18 March, 2021
Cyber Security Checklist for Remote Work Compliance & Safety
The COVID-19 situation has greatly impacted our everyday life, both personally and professionally. Existing business processes have been disrupted largely and working remotely has become the need of the hour.
While some of our clients already had a remote working policy in place, the ones who didn’t are finding it difficult to manage this change and the gaps formed because of it.
With panic and uncertainty dominating markets and industries across geographies, cybercriminals are scanning the situation, targeting businesses and their vulnerabilities to launch attacks on them and exploit them for a variety of benefits. Maze ransomware which recently attacked IT giant Cognizant is an example of one such major attack. This begs the question if IT giants who have controls and processes in place to protect their data are being attacked so easily, how can small and medium businesses protect themselves from such attack? Unlike a company like Cognizant, which can repair damages and get back on its feet, smaller businesses might not have any way of getting the business back to it post such an attack.
To ensure, that SMBs and our clients, specifically, are protected from such unscrupulous attackers, cyber-security and pen-testing experts at BreachLock have compiled a cybersecurity checklist. This checklist can help make sure that even when your entire team is working remotely, the possibility of cyber-attacks can be significantly reduced and prevented.
This checklist is divided into ten sections, and each section has a sub-list specifying action items.
- Remind employees about the need and importance of ensuring the confidentiality of data, at all times.
- Send regular reminders to employees asking them to restrict sharing their work devices with their family or friends, at any point in time.
- Remind employees that they are being monitored by the company as per the terms and conditions of employment. And the cybersecurity protocols that were applicable at the office are applicable at their home office, as well.
- Provide all employees with a VPN set up, as a remote working solution.
- Disable email forwarding. If enabled, monitor it carefully.
- Take appropriate measures to ensure that updates and patches are applied without delays for systems and applications installed thereof.
- Remind employees not to share passwords via SMS or email.
- Encourage employees to choose strong passwords. Passwords with first name, last name, birthdate, etc. should be automatically ruled out by the software itself.
- Ask employees to remember their passwords as no calls or emails will be made by the company to reset passwords.
- Make two-factor authentication for logins, mandatory.
3. Mobile devices
- Implement appropriate security measures if your business uses mobile devices to store company data.
- Ensure that employees using personal devices for official purposes are always aware of phishing and malware attacks.
- Remind employees not to download content from untrusted sources, irrespective of the device they are using.
4. Company policies and illegal activities
- Remind employees frequently about acceptable usage policies and other relevant policies as stated by the company.
- Remind employees that visiting websites that contain pornographic content is illegal.
- Employees must be aware that even when they tweet or use other social media platforms for personal use, they should follow the social media policy implemented by the company.
- Ask employees to use approved USB flash drives and cloud services only.
- Assure employees that they will receive support in case there has been a mistake. This will ensure that employees report in case there is an issue, or they have made a mistake.
5. Phishing emails and scams
- Remind employees not to open any kind of information (pop-ups) related to Coronavirus on their work devices. There have been many reports wherein the attackers are using Coronavirus to disguise their malware.
- Encourage employees to report malware and ransomware, immediately, in case they come across it on their work device.
- Increase awareness among employees on the different types of social engineering attacks.
- Remind employees to check the email addresses and ensure they are only receiving emails from their company’s domain or an otherwise trusted source whom they have received legitimate emails from earlier. Employees must ensure that they do not end up sharing confidential information with unauthorized individuals.
6. Online meetings and calls
- Remind employees that they should switch off smart devices such as Amazon Echo or Google Home when they are sharing confidential information during an online meeting.
- Encourage employees to mute their microphones during a meeting when they are not speaking.
- Encourage employees to exchange contact details and check on each other every morning to ensure no one is facing any issues that they haven’t reported.
- Ensure that employees are in the habit of blocking webcams, both physically and through the application.
7. Exceptions and Changes
- Ensure that an exceptions folder is made.
- Call meetings to review such exceptions.
- Make a Folder named “No way this is an exception” to direct the employee’s attention to what can in no way be an exception.
- Document and monitor all changes.
- Remind employees to respect client privacy, as the client or their representative is also working from home.
- Remind employees not to print the personal information of any client while they are working from home.
9. Cyber-attacks and incident response
- Streamline processes to report any kind of incident.
- In case of a new system in place, assure employees that this a new setup and issues may occur. However, they can be resolved as soon as issues are reported.
- Keep printed checklists at home in a place where it is not accessible to others.
- If the company does not have an incident response policy, appropriate resources should be dedicated immediately to frame, test, and implement such a policy.
- Remind employees to backup all types of critical or important documents. Working remotely can lead to the loss of information unknowingly; therefore, backup is very important.
- Employees must be continuously reminded that only approved hard disks can be used to back up their information.
We have tried to make this checklist as thorough and easy to follow as possible to ensure that your business is safe from cyber-attacks. One way of following through with this checklist is to assign two weeks as “Cyber Security Awareness Week,” in which you can share one section each during 10 workdays. By following cybersecurity best practices during these trying times not only can you ensure your business remains safe from cyber-attacks but also ensure that these actions turn into an everyday habit.