With many of us working from home during the current pandemic, we’re sharing some advice for organisations on how to stay protected from cyber security threats whilst staff are working remotely.
It’s good practice to create a mobile working policy that assesses the risks remote working may pose to data and systems.
This policy should include:
Authorising users to work remotely – create a policy for authenticating users before granting access to systems and resources (including data). This should consider the following aspects of authentication:
User to device: User is only granted access to the device after authenticating to it.
User to service: User can only access services after authenticating to the service, via the device.
Device to service: Only devices which can authenticate are granted access.
Device security – develop and apply a secure baseline build and configuration for all types of mobile device and retain this for easy restore/configuration.
Information stored on devices – minimise the amount of data stored to only that needed to fulfil the activity. If the device supports it, encrypt the data at rest (all force laptops are password protected and encrypted).
Minimum security controls – apply an increased level of monitoring to all remote connections.
Protect data in transit – when working remotely the connection will most likely use the Internet. All information exchanged should be appropriately encrypted.
Review incident management plans – incident management plans should be sufficiently flexible to deal with a range of security incidents that could occur, including the loss or compromise of a device.
Of course, despite everyone’s best efforts, it’s still possible that incidents will occur, so it’s a good idea to have technical processes in place for remotely disabling a device that has been lost or for denying access to a corporate network.
For more information and advice on protecting your business or organisation please email Derbyshire’s Cyber Protect Office.