Cybersecurity Checklist for Remote Working

Risk Analysis and Governance for Flexible and Hybrid Working

As Hybrid working becomes established, the need for a secure zero-trust approach to everything is essential, as traditional working times have been extended through work anywhere approaches.

Alongside agile and flexible working practices, organisations should create a set of security policies that cover operational standards, cyber incident responses, and disaster recovery plans for all types of events, and these are especially significant for home working scenarios.

Highlighted below are some of the critical elements for a flexible working security checklist. We recommend a thorough review of remote access procedures to provide the protection and assurances needed in today’s digital economy:

Approved Devices and Software Security

• Firstly, ensure organisational data security policies and practices are up to date.
• Where possible, the organisation should provide all the necessary equipment for remote workers – This will ensure company policies are strictly applied.
• Ensure organisational data can only be accessed by a company or personal devices with approved and monitored levels of security.
• Devices should not be pooled, shared, or operated without time-based security locking.
• All devices accessing the corporate network should only be running software approved and sanctioned by the company.
• Company-supplied computers in a home office environment may not be “managed” in the same way as those on-site.
• Multi-factor authentication and access to networks and systems should be set up, and systems must not be set to public, or be accessible without a username, password (or other types of authentications).
• Account lockouts must be in place, disabling the account after a certain amount of failed login attempts.
• Block employees from adding forwarding rules to external email addresses or have a method in place to detect forwarding rules.

 Network Protection Working from Home

• IT departments are advised to run security checks on flexible home workers’ networks for end-to-end security assurance.
• VPNs and the most up-to-date accredited of remote access solutions are highly recommended for secure access to company systems and data.
• Only key staff should have full access to all systems and data, and employees should only be given access and permissions to the systems and apps needed for their roles.

 Importance of Data Protection and Backup

• It’s incredibly important to have clean backups that are stored in a secure off-site environment or location and where possible to have Immutable Backups.
• Clear policies, procedures, and guidance for staff who are working remotely are essential, including accessing, managing, and disposing of both company and personal data.
• Consider Desktop-as-a-Service as a practical option, so that all data is held centrally, and nothing is held locally.

 Employee Cyber Security Awareness

• Regular cyber security training and education across the workforce must be implemented using various compelling and engaging delivery methods.
• Awareness and training will help users to identify, and report suspected phishing emails and other suspicious activity.
• Implement NCSC guidance to defend against phishing attacks including malicious emails, spoof websites and more – all designed to steal valuable credentials, information, and data.
• Cybercrime is often very sophisticated, and it is important to have an advanced business continuity plan which offers protection from the adverse effects of system hacks and undetected phishing activity. This together with an automated and rapid response to incidents which are built into cyber security solutions.

Enterprise cyber security is an ongoing ‘arms race’ between criminals and IT business leaders. Constant and reiterative reviews of all security elements are an absolute must for organisations wanting to avoid the negative and devastating impacts of a cyber breach.