COVID-19 is affecting us all. The way we live, work and socialise has changed dramatically. The National Audit Office is no different, our staff are working from home and we will also have an important role to play in reporting on the government’s response to COVID-19. We’re resharing some of our knowledge on how organisations can make a success of working remotely at this time.
Technology is a great enabler for working from home, but there are pitfalls to avoid. In September 2017, we issued a guide to cyber security for audit committees and now is an appropriate time to revisit some of the key points.
Policies and procedures
The most important point to note is that your organisation’s information security policies and procedures still apply – they exist for good reason. Security shouldn’t be sacrificed, even during difficult and uncertain times.
If your organisation doesn’t have a homeworking policy, now could be an opportunity to think about what it might look like. But don’t be forced into a knee-jerk reaction because of the current situation; take the time to get the approach right and build it into your longer-term business continuity arrangements.
Using personally owned IT
If your organisation routinely provides laptops to staff which are securely configured and set up for remote access, then you’re in a good place. If not, Bring Your Own Device (BYOD) is a possibility, but inevitably this approach brings risks that need to be considered. The main risks are around unauthorised access and data loss.
A popular BYOD approach for smartphones and tablets running Android or iOS is the ‘managed container application’. This means all corporate data is accessed via one or more designated apps (for example, Microsoft Office). This allows strong controls to protect and isolate corporate data from the user’s personal apps and prevents copying and pasting of data across the container boundary.
Use of personal PCs is a more difficult area. Technology such as remote desktops minimises the risk of data loss as the apps and data stay on the remote server. Most IT departments will be familiar with remote desktops, and the main barrier to their more widespread use is having the necessary infrastructure to support the volume of users required.
Allowing users to access work data through a web browser over an internet connection from their own PC might seem an attractive option, particularly with more services becoming available in the ‘cloud‘. However, NCSC are clear that this is a risky approach.
They advise that it’s difficult to gain confidence in the security or configuration of the PC, and there are limited technical controls you can enforce to reliably prevent data loss or access from insecure or out-of-date devices. And, from a legal perspective, responsibility for protecting data and complying with GDPR and the Data Protection Act 2018 rests with the data controller, not the device owner. You may also have commercial arrangements that restrict running of business software on or accessing business data from personally owned devices.
There are many established software tools for videoconferencing and collaborative working. Common apps include Microsoft Teams, Skype for Business, Google Hangouts, Cisco WebEx, GoToMeeting and Zoom. Do bear in mind that these should be securely configured, their privacy policies and settings reviewed, and used appropriately in relation to the sensitivity of the meeting content being discussed.
Where you are meeting with a third party, it would be wise to set agreed expectations around call recording and screen sharing and request explicit permission before capturing any information discussed during the meeting, for example screenshots.
There are also considerations relating to the home working environment itself. Devices outside an office environment are more vulnerable to theft or loss. This can be mitigated by physical security measures and by encryption – but do check that each device is turned on and set up correctly.
Also consider your policy around printing from home and whether it’s necessary. Information in physical form needs to be protected in the same way as information in electronic form. Forwarding information from work to personal email accounts for printing is a big confidentiality risk, so where there is a legitimate need to print, you will need to make suitable arrangements.
In shared accommodation, you should also be aware of who might be able to overlook your screen or overhear your teleconferences. There are reports that some organisations are advising people to turn off smart speakers and voice assistants during working hours when sensitive matters are being discussed.
Preventing unauthorised access to devices is another obvious but essential consideration – NCSC has recently issued guidance on good password policy, including practical suggestions for reducing password overload for end users.
Be aware of phishing scams, whether by email or text message. This advice applies generally, and some security companies have reported seeing a large increase in phishing attacks as a result of the current pandemic. NCSC has good advice on spotting suspicious emails.
It’s important to promote and maintain a strong security-minded culture, even when your people are trying to collaborate and work flexibly.
Obtaining IT equipment and services
The Crown Commercial Service (CCS) has published information on a number of agreements that can enable the public sector and related organisations to quickly and easily procure technology products and services to allow employees to work more flexibly.
CCS also note that a number of providers of collaboration software are offering introductory or extended trials of their products. These include Microsoft (Office365), Google (G Suite, Hangouts Meet) and Cisco (WebEx, Duo, Umbrella, AnyConnect).
The current situation is putting unprecedented pressure on individuals and organisations alike but try not to lose sight of the security basics. If you’re struggling to get a fully-fledged remote working strategy in place I’d recommend focusing on the fundamentals. Find the right approach for your organisation and gradually build it into your longer-term business continuity arrangements.
We’re all having to adapt to these new ways of working, but don’t worry there’s plenty of support out there to help you protect your corporate and customer data.