
Objective: Ensuring the Cybersecurity of Telework or Distance Working

How?

Take care of the devices:

  • Preferably use devices authorised by your organisation and if you lose them, inform the cybersecurity officer;
  • Be the only one using them - prevent others from using them;
  • Use only reliable USB sticks;
  • Enable automatic device locking and use a PIN or password;
  • Use a privacy filter on your laptop screen.

Take care of systems and data:

  • Ensure with your organisation that devices are up to date and have antivirus and firewall enabled;
  • Make regular backups to an external device.

Take care of navigation:

  • Avoid using Wi-Fi in public spaces and always use your organisation's VPN;
  • Always browse HTTPS websites;
  • Change the home Wi-Fi password after installation;
  • Ensure your home Wi-Fi has a strong, secret password and change it regularly;
  • Change the name of your home Wi-Fi so that it is not easily identified as yours;
  • Choose the strongest encryption mode for your Wi-Fi network;
  • Ensure your organisation's network is segmented to protect the internal network.

Take care of communication:

  • Do not open unknown emails or SMS, and do not click on unknown links or attachments;
  • Encrypt sensitive communications;
  • Don't share professional information on social media.

WHAT GOES WELL WHEN YOU ACT WELL

  • Help keep your organisation protected from cyberattacks;
  • Your organisation's sensitive or competitive information is more secure;
  • Avoid being responsible for a cybersecurity incident.

WHY CARE

Because by working outside the physical context of our organisation we make systems and information management more vulnerable, as we are more exposed to third parties, both in physical and digital terms.

DID YOU KNOW

Employees, voluntarily or involuntarily, are sometimes primarily responsible for cyberattacks affecting their organisations (the insider threat). In fact, this responsibility is often the result of carelessness rather than malicious intent. This is why so much importance is given to the human factor in cybersecurity. No matter how well organisations are equipped with the best technical protection infrastructure, a human error is enough to put cybersecurity at risk, namely through actions such as clicking on a link to malicious software, sharing sensitive information with malicious agents or on insecure websites, losing unlocked devices, using compromised USB sticks, accessing public Wi-Fi or not having home Wi-Fi with a secure password.

Employees of some organisations, whether public or private, can be prime targets for cyberespionage activities. When the organisation is private and for-profit, the motive is usually economic and related to industrial espionage, aiming to obtain privileged information for competitiveness. However, in other cases, generally linked to public organisations, the motives may put national security at stake.

The information, professional or private, that workers expose on the Internet can be used against them in acts of social engineering, such as phishing, smishing, vishing or deepfakes, in order to make these workers, isolated in telework, act in ways that benefit the offender, such as providing credentials, making bank transfers or transmitting other sensitive information. In many situations this social engineering works by impersonating the CEO or another manager (CEO fraud) in order to appear more credible and authoritative.

A cybersecurity attack chain begins with a reconnaissance phase, which can involve simply gathering information about possible social engineering targets. It is therefore important to prevent this type of situation by being conservative when sharing personal information online. Care is also needed in public spaces, as much privileged information can be gathered by discreetly viewing a carelessly exposed monitor (shoulder surfing).

When travelling, the conditions of isolation and exposure are intensified and can be perceived as vulnerabilities by those with malicious intentions. During these periods, it is very important to keep an eye on your devices in order to prevent theft or loss.

DATA

In a 2018 global survey (Cyberedgegroup), 50.6% of healthcare organisations and 47.3% of SMEs reported that their main security concern is the insider threat.

Another study (Forcepoint), in 2018, shows that in 77% of data breach cases, an insider is responsible.

In 2018, 54% of companies (Alertlogic) recorded an increase in the insider threat.

A study (Broadcom), also from 2018, shows that the data most vulnerable to insider threat is confidential business information (financials, customers, workers). The most vulnerable Information Technology assets are databases.

(ENISA Threat Landscape 2018 (2019):
https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2018)

Note: for more technical depth on cybersecurity best practices for telework, remote work, and bring your own device (BYOD), see NIST Special Publication 800-46, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security
(https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf).

Last updated on 19-07-2022