Covid-19: NCSC issues secure remote working guidance

With hundreds of thousands likely to be working remotely for some time, the UK’s NCSC has issued best practice guidance to enable security teams to support them

The National Cyber Security Centre (NCSC) has published new guidance to support businesses and individuals transitioning to full-time remote working as part of social distancing and quarantine measures – also known as “flattening the curve”, designed to thwart the spread of the Covid-19 coronavirus.

The NCSC has taken this step in recognition that universal remote working presents cyber security challenges that organisations do not usually have to deal with, and to support its previous warnings that cyber criminal groups are now widely exploiting the coronavirus in phishing, malware and ransomware campaigns.

“While working from home will not be new to many organisations and employees, the coronavirus is forcing organisations to consider home working on a greater scale, and for a longer period of time,” said the NCSC. “You may have more people working from home than usual, and some of these may not have done it before. Working from home can be daunting for people who haven’t done it before, especially if it’s a sudden decision.”

The NCSC recommends that security teams take the time to carefully re-evaluate all the various software-as-a-service (SaaS) applications employees will be using, such as chat and collaboration apps, video conferencing services and document sharing, and plan for a large increase in usage. Its guidance on secure SaaS implementation can be found here.

Security teams will also need to consider the need to set up new accounts and system accesses for remote workers and take into account the need for strong password settings and the possibility of implementing two-factor authentication, which is strongly recommended. Its guidance on password management can be found here.

With virtual private networks (VPNs) an essential component of any remote working strategy, enabling users to securely access resources such as email and file servers via an encrypted, authenticated network connection, the NCSC also recommended taking the time to ensure that all VPN software is up to date and fully-patched to account for any recently-discovered vulnerabilities. The NCSC’s VPN guidance can be found here.

More generally, security professionals should consider that staff are more likely to lose their devices, or potentially have them stolen, when away from the office. Most modern devices have built-in encryption for when they are at rest, but attention must be paid to whether that has been turned on and configured.

Read more about Covid-19’s impact on IT

Remote workers will also need to know what to do if the worst happens and their device is lost or stolen. They should be encouraged to report this as soon as possible – so-called “blame free” security cultures can help with this – as this will minimise the risk to any data on the device.

It’s also important to give remote workers a refresher course in basic security best practice, taking time to make sure they know how to report any security issues; that they understand the importance of, and are empowered to, keep their software and devices up to date and patched; as well as how not to fall victim to many of the threats they may encounter, which is particularly important at a time of heightened stress.

Read more on Business continuity planning