The European Cybercrime Centre (EC3) has produced two sets of guidelines, one for employers and one for employees, summarising the main points to take into consideration when teleworking.
Provide a clear policy on teleworking, including guidelines on accessing corporate resources and who to contact in case of problems. Set up a clear procedure for handling security incidents. Apply extra measures to documents sent to middle and senior management for signature, approval/feedback or information.
Implement measures such as hard disk encryption, inactivity timeouts, privacy screens, strong authentication and removable media control and encryption (e.g. USB drives). Implement a process to remotely disable access to a device that has been lost or stolen.
Only allow your employees to connect to the corporate network through a company-provided VPN with multi-factor authentication. Ensure that remote sessions automatically time out and require re-authentication after a specified period of inactivity.
This will help mitigate the risk of cybercriminals exploiting unpatched vulnerabilities.
Enforce the use of multi-factor authentication to access corporate email accounts. Provide access to secure communication channels for employees to reach each other easily, as well as to communicate with external stakeholders.
Actively check for unusual remote user activity and increase your alert levels for VPN-related attacks.
Educate employees about the company's policy on teleworking. Take the time to raise awareness of cyber threats, especially phishing and social engineering.
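The guideline above asks employers to watch for unusual remote user activity and VPN-related attacks but does not say what that looks like in practice. The following added example (written for this page, not EC3's own tooling) runs a small detection pass over constructed VPN gateway authentication log lines. The log format, the field names, the `BASELINE` of countries each user normally connects from, and the thresholds (five failures within five minutes) are all assumptions chosen for illustration; a real deployment would take them from the gateway's actual log schema and from observed user behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): a simplified VPN gateway
# authentication log, one event per line, using documentation IP ranges.
# The "heartbeat" line is there to show that non-auth lines are skipped.
SAMPLE_LOG = """\
2024-03-10T08:15:02Z vpn-gw user=alice src=203.0.113.7 country=NL result=success
2024-03-10T08:16:40Z vpn-gw user=bob src=198.51.100.23 country=NL result=success
2024-03-10T09:02:11Z vpn-gw user=carol src=192.0.2.44 country=BE result=success
2024-03-10T09:30:00Z vpn-gw heartbeat
2024-03-10T10:30:00Z vpn-gw user=dave src=198.51.100.77 country=NL result=success
2024-03-10T21:40:01Z vpn-gw user=alice src=203.0.113.99 country=RU result=failure
2024-03-10T21:40:09Z vpn-gw user=alice src=203.0.113.99 country=RU result=failure
2024-03-10T21:40:15Z vpn-gw user=alice src=203.0.113.99 country=RU result=failure
2024-03-10T21:40:22Z vpn-gw user=alice src=203.0.113.99 country=RU result=failure
2024-03-10T21:40:30Z vpn-gw user=alice src=203.0.113.99 country=RU result=failure
2024-03-10T21:41:05Z vpn-gw user=alice src=203.0.113.99 country=RU result=success
"""

# Assumed per-user baseline: countries each account has historically
# connected from. In practice this would be learned from past logs.
BASELINE = {"alice": {"NL"}, "bob": {"NL"}, "carol": {"BE"}, "dave": {"NL"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>[A-Z]{2}) result=(?P<result>success|failure)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not an auth event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def parse_log(text):
    """Parse all lines, dropping blank lines and lines that are not auth events."""
    events = (parse_line(line) for line in text.splitlines() if line.strip())
    return [ev for ev in events if ev is not None]


def detect_anomalies(events, baseline, burst_threshold=5, window=timedelta(minutes=5)):
    """Apply three simple rules to time-ordered auth events and return alerts.

    failed_burst           : >= burst_threshold failures for one user inside `window`
    success_after_failures : a success while such a burst is still inside `window`
    new_country            : a success from a country absent from the user's baseline
    """
    alerts = []
    recent_failures = defaultdict(list)  # user -> timestamps of failures inside window
    burst_reported = set()               # (user, src) pairs already alerted on

    for ev in events:
        user, ts = ev["user"], ev["ts"]
        # Slide the window: keep only failures still within `window` of this event.
        recent = [t for t in recent_failures[user] if ts - t <= window]

        if ev["result"] == "failure":
            recent.append(ts)
            key = (user, ev["src"])
            if len(recent) >= burst_threshold and key not in burst_reported:
                burst_reported.add(key)
                alerts.append({"rule": "failed_burst", "user": user,
                               "src": ev["src"], "ts": ts, "count": len(recent)})
        else:
            if len(recent) >= burst_threshold:
                alerts.append({"rule": "success_after_failures", "user": user,
                               "src": ev["src"], "ts": ts, "count": len(recent)})
            known = baseline.get(user)
            if known is not None and ev["country"] not in known:
                alerts.append({"rule": "new_country", "user": user,
                               "src": ev["src"], "ts": ts, "country": ev["country"]})

        recent_failures[user] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG), BASELINE):
        print(alert)
```

On the constructed log this flags one account: a burst of failures from an unfamiliar source, a success immediately after it, and that success coming from a country outside the user's baseline. Each rule on its own is noisy (travelling staff trigger `new_country`, mistyped passwords trigger short bursts); the point of keeping them separate is that their co-occurrence on one account within a few minutes is what should raise the alert level, and the resulting alert is what the employee-side guidance asks staff to be able to report through the appropriate channels.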
Set up realistic goals, working schedules and follow-up mechanisms, being flexible where possible and taking into account personal circumstances.
Only use company-provided devices and software. Create strong passwords (use trusted/approved password managers if available), don’t write them down, and protect them from being seen when you are typing them. Avoid work-around options, even if they seem to provide just what you need.
Before starting teleworking, familiarise yourself with corporate devices, policies and procedures. Make sure you understand the equipment, the dos and don’ts of its use and where to go for help.
Connect to the corporate network only through the corporate VPN and protect the tokens (e.g. smart card) required for the VPN connection.
Do not allow family members to access your work devices. Lock or shut them down when unattended and always keep them in a secure location to prevent loss, damage or theft. Prevent shoulder surfing by using privacy screens and avoid angling screens towards windows or cameras.
If you see any unusual or suspicious activity on any device you are using to telework, immediately contact your employer through the appropriate channels.
Watch out for any suspicious activity and requests, especially finance-related ones. This could be CEO fraud! If in doubt, call the requester to double-check. Do not click on links or attachments received in unrequested emails and text messages.
Never respond with personal information to messages, even if they claim to be from a legitimate business. Instead, contact the business directly to confirm their request.
Discuss work plans with your direct management and team members during the teleworking period, including the distribution of tasks, deadlines and channels of communication.
If using your personal device is the only option and your employer allows it, make sure your device's OS and software are up to date, antivirus/antimalware included, and that the connection is secured through a VPN approved by your company.
Avoid making personal use of the teleworking device.