NCSC issues new cybersecurity guidance on working from home

The UK’s NCSC issues practical guidance in light of new cybersecurity challenges arising as a result of COVID-19.

20 March 2020

Publication

On Monday 17 March, the UK’s National Cyber Security Centre (the NCSC) issued its practical guidance, Home working: preparing your organisation and staff, in light of the new cybersecurity challenges presented by many organisations now encouraging their staff to work from home as a result of COVID-19 (coronavirus). The NCSC notes that there has also been an increase in the numbers of cyber criminals sending ‘phishing’ emails and trying to take advantage of the current coronavirus turmoil.

The guidance is separated into two key areas of focus: (1) guidance on the general cybersecurity issues to be considered in connection with homeworking; and (2) useful tips for identifying and managing phishing emails. We have set out below some of the key points which we identified from the guidance.

1. General cybersecurity considerations in connection with working from home

Although home working may already be commonplace within many organisations, it is unlikely to have been used on such a large scale, or for as long a period as is now anticipated. The NCSC advises that businesses take the following steps:

a) Account and access set-up: Where new accounts / accesses need to be set up in order to enable staff to work from home:

b) General secure home working recommendations:

  • Different software: Produce and share guidance (e.g. “How do I?” type guides) on new software that might need to be used and test that software.

  • Lost and stolen devices: The NCSC considers that devices are more likely to be lost or stolen during this period and therefore urges organisations to take the following steps:

    • ensure that devices encrypt data while at rest (the functionality of which may need to be switched on);
    • where possible, use mobile device management software to remotely lock device access / erase data on a device / retrieve device data backup;
    • ensure that staff are aware of the risks in leaving devices unattended, particularly in public spaces; and
    • ensure staff know what to do if their device is lost / stolen, such as early reporting.
  • Reporting channels: Ensure employees know how to report security issues in particular.

c) Virtual Private Networks (VPNs):

  • Already in use: Where you are already using a VPN, you should make sure that this is fully patched.
  • Not already in use: Where you are using a VPN for the first time, the NCSC asks organisations to refer to the NCSC's VPN Guidance.

d) Removable media (e.g. USB drives):

  • Malware: Limit the likelihood of malware by:

    • using antivirus tools appropriately;
    • disabling removable media by using MDM settings;
    • encrypting the removable data; and / or
    • allowing staff only to use products which have been supplied by the organisation.

e) Personal devices:

2. Identifying and managing ‘phishing’ emails

The NCSC refers organisations to its guidance, spotting and dealing with phishing emails.
