The need for employees to work from home has increased for most companies. IT solutions need to be used as securely as possible.
The ICO has produced the following checklist to help you identify some common IT vulnerabilities.
General principles
- We have clear policies, procedures and guidance for staff who are remote working. These include topics such as accessing, handling and disposing of personal data.
- We are using the most up-to-date version of our remote access solution.
- Our staff have been reminded to use unique and complex passwords.
- We have checked if multi-factor authentication is available and configured it where possible.
Bring your own device (BYOD)
There are different approaches to facilitate home working and each has its own security considerations. See our comparison to help you decide which is the best option for your organisation.
Cloud storage
Corporate cloud storage solutions allow users to access data away from the office on any device. They can also help prevent staff from using their own personal storage or messaging services, which can present additional risks.
- Our cloud storage is not set to public or accessible without a username or password (or other type of authentication).
- Only key staff have been given full access to the storage area; all other staff have only the read, write, edit or delete permissions their role requires.
- We are not using any default root or administrative accounts for any day-to-day activities, and they are appropriately secured.
Remote desktop
Attackers will often try to access remote access solutions using well-known privileged accounts, such as an administrator account.
- We have given our privileged accounts non-default usernames and disabled any built-in or default administrator accounts where possible.
- We only allow remote access connections for staff who require it.
For long-term strategies you should consider whether your remote access solution should sit behind a gateway or virtual private network (VPN). Short-term fixes can be applied, for example changing the listening port of your remote access solution, but this should only be viewed as a temporary measure.
Remote applications
Remote application solutions give staff access to the corporate applications they need whilst working from home. This can help prevent staff from using their own personal applications to process personal data.
- Our remote application solution does not allow access to Windows administrative tools such as PowerShell or Command Prompt.
- Our remote application solution does not allow access to shortcut keys or help keys that could be used to open non-authorised applications or features.
- Usernames and passwords are not stored in plain text in any files, folders or scripts.
For long-term strategies, as with any solution, you should look at best practices and guidance in the field. Many vendors' best practices, such as server hardening and network segmentation, apply universally to any solution.
Emails
As more staff will be working from home there will inevitably be an increase in email as a method of communication.
- We have reviewed and implemented the NCSC guidance on defending against phishing attacks.
- We have either blocked the ability to add forwarding rules to external email addresses, or have a method in place to detect such rules.
- We have advised staff to use corporate email solutions and not rely on their own email or messaging accounts for the storage or transmission of personal data.
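An added example (not part of the ICO checklist) of the detection approach in the forwarding-rules item above: a script that audits an export of mailbox rules and flags any that forward, redirect or attach-and-forward to an address outside the organisation's own domains. The rule field names, the corporate domain and the sample rules are constructed assumptions for this example, not any mail platform's export format.

```python
import re

CORPORATE_DOMAINS = {"example.org"}  # constructed: domains you own; subdomains count as internal

FORWARDING_FIELDS = ("forward_to", "redirect_to", "forward_as_attachment_to")  # assumed field names

# Matches the address in "alice@example.org" or "Alice <alice@example.org>".
_ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def recipient_domain(recipient):
    """Lower-cased domain of a recipient string, or None if it holds no address."""
    match = _ADDR_RE.search(recipient)
    return match.group(1).lower() if match else None

def is_external(recipient, corporate_domains=CORPORATE_DOMAINS):
    """True if the recipient's domain is not a corporate domain or a subdomain of one."""
    domain = recipient_domain(recipient)
    if domain is None:
        return False  # display name only; nothing to judge
    corporate = {d.lower() for d in corporate_domains}
    return domain not in corporate and not any(domain.endswith("." + d) for d in corporate)

def find_external_forwarding(rules, corporate_domains=CORPORATE_DOMAINS, include_disabled=False):
    """Return (mailbox, rule name, field, recipient) for every external destination found."""
    findings = []
    for rule in rules:
        if not rule.get("enabled", True) and not include_disabled:
            continue  # dormant rules can be re-enabled later; opt in to report them
        for field in FORWARDING_FIELDS:
            for recipient in rule.get(field, []):
                if is_external(recipient, corporate_domains):
                    findings.append((rule["mailbox"], rule["name"], field, recipient))
    return findings

# Constructed sample export: one internal rule, two external forwards, one disabled external rule.
SAMPLE_RULES = [
    {"mailbox": "alice@example.org", "name": "File invoices", "enabled": True,
     "forward_to": ["finance@mail.example.org"]},
    {"mailbox": "bob@example.org", "name": "Keep a copy", "enabled": True,
     "forward_to": ["bob.home@webmail.test"]},
    {"mailbox": "carol@example.org", "name": "Out of office", "enabled": True,
     "redirect_to": ["Carol Smith <carol.s@personal-mail.test>"]},
    {"mailbox": "dave@example.org", "name": "Old sync", "enabled": False,
     "forward_as_attachment_to": ["dave@old-employer.test"]},
]

if __name__ == "__main__":
    for mailbox, name, field, recipient in find_external_forwarding(SAMPLE_RULES):
        print(f"{mailbox}: rule '{name}' {field} -> {recipient}")
```

Run it on a regular schedule against a fresh export and alert on any new finding, so a rule added after the baseline is noticed rather than only the ones present today.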