Below we offer a checklist for a self-assessment of your company's preparedness for smart working or telecommuting from an IT security perspective.
This is not a complete list, but a useful summary of the most important elements for being better prepared against external and internal attacks.
Remember that you can always contact us if you need specific advice at sales@isgroup.it
Interactive self-assessment test for smart working security
What to Do | Done |
---|---|
Cybersecurity | |
Ensure that laptops and mobile devices use hardware (or software) data encryption for: | |
- internal storage (hard disk, SSD, NVMe, ...) | |
- external storage (USB sticks, ...) | |
Use privacy screens to prevent shoulder surfing | |
- on laptops | |
- on mobile devices | |
Make two-factor authentication (2FA) mandatory | |
- for email access | |
- for system access | |
- for application access | |
Encourage the use of password managers | |
Remind staff | |
- not to open documents related to the Coronavirus | |
- to keep the antivirus up to date | |
- to keep the operating system and company software up to date | |
- to protect the confidentiality of information | |
- to report violations and suspicious events | |
- not to postpone critical software updates | |
- to always lock the computer when leaving the workstation | |
- to connect only to password-protected networks | |
- not to keep company data locally but always upload it to the company cloud | |
- to browse with Firefox with the NoScript and HTTPS Everywhere extensions | |
- to use Telegram's encrypted chats for internal company messaging instead of WhatsApp | |
Remind staff that company policies also apply to smart working, therefore | |
- send a notice on the use of company devices for personal purposes | |
- send a notice on browsing prohibited sites (e.g., pornographic ones) during working hours and/or with company tools | |
- send a notice on downloading and using illegal content (e.g., movies, games, and software), which can be a vehicle for malware and ransomware as well as saturate company resources (e.g., the VPN) | |
- not to lend company systems to children or other family members | |
- not to share passwords, especially over messaging systems (e.g., Skype or WhatsApp) | |
- not to install software for personal purposes | |
Privileged Users | |
Ensure that all privileged users | |
- are clear about their responsibilities | |
- do not log in with elevated privileges for daily tasks where it is not necessary | |
- report any errors immediately so that action can be taken to resolve them | |
Phishing Emails | |
Remind staff that mistakes can happen; the important thing is to report them | |
- if they accidentally clicked on a link | |
- if they opened a suspicious file (e.g., a PDF, Word, or Excel document with macros) | |
- if they contracted malware or the antivirus found infected files | |
Constantly remind staff | |
- to be aware of potential phishing emails and other attempts to compromise or steal company account data | |
- to report any phishing emails or suspicious activities | |
- to contact their superiors in case of problems | |
Cyber Attacks and Error Response | |
Ensure that staff always work over the company VPN connection | |
Security personnel must be very vigilant and actively look for suspicious activities (given users' habits, this can be operationally expensive) | |
Ask IT and security personnel (including external companies) to call directly for important issues rather than relying solely on email (and even to use insecure apps like WhatsApp if communications are very urgent) | |
Keep a printed copy of procedures and this checklist at home, and ensure it is not easily accessible to others | |
Backup Backup Backup | |
Provide staff with software that backs up important documents | |
Ask staff | |
- to back up their data on an authorized external device that is not permanently connected to their computer | |
- not to use unauthorized external cloud systems | |
- to propose any system or cloud service they think might be useful | |
Calls and Online Meetings | |
Remind staff | |
- to mute their microphone when not speaking in a meeting | |
- never to leave their devices unlocked, especially during a call | |
- not to work in public places (where possible), especially when holding strictly confidential meetings | |
- to keep the webcam disabled by default | |
- to check that there are no guests or unknown participants before discussing confidential information in a call | |
Exceptions | |
Create a register of exceptions | |
Record exceptions by date and examine them carefully | |
Create a list of items excluded a priori from exceptions | |
Checklist created using content from Amar Singh and Aditi Uberoi