Advice and guidance on reducing the risk of cyber attacks
The National Cyber Security Centre (NCSC) has published advice for UK companies to reduce the risk of cyber attack on deployed devices including laptops, mobiles and tablets, and tips to help staff spot typical signs of phishing scams.
Working from home is new for a lot of organisations and employees. Even if home working has been supported for some time, there may suddenly be more people working from home than usual, some of whom may not have done it before.
The NCSC has outlined recommended steps for organisations in:
Preparing for home working
Setting up new accounts and accesses
Controlling access to corporate systems
Helping staff to look after devices
Reducing the risk from removable media
Within the guidance there is advice on dealing with suspicious emails, as evidence emerges that criminals are exploiting the coronavirus online by sending phishing emails that try to trick users into clicking on a bad link. If clicked, these links could lead to malware infection and loss of data like passwords. The scams may claim to have a 'cure' for the virus, offer a financial reward, or encourage you to donate.
The guidance offers advice on spotting those emails, as well as on how to respond in the event of falling victim to a scam.
The NCSC guidance on implementing Software as a Service (SaaS) applications can help you choose and roll out a range of popular services. If you are already providing such services, you'll need to plan for a potentially large increase in users, and any new services you provide will also need to be supported.
Here are some general recommendations to support secure home working.
Remote users may need to use different software (or use familiar applications in a different way) compared to what they do when in the office. You should produce written guides for these features, and test that the software works as described.
Depending on the experience of your staff (and the applications you provide), you should consider producing a series of 'How do I?' guides so that your already stretched support team isn't overwhelmed with requests for help. For example, you might produce a 'How to log into and use an online collaboration tool' guide.
Remember, many of your staff are already stressed, so they're not in an ideal position to learn new technologies. In addition, they might not be able to ask an office workmate for help, as they normally might. You should check how staff are coping; not just in terms of how to use new technologies, but also how they are adapting to having to work in very different ways.
Staff are more likely to have their devices stolen (or lose them) when they are away from the office or home. Make sure devices encrypt data whilst at rest, which will protect data on the device if it is lost or stolen. Most modern devices have encryption built in, but encryption may still need to be turned on and configured.
Fortunately, the majority of devices include tools that can be used to remotely lock access to the device, erase the data stored on it, or retrieve a backup of this data. You can use mobile device management software to set up devices with a standard configuration.
Make sure staff know how to report any problems. This is especially important for security issues (see looking after devices below).
Your staff might feel more exposed to cyber threats when working outside the office environment, so now is a great time for them to work through the NCSC's Top Tips for Staff e-learning package.
Controlling access to your organisation's systems
Virtual Private Networks (VPNs) allow remote users to securely access your organisation's IT resources, such as email and file services. VPNs create an encrypted network connection that authenticates the user and/or device, and encrypts data in transit between the user and your services.
If you are already using a VPN, make sure it is fully patched. Additional licences, capacity or bandwidth may be required if your organisation normally has a limited number of remote users.
If you've not used one before, please refer to the NCSC's VPN Guidance, which covers everything from choosing a VPN to the advice you give to your staff.
USB drives can contain lots of sensitive information, are easily misplaced, and when inserted into your IT systems can introduce malware. When USB drives and cards are openly shared, it becomes hard to track what they contain, where they've been, and who has used them. You can reduce the likelihood of infection by:
disabling removable media using MDM settings
using antivirus tools where appropriate
only allowing products supplied by the organisation to be used
protecting data at rest (encrypt) on removable media
You can also ask staff to transfer files using alternative means (such as by using corporate storage or collaboration tools), rather than via USB. For more information, refer to the NCSC's Removable media guidance.
Using personal rather than work devices
If you are permitting people to use their own devices to work remotely, please refer to the NCSC's Bring Your Own Device (BYOD) guidance.
Spotting email scams linked to the coronavirus
Cyber criminals are preying on fears of the coronavirus and sending 'phishing' emails that try to trick users into clicking on a bad link. Once the link is clicked, the user is sent to a dodgy website which could download malware onto their computer, or steal passwords. The scams may claim to have a 'cure' for the virus, offer a financial reward, or encourage you to donate. Like many phishing scams, these emails are preying on real-world concerns to try to trick people into doing the wrong thing. Please refer to our guidance on dealing with suspicious messages.
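The following triage sketch is an added example, not part of the NCSC guidance: it flags the three lure themes described above and any link whose visible text names one domain while the underlying address goes to another. The keyword patterns, the function and class names, and the link-mismatch check (which goes beyond what the guidance itself lists) are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Lure themes named in the guidance; the keyword patterns are assumptions.
LURES = {
    "cure": re.compile(r"\b(cure|vaccine|treatment)\b", re.I),
    "financial reward": re.compile(r"\b(refund|reward|compensation)\b", re.I),
    "donation": re.compile(r"\b(donate|donation)\b", re.I),
}
DOMAIN = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage(raw_email):
    """Return findings for one raw message: lure themes and misleading links."""
    msg = message_from_string(raw_email, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    findings = [f"lure: {name}" for name, rx in LURES.items()
                if rx.search(f"{msg['subject'] or ''} {text}")]
    collector = LinkCollector()
    collector.feed(text)
    for href, shown in collector.links:
        target = (urlparse(href).hostname or "").lower()
        claimed = DOMAIN.search(shown)
        name = claimed.group(1).lower() if claimed else ""
        if name and target and target != name and not target.endswith("." + name):
            findings.append(f"link text shows {name} but goes to {target}")
    return findings

# Constructed sample message (reserved example domains), not a real lure.
SAMPLE = ('Subject: Coronavirus cure - claim your refund\n'
          'Content-Type: text/html; charset="utf-8"\n\n'
          '<p>Confirm at <a href="http://login.example.net/v">www.example.org</a></p>\n')
```

Calling triage(SAMPLE) returns two lure findings and one link finding. A message that trips these checks is a candidate for reporting and review, not proof of phishing, and a clean result does not mean a message is safe.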