Due to the alarm condition caused by coronavirus, many administrations and public bodies are promoting telework to ensure the continuity of their functions and services. Teleworking, however, can present cybersecurity risks if it is not planned in time, staff has not been adequately trained, and equipment and connections are not properly configured.. Given the current context of emergencies, this may not have been the case in many cases; for this reason we offer you one selection of the main basic protection measures to take into account that can help you to tele-work minimizing the security risks in the processing of the information of your organization.
It is essential to keep in mind that the current situation is very attractive for criminal "hackers" to steal passwords and hijack confidential information in exchange for a ransom. Cases of this type have occurred in recent months in public administrations with serious economic and reputational damage.
This selection was made with the aim of facilitating a practical and executive guide, aimed at non-expert users of medium and small public administrations, who do not have the resources to apply a complete and advanced security plan. We want to avoid over-information and make non-viable recommendations in the circumstances we are in. For users who are interested in delving into this topic, we provide additional links at the end of the guide.
These recommendations are general in nature. If your organization has its own cybersecurity guide, pay attention to that one.
Organizational aspects
Follow the safety instructions of the technological manager of your organization
Make use of the tools and applications authorized by your organization. If you need to use other solutions be careful and use only trusted applications.
Further…
- Validates that corporate documents that you will work from home are backed up.
- Be very clear what is the channel of communication of incidents and resolution of doubts.
- Immediately notify any cybersecurity incident to your entity's technology manager.
Work team
From your home work team you will have access to the confidential information of your organization. Whether you are using a corporate computer or a personal computer, a series of protective and preventive measures must be taken into account. If you use a corporate work team, the most common is to comply with most or all of the recommendations through the security policies that the administrator has forced.
Make sure that your system and applications are up to date with the latest version of each of them and that automatic version updating is enabled.
- For Windows
- For MAC
Verify that your computer has an active anti-virus and anti-malware system.
- For Windows: active Microsoft Defender Anti-malware
- For MAC: install a market solution with a free version: Kaspersky, Avast, AVG, Bitdefender, etc.
Apply the screen lock automatically after ten minutes.
Further…
- Create a separate account for your family and for teleworking in your operating system. Any unauthorized access to confidential information should be avoided.
- For Windows
- For MAC
Internet connection and remote access
Avoid using unfamiliar and trusted WiFi public networks to remotely access the organization's services.
Further…
- Use, if possible, the VPN (virtual private network) connection services recommended by your organization to access corporate information systems.
- Configure the Router password with secure encryption systems: WPA3 (preferably) or WPA2.
Backups
All the office documentation that you generate on the private computer that you use for tele and are not stored on the server of the organization, surely will not have an automated backup system. Therefore, it is recommended that you take the precaution of backing up.
Back up the documents generated locally through one of the following mechanisms:
- USB sticks: You should have previously cleaned or formatted the device to ensure that there is no risk
- External hard drive
- Cloud storage service authorized by the organization
Passwords and authentication
Use, whenever possible, access to digital certificate information systems or dual factor authentication systems to prevent theft of your password. (Dual-factor systems are based on one-time codes that are sent via SMS or to an APP)
Use complex passwords: combination of special characters, upper and lower case letters and numbers.
Don't write corporate passwords anywhere
Si you install digital certificates in software on your personal computer (TCAT-P, idCAT Certificate) uses the "Enter Password for private key" option: this way you can only use the digital certificate if the password is known.
Further…
- If you have to use many accounts with different users and passwords, use an application to securely manage different passwords. There are several solutions that offer a free version (LastPass, Dashlane, etc.). Apple - iOS devices have a password manager integrated with the operating system.
Safe Internet browsing
Avoid browsing unsecured pages and avoid installing any questionable software or content.
Further…
- Media web browsers must be updated and configured with the latest software patches and patches.
- Periodically delete your browsing history, cookies, reminders and other temporary files. This avoids potential spy elements.
Phishing
El Phishing is a type of cybercrime that consists of sending fraudulent emails with the aim of stealing your password or other personal information. It is one of the most used scams by computer criminals. The operation of the phishing is simple: it receives an email, with a legitimate appearance asking to update, validate or confirm information through a link. After clicking on it, you will be redirected to a fake web page, where the password or other data is stolen.
Do not click on links, or download any attachments from suspicious emails. Suspicion of emails asking for unusual actions to reset passwords. Check the sender's address (not the alias) for seemingly legitimate emails.
Further…
- When you connect via web check in the browser bar that the web address of the destination is correct. Cybercriminals can completely replicate a website and steal your password.
When you're done working
Close all connections to information systems and corporate websites.
Back up any local documents that you worked on that are not covered by the corporate backup.
Plus…
- It removes your browsing history, cookies, reminders and other temporary files.
More information
Users who wish to extend this information are encouraged to visit the following specialized websites:
Acknowledgements
This set of recommendations has been developed from AOC's own resources, from the guidelines of the Catalan Cybersecurity Agency, the Catalan Association of Telecommunications Engineers (Telecos.cat), consultants Genís Margarit Contel and Cristina Ribas Casademont, and the documents in the “More information” section.
From AOC we would like to thank all the selfless and proactive contributions we have received and which are very useful and valuable at this time to guarantee the security of public sector information systems.
Notes
- This guide is open to suggestions, suggestions for improvement and corrections. Your comments will be very welcome: You can send them to us innovacio@aoc.cat
- We have asked users of the free software community to help us complete the guide with specific recommendations for Linux-based operating systems.