Opinions and Legal Insights

Updated Advice on Cyber Security while working at home from the NCSC and the Law Society – 9 April. Time to review home working cyber security again to protect against increasing scams and attacks?




Most of your people are probably still settled in at home but this will continue for some time yet for lawyers and support staff, so it’s probably worth taking stock with the benefit of your experience to date.  I am happy to give half an hour of my time to discuss any questions you have or to help you put the guidance below into practice.  







Just call me, Frank Manning, on 07778 572420 or book a time with me here >>






Updated Advice on Cyber Security from the NCSC and the Law Society – 9 April 2020


Working outside a secured office presents some additional challenges. Staff might be more likely to have their devices stolen when they are away from the office.

  • Encrypt laptops and install a system to track and delete data from tablets and phones remotely if they are lost or stolen. Someone who is not authorised to access a device or system should not be able to access information on it or use it to access working systems.

  • A suitable PIN or complex password will protect your device, and many devices include fingerprint recognition.

  • The NCSC give more detailed advice on how to protect mobile devices here >>

  • Use two-factor authentication for log-ins where possible:

    • Two-factor authentication means systems that need two different methods to prove identity before they allow access, for instance a password combined with a code sent to a smartphone.

    • Make sure that you and all staff avoid predictable passwords, using longer strings of characters that cannot be easily guessed.

    • Make sure your staff have access to good guidance on choosing passwords that are easy to remember but hard to guess.

    • The NCSC give advice on how to choose a non-predictable password here >>

  • Be careful about who can see or overhear what you are doing when working with sensitive information. We appreciate that it may be hard to avoid family members overhearing conversations while working at home. You should use your best efforts to avoid this.

  • Remember to always lock the screen when away from your computer.

If you are using your own devices rather than work-issued machines, these can be less secure.


  • Always make sure to log out of a shared device when you have finished using it to ensure nobody else can see confidential material

  • You will need to make sure that your security controls can be applied to any device your staff are using. This will increase the demands on your IT support.

  • The NCSC give advice on controlling the risks from staff using their own devices here >>

  • The Information Commissioner’s Office (ICO) give advice on the law relating to bring your own device policies

Remote users may need to use software and applications differently.

  • It may be helpful to produce a series of basic written guides to help them work effectively.

  • This will be particularly helpful when introducing software that your staff do not ordinarily use in the office, such as online collaboration tools or video chat rooms.

The best way to make sure that your staff can securely access your IT resources is with a virtual private network (VPN) from a reputable provider.


Also …

  • Make sure that your systems are protected against ransomware and other malware

  • Back up your important data to protect it from loss due to an accident or a ransomware attack.

  • Make sure that access to your backup is restricted

  • Make sure that your backup system is not permanently connected to the device holding the original copy

  • Make sure that you know how to restore your system from a backup

For more information, the NCSC give information on mitigating malware and ransomware attacks here >>




This might be a good time to encourage staff to take the e-learning courses provided by the NCSC (and others like Axelos and eAlliance, where you can incorporate this training into wider, pro-actively managed and tracked training programmes for your people). This will help to update their knowledge and give them the latest information.


You should make sure that staff know how to report any problems or breaches to you.   


Make sure that staff know the importance of keeping software and devices up to date, and that they know how to do this.  


Use training to help build a positive and blame-free culture of reporting, where staff feel comfortable coming forward with issues that they have encountered.







More updated Law Society guidance here >>