Government employees nationwide are moving to at-home work locations as social distancing in response to COVID-19 (the “coronavirus”) increases. The ever-present cyberthreats that concern governments, however, don’t disappear when employees go home.
Public sector staff can follow these top tips to mitigate risk and protect both public and personal networks and information.
1. Understand you are a target.
In this new age of working from home, phishing attacks are on the rise. Be especially cautious of emails that take advantage of COVID-19 news and proport to provide coronavirus alerts, request donations, or request urgent action.
As we move more and more to email communication, increased vigilance is necessary. Just because the “From” address contains your boss’s name, for example, doesn’t make it real. Emails that mimic an in-house address are known as Business Email Compromise (BEC) scams. They often include instructions for redirecting funds.
More BEC scam information can be found at this AARP site, and tips on avoiding phishing scams are available through the Federal Trade Commission (FTC) and the National Cyber Awareness System.
2. Follow your employer’s security practices.
Security rules still apply, regardless of your location, especially when you’re on a work-issued laptop. Just as in the office, do not use your work laptop for personal web surfing, email, chats, videos, or podcasting. In other words, only do work. Similarly, do not allow your family members, roommates, or others to use your work laptop. Use the VPN connection provided by your office for all access to your department’s network, resources, and the internet, if necessary. If your administrator issues patching orders, verify their authenticity and follow them to keep pace with new vulnerabilities.
The use of personal laptops to access an organization’s network is a significant security risk. Only use personal equipment if you have permission and be sure to use a secure VPN connection or virtual desktop. If you must use a personal laptop, make sure it is current with security patches and anti-virus software, and encrypt the hard drive. (Your network administrator can help you do this.) As with an office laptop, only do work at work. Minimize personal web surfing and email to create the most secure environment.
Whether your laptop is work-issued or personal, never leave it unattended in public or visible in a car. If you must travel with your laptop, store it in the trunk while you’re out of your car. And, just like we routinely shred sensitive information on paper, no sensitive files should be stored on any laptop unless your agency’s policy permits it. Do not transfer sensitive information to a USB drive or cloud service unless directed to do so by your employer and purge sensitive information from your laptop once it is no longer needed.
3. Secure your home network.
Handling network, computer, and IT issues will be new to most employees working remotely for the first time. To create the most secure environment, turn on encryption (WPA2 or WPA3) and make sure your router is updated with the most current security patches. Some routers update patches automatically. Reach out to the person who installed your home network to check. That person should also tell you if they have changed the default administrator password on your router.
For more guidance in this area visit the FTC site for Securing Your Wireless Network and Securing Remote Access.
4. Follow basic cybersecurity hygiene.
We are all washing our hands and following hygiene protocol with rigor. The same should hold true for your digital health. Basic cybersecurity hygiene revolves around passwords. Use strong passwords that follow your company’s policy and consider using passphrases over 15 characters in stead of the usual eight. For example, use: IwishMyCarWasa69BabyBlueDuneBuggy instead of: Ah$Y9z&Z.
Using a password manager recommended by your IT department to generate strong passwords takes the guesswork out of it. Visit the National Cyber Awareness System for more password tips. Finally, enable multifunction authentication if possible.
Working from home brings new challenges and new risks. Cyberthreats can be kept at bay by following the tips above. For additional information visit these sites:
- National Cyber Awareness System: Home Network Security
- Federal Trade Commission: Online security tips for working from home
Test your cybersecurity preparedness with a series of fun quizzes from the FTC here.
Meredith Trimble is a GovLoop Featured Contributor. She is a former municipal official and Town Council Acting Chair, who focused on strategic planning, annual budgeting, and bonded infrastructure projects. Her government experience also includes posts in both federal and state-level executive branch agencies: Associate Editor of the U.S. Federal Election Commission’s FEC Record; and Director of Education for the CT Office of State Ethics. In her current role as a Senior Content Specialist with Tyler Technologies, Inc., she writes content to help empower those who serve the public. Her current focus is to help facilitate data-enabled organizations as well as to create connections between governments and those they serve. You can read her posts here.
Thanks for these, Meredith! Especially the first tip, to understand you’re a target. Being cybersafe really starts from there I think.
Thank you!
Of course, for #4 it is important that a system allow longer passwords – I’ve come across a number of them that limit the password length or limit what special characters you can use.
Good point, Steve – thank you!