode of telework: Catalonia Cybersecurity Agency.
- “Cybersecurity and data protection” online course: School of Public Administration of Catalonia.
- Safety guide in teleworking: ICT Security Center of the Community of Valencia.
- Teleworking Guidance: Best Practices, Sample Policies, and Cybersecurity University of North Carolina, School of Government.
- Teleworking Quick Reference Guide: California Cyber Security Integration Center.
- CCN-CERT BP/18 Security Recommendations for Remote Work: Spanish National Cryptologic Center (advanced content).
- How to Implement a Safe Remote Access Policy: Spanish National Cryptologic Center (advanced content).
- Guide to Enterprise Telework and Remote Access Security: National Institute of Standards and Technology (advanced content).
This set of recommendations has been prepared by the Innovation Team of the Open Government of Catalonia Consortium, following the guidelines of the Catalan Cybersecurity Agency, the Catalan Association of Telecommunications Engineers (Telecos.cat), the consultants Genis Margarit and Cristina Ribas, and the documents in the “More information” section.
- This guide is open to suggestions, new ideas, and corrections. Your comments will be very welcome.
- We have asked users of the free software community to help us complete the guide with specific recommendations for Linux-based operating systems.