Professional works remotely from home

As public and private organizations across the globe turn to remote work and remote learning to address and fulfill their missions and goals, cybersecurity hygiene is an important practice to revisit. Individuals should continue to be vigilant in the face of criminals and bad actors, who are always looking to steal data, disrupt systems or undermine an organization’s reputation and credibility. Review and confirm that the following cybersecurity hygiene areas and actions are in practice to protect individuals, the organization and the organization’s data in a remote environment. Just like washing your hands is good personal hygiene, continue to practice sound cyber hygiene.

Alert

1. LOOKOUT! For suspicious emails, texts, phone calls, apps

  • Question communications about COVID-19; criminals are using this crisis to craft malicious communications about COVID-19, attempting to steal your information
  • Pay attention to the website addresses; criminals are creating malicious websites with addresses similar to official trustworthy sites (e.g., fake Johns Hopkins COVID-19 outbreak map website)
  • Block suspicious phone numbers sending texts or robocalls on your mobile phone
  • Beware downloading new apps, especially ones coming through suspicious communications

2. KNOW! The proper email addresses, phone numbers (home, cell) for key contacts (e.g., supervisor, IT helpdesk, information security team) and organization systems (e.g., emergency notification system)

  • Helps you easily spot suspicious emails, texts, phone calls
  • Allows you to contact individuals directly to confirm communications
  • Provides multiple methods to contact individuals

3. CHECK! Your organization’s official website(s) daily for updates

  • Bookmark/favorite in your browser these sites; use these bookmarks/favorites instead of typing the website addresses or clicking suspicious-looking similar links

4. REPORT! To your organization’s IT and/or information security functions, via the approved channels, any suspicious communications or events, as well as any systems that are not working properly

  • Allows IT and information security professionals to know what is happening and take action
  • Helps protect others from similar attacks since organization can potentially block attackers or send notices to the whole organization

Act

1. Use multi-factor authentication (MFA) for all possible applications, websites, and devices; where MFA is not available, use long unique passphrases (12+ characters) for applications and websites, and use long PINs (6+ characters) for devices

2. Use your organization’s virtual private network (VPN) connection to securely access organizational systems

3. Use unique access codes for every web meeting or conference call; alternatively, if you must reuse the same access code, use a passcode to limit access to the meeting/conference call, especially for sensitive matters

4. Update all software on devices regularly, including operating systems (e.g., Windows, macOS, Android, iOS) and apps

5. Back up all critical files on your devices using organization approved systems, such as online file sharing apps (e.g., Box, OneDrive, Google Drive)

6. Lock your device when you step away, requiring a password to unlock the device

Avoid

1. Don’t click on any links in suspicious emails or texts

2. Don’t send/reveal personal, financial, or username/password info in emails or texts

3. Don’t share organization-owned devices with family and friends

4. Don’t use public Wi-Fi; if you must only connect for a minimal time and always connect via VPN

5. Don’t use free tools (e.g., free Gmail/Google Docs) for official sensitive matters

6. Don’t use social media (e.g., Facebook, TikTok, Instagram, WhatsApp) for organization work and communications (unless explicitly approved by your organization)

7. Don’t download new apps on your devices without proper vetting

8. Don’t use personal devices to access organization systems and data (unless explicitly approved by your organization)

9. Don’t use USB drives (e.g., thumb or jump drives) unless acquired from or approved by your organization

Advanced

1. Change your Wi-Fi network password from the default provided by your ISP or router

2. Create a separate Wi-Fi network at home for your organizational devices to use

3. Keep organizational devices stored in a separate secure location in your home

Programmers work on computers
Next up

Academic continuity and integrity: oversight for online course delivery