If you're setting up working from home at short notice, we've created a quick reference guide to help.
Setting up remote working - quick reference guide [PDF, 148 KB]
Some of the security measures in place at your workplace won’t protect you if you’re using different devices, networks or systems from another location. These include security measures such as web filtering, firewalls and data encryption. Before you open up access to your data and confidential information, consider how to implement other measures to cover those same risks.
Cyber security risk assessments for business
Allowing your employees to work remotely can be a useful tool in your business continuity plan. Like all aspects of emergency plans, make sure your staff test it before they need to use it.
Below is a list of recommended security measures. Refer to your cyber security policy to know which kind of security measures will work for you.
If you’re a bigger organisation, NCSC has cyber security advice on increasing your capability to allow staff to work from home.
Your staff will need mobile devices like laptops in order to work remotely. If you don’t currently provide them with mobile devices, you will need to consider whether you will offer them one or let them use their own. If you offer them one, you have more control over the security of the device and can implement these measures:
- Configure the device to apply patches as they are available so it can stay up-to-date.
- Only allow certain programs to be downloaded and block known bad software.
- Configure regular backups.
- Configure hard-drive encryption.
Apple has a free hard-drive encryption tool for all users called FileVault. Microsoft offers a tool called BitLocker, which is free with several licences of Windows 10.
FileVault for Mac
If you can’t afford to offer a company device to each staff member, prioritise giving devices to staff members who access more sensitive systems first.
If employees can use their own laptop, consider what rules you would like to put in place before they can access company systems. For example, you may tell them they need to:
- keep their operating system up-to-date
- use hard-drive encryption and a strong password to unlock it
- upload any documents they have saved locally to the network, and
- run their antivirus software regularly (and keep that up-to-date as well).
Accessing business systems
Remote access software
You will need to use remote access software, like a virtual private network (VPN), to connect to your organisation’s network. This creates an encrypted tunnel between your computer and your work’s network, protecting the files and data you’re accessing from your home network. See our advice on which remote access software will work best for your needs.
Which remote access software is right for my business?
Strong passwords are the first line of defence in systems that are accessible on the internet. Reinforce to staff the importance of keeping passwords unique and long for every system and device.
Create a password policy for your business
Enable two-factor authentication
Systems that require access from the internet, particularly important ones such as work-related systems, email or messaging apps, need to be protected. Enabling two-factor authentication makes sure that attackers can’t get in if they’ve guessed your password or stolen your credentials. Make it mandatory when accessing systems away from the network.
Using 2FA to secure your business
Advise your staff to use their home internet network for accessing business networks and systems. Not all WiFi and internet networks are secured in the same way. The best way to stay safe is to use the one that they have set up at home.
Travelling to and from destinations introduces security risks. Make sure work devices are encrypted. Encrypting the hard drive of your device adds an extra layer of security should it be lost or stolen. The password to unlock the device should be strong and unique.
If they need to work out and about, consider offering these staff a privacy screen, which makes shoulder surfing a lot harder. When having a phone call, check who’s within hearing range and avoid talking about confidential information. Don’t leave your devices unattended when you are in public spaces. When you leave a device unattended at work or at home, make sure to lock it.
If they lose their device, make sure they have an easy way to contact you or your IT provider. Mistakes happen, and it’s better to know immediately so the impact can be managed.
When your staff members are located across multiple locations, being able to easily communicate with your team and others is essential. Look for options that have end-to-end encryption before choosing a tool to use. This applies to both your messaging options and any video conferencing you need to use for meetings. If the system you use doesn’t offer this, consider changing, or make sure everyone knows to avoid sharing or talking about sensitive information. This is any information you wouldn’t want made public.
Sometimes people working from home may want to be a little more flexible in their working hours due to childcare arrangements, family needs, and personal appointments. Make sure there is someone they can contact if they need IT support, especially if they need to report an incident.
When you’ve got a moment, record these remote working decisions in a policy. This can be the go-to place for staff to understand how your organisation operates remotely. It’s also a good time to remind staff of any other related policies you have.
Create a cyber security policy
Create a flexible work or IT policy – Business.govt.nz