Remote Working is the practice of an employee working at their home, or in some other place that is not an organisation’s usual place of business.
Remote working brings an increased reliance on technology. It is therefore important to have good security controls and clear policies and procedures that help staff minimise the risk of a cyber breach and practical steps to take should something happen.
Off-site working means that rather than being connected to the internet
via an organisation’s secure networks, employees and volunteers are connecting their devices to home networks or other untrusted networks with unknown levels of security.
All controls must still be met in line with the Cyber Essentials Requirements for IT Infrastructure for remote workers to help reduce the risks.
Network firewalls act as the first line of defence against potential cybersecurity vulnerabilities, and charities should have installed them at their network boundary.
In addition, host based firewalls, installed on your device must be turned on and configured to meet Cyber Essentials requirements. Where you do not control the network firewall, for example, in a coffee shop, hotel or conference centre, the host-based firewall on your device will act as your boundary.
Opening ports in the firewall should only happen when there is a documented business case for doing so, for example, to allow access to a public facing website for clients. A documented business case means that the reason for opening a port must be discussed and recorded. The requirement should be reviewed regularly and when the ports no longer need to be open, they should be closed as soon as possible. When working remotely, thought needs to be given regarding open ports and settings may need to be adjusted on individual devices.
A Corporate VPN is a Virtual Private Network solution that connects back to the applicant’s office location or to a virtual/cloud firewall. This must be administered by the applicant organisation so that the firewall controls can be applied.
The use of a corporate VPN would be recommended if available, as this will transfer the remote workers boundary back into the control of the charity.
All software including Operating Systems should be licensed and supported. Automatic security updates should be automatically applied where possible. Where it is not possible, all high and critical security updates need to be applied within 14 days.
Identifying users and restricting access is good practice for all businesses. The more access, the more risk, so it is recommended that access privileges are only given to those that need them. These privileges should be regularly reviewed.
Staff should use a standard user account to carry out their normal day to day work. A separate administrator account should be used to install and remove software, and other administrative tasks.
Multi Factor Authentication (MFA) is a second form of authentication. The factors are traditionally defined as something you know, something you have and something you are. A password would be an example of something you know and a mobile device that you could receive a one time PIN code via SMS text message would be an example of something you have. A fingerprint or facial recognition scan would be an example of something you are.
User identity should be confirmed with MFA wherever this is available. This is even more important for remote workers who are potentially logging in via an untrusted network. You are not required to purchase an MFA solution if the services you are logging into do not have the option as standard.
One of the biggest human-factor risks to organisations is staff re-using their passwords for multiple accounts. If a volunteer uses the same password for their work account as their social media account, potentially a breach of that account or any account where the username-password combination has been used, could equal a big security problem for your organisation.
Cyber Essentials asks organisations to hold robust password policies. These include being able to confirm that passwords are changed if compromised. In order to answer ‘yes’ to this question, charities need to be aware of what constitutes a *breach and be confident that staff members would recognize and report one.
*A data breach occurs when information held by an organisation is stolen or accessed without authorisation. This can include destruction, loss, alteration or unauthorised disclosure of organisational data or lead to further unauthorised access to other organisational services.
Passwords should be a minimum of 8 characters and difficult to guess. Passwords should not be made over complex or be changed regularly as this will add to the burden on a user and may lead to them needing to write down their passwords which could lead to a breach.
A password policy should inform users how to avoid choosing obvious passwords (such as pet names, and personal information that would be easy to discover). It would also notify users to avoid reusing the same password and where and how they can store passwords if needed, eg using a Password Manager.
Whilst cloud services prevent the need for remote desktop access, cloud services do need to be correctly configured and users need to have training to understand how to use them securely.
During the pandemic, many charities have increased their use of Microsoft 365 and G Suite, and used tools such as Teams, and Zoom to connect remotely.
Cloud platforms are not secure by default and organisations are responsible for protecting the data and applications they use.
Remote Working Procedure and Policy
If you are allowing users to connect remotely, ensure security requirements are explicitly referenced in any agreements and that the policies reflect behavioural expectations and security expectations, even in the home environment.
Organisations should ensure that policies and procedures that support remote working are reviewed regularly.