Teleworking Guidance: Best Practices, Sample Policies, and Cybersecurity
Type: Handout
March, 2020
This resource page includes materials designed to help local governments navigate teleworking, including sample policies, procedures, best practices, and cybersecurity guidance. Additional items will be added regularly to assist our clients. If you have questions about the technical aspects of teleworking, feel free to contact Shannon Tufts (tufts@sog.unc.edu; 919.962.5438).
Top Tech Tips for Working Remotely and Securely
Public Records Reminder: Recognize that if you are communicating about public business over non-enterprise tools, then you are likely creating a public record and you (as the sender/receiver of the record) need to determine how you will keep the record according to the North Carolina Local Government Records Retention requirements.
- Check with your IT department prior to starting teleworking. They should have protocols in place to assist you with securing your environment and data access/transfer/storage.
- If you are working from home on your home network (on work or personal devices), ensure that your home router is properly secured.
  - First, make sure you change the factory-preset password. Many people do not do this, and it leaves their home networks vulnerable.
  - Ensure firmware updates are installed to patch any security vulnerabilities.
  - Set your router’s encryption to WPA2 or WPA3. WEP is not sufficient.
  - Use this guide for more advanced practices, like restricting inbound and outbound traffic: https://www.comparitech.com/blog/information-security/securing-your-wireless-router-and-your-wifi-network/
- Avoid public WiFi if possible, as these networks are unsecured. If you are working remotely but from public locations, use a personal hotspot (like your smartphone or a MiFi device). If you are using a public WiFi network, make sure to use a VPN for accessing work applications and data.
- Use a Virtual Private Network (VPN) to help protect your Internet traffic. Please note this only protects the data to and from the VPN provider, not to the destination, so a VPN alone is not enough.
- Do not use personally owned computers for work purposes if at all possible. It is unlikely that your personal computer has sufficient antivirus software, customized firewalls, and automatic backup tools running, compared to devices deployed by your employer.
  - If your organization uses a portal or remote access environment like Office 365, this will help alleviate some of the concerns related to use of personally owned computers, but ensure that you only work online and do not download or store any items to your machine locally.
- Ensure firewalls are set up. Your device’s operating system should have a built-in firewall, but there are other options to add more protection on your personal devices if needed. Your IT department will have handled firewalls for work devices.
- Use antivirus software on your personal devices. In the case of work-provided devices, this software will already be installed and running.
- Ensure that your updates are being installed regularly. Patches for security vulnerabilities are essential for both work and personal devices. It is easiest to set these updates to run automatically during non-waking hours.
- Always use strong passwords for all accounts. If your IT department allows it, use a password manager to ensure that you can leverage strong passwords without worrying about forgetting them.
- Use two-factor authentication whenever possible.
- Always back up your data.
- Watch out for phishing emails, voicemails, text messages, and even Facebook coronavirus maps. As people transition to teleworking, we are seeing a huge spike in these attempts. If you receive a message that purports to be from a known associate, double-check the email address, and never open attachments or click on links until you have confirmed that the sender is legitimate. Personally, I use the telephone or software like Microsoft Teams or another messaging service to verify with the purported sender before I open or click anything that I was not expecting to receive.
- Use encrypted communications for all sensitive information. Your organization may have this communication channel established already through Office 365 or some other enterprise solution. You can also use mainstream applications like Signal or Telegram, which leverage end-to-end encryption.