Good Social Media Hygiene

We’ve all started to get used to our “new normal” of working from home. There have been a lot of posts about how to do this effectively, and some of you may even have used some of the guidance I recently published on here. (A big thank you if you have!)

A quick heads up is probably in order here. As with my previous article, this one isn’t necessarily intended for cyber professionals: rather, it’s aimed at those who don’t work in the industry and will hopefully give them some insight into how to help their online health.

We now know that this is going to be how we live and work for – probably – months to come, so we best settle in and make the best / most of it.

It’s been great to see how we are making more use of collaboration tools, and there are any number of posts and videos about the pros and cons of the different solutions, as well as the creative ways teams are coming together. I’m not going to talk about that in this post. What I do want to talk about is how we use social media.

We’ve all (hopefully) got the message from our government that washing hands for 20 seconds is a good starting point in our efforts to slow the transmission of the coronavirus. We’re seeing initiatives such as supermarkets providing antibac wipes and gel so you can clean the handles on trolleys before going in. On my rare forays away from the house I’ve noticed so many more people cleaning their hands, and that’s been very reassuring.

But it seems to me that all this time at home has also led to much more engagement on social media, with many more helpful and inclusive posts on neighbourhood forums for example. There seem to me to be so many more people joining in online conversations etc, which seems to be helping build more of a community spirit. (Yes, I still see the backbiting and trolling too, but much more infrequently recently.)

Talking of people being online, it seems like every day we’re hearing about new scams, new ways in which the bad guys and gals (I’m going to call them bad actors from here) are trying to get access to our systems and to our details.

I believe that now is a good time to apply good hygiene to our online selves, as well as our physical selves. With all this additional engagement, and the increase in time spent online, I think now is a good opportunity to encourage people to check their privacy settings and tighten them where appropriate.

Just as antibac wipes and handwashing help protect your physical health against the pandemic that’s assaulting us, locking down your social media profiles helps protect your online health against the bad actors mentioned above.

Restricting who can see your friends list, or your latest posts, reduces the open source intelligence (OSINT) gathering opportunities for the bad actors: this in turn reduces the information they have to try to use against you in phishing and spear phishing attacks, for instance.

How do you do this? For each of your social media accounts the process will be slightly different, and if you’re unsure where to start, open Google (or any other search tool) on your internet browser and search for “privacy settings” and the name of the app you’re using. It should then be a case of following the instructions, but bear in mind that these could vary depending on whether you’re accessing your account from a PC, a laptop, an Android phone, an iPhone or other devices.

For most applications, it’s worth bearing in mind that they automatically open up your account as much as possible and may reset your settings every so often without warning. In general terms, making sure you use two factor authentication on each account, and restricting who can view your profile / posts to people you know are good things to do. For information on what each setting does, check them out on the application’s web site.

For example, I use an iPhone, and the initial steps are:

  • Facebook – Open the app, click on the three horizontal bars at the bottom right of the screen (next to the bell icon that shows you that you have notifications), scroll down to Settings & Privacy and then click on Privacy Shortcuts. Go through each of the topics there in turn and amend your settings.
  • Twitter – Open the app, click on your account icon in the top left corner (typically that’s your profile picture), and click on Settings and Privacy. Again, go through each of the topics and amend your settings.
  • Instagram – Open the app, click on your account icon in the bottom right corner (the icon is a person, next to the heart icon), click on the three horizontal bars at the top right of the screen, then click on Settings. Go through each of the topics under Privacy and also under Security and make changes as necessary.
  • LinkedIn – Open the app, click on your account icon in the top left corner (typically that’s your profile picture), click on Settings, then amend the relevant items under the Account and Privacy tabs.

Repeat the process for other apps; by now I hope you get the idea. I appreciate that these steps appear convoluted and time consuming, but in reality they don’t take long, and they help to reduce the amount of information you share, and who you share it with.

Working From Home during the pandemic: a simple guide for companies and individuals alike

There’s a lot of talk at the moment about enabling staff to work from home due to coronavirus / covid19. There are probably a lot of organisations that would like to make this happen, but who don’t know how to do this securely. These organisations may also have staff who will be working from home for the first time, so they probably need to provide some guidance and support to those staff too.

The intention of this article is to provide some high level suggestions of things to look at, which will have the most impact in terms of reducing the risk of security breaches and helping employees stay productive.

What can the organisation do?

The following points may help those with little knowledge in information security, or with little access to anyone with knowledge, to know where to start in order to keep themselves secure. It’s not an exhaustive list, and you may need to talk to your IT provider / security team for assistance with some of these.

  1. Make sure that you have implemented two factor authentication (2FA) for all users, and that they all know how to use it. This helps mitigate the risk of having unauthorised users accessing systems remotely.
  2. Make sure that all devices have been patched and have antivirus software installed and active. This is often achieved by using Network Access Control to carry out a health check on devices, only permitting access when they meet specific control requirements. Devices are held in quarantine while remedial action is carried out.
  3. Make sure that your remote access solution has been penetration tested recently, and that any urgent, high or medium issues have been resolved. This helps mitigate the risk that the remote solution is vulnerable to attack by malicious third parties, and helps ensure remote access for legitimate users is maintained.
  4. Consider stress testing the remote access solution, so that your organisation has a good idea of how many concurrent devices can be connected remotely without adversely affecting performance. It may be necessary to improve the capacity of the remote access solution for the duration of this period where higher numbers than usual of remote users are going to be experienced.
  5. Make sure that users know whether they can print when at home / out of the office and, if they are permitted to do so, they need to know how to securely dispose of any sensitive documentation they print off. For example, using a cross cut shredder may be acceptable while putting confidential documents in a recycle bin at home is probably not the sort of behaviour you want to encourage.
  6. Review your business continuity and disaster recovery plans. Are there key personnel who have to have corporate devices, and others who could be given extra leave instead? It may be that you decide to focus on providing key services to clients and choosing not to deliver all services all the time.
  7. If users are allowed to use personal devices, consider enforcing Network Access Control in the same manner as in point 2 above. Also, make a risk based decision on whether non-corporate devices can be used if they do not have full disk encryption installed. It may be that a temporary waiver can be granted for these extraordinary times, or it may be desirable instead to issue users with corporate devices if they don’t usually have one at home, even though the device may not have the full specification the user is used to.
  8. Consider issuing staff with privacy filters, so that if there are other people in the house / room, confidential data is not visible on screen to all. These are relatively cheap, and are a good idea for staff who often work away from the office anyway.
  9. Check contracts with clients to confirm whether remote working is permitted, and under what conditions. If it is specifically excluded, talk to clients to develop appropriate acceptable working practices while we deal with the initial outbreak.

As mentioned at the beginning, this is not an exhaustive list, but may help focus on the important things from a business perspective.

What about the individuals?

Now, what about the employees who are now potentially going to work from home for the first time? They will also need support and guidance. As someone who has worked from home for many years, I’d suggest that the following are all points which staff may benefit from knowing.

  1. If at all possible, create a separate dedicated workspace, ideally in a room where you can close the door at the end of the working day. This will help keep work and personal life separate. Not everyone will be able to do this, so an alternative of setting up somewhere which is out of the normal areas of high use / footfall within the house is perhaps the next best option. For example, it is a good idea not to set up in the kitchen if possible, because other people in the house will regularly come in for food and drink. This will disturb you and could possibly lead to a breach of security if unauthorised people (i.e. family and friends) can see what you are working on.
  2. Make sure you take regular breaks. In the office you probably don’t think twice about going to grab a coffee, and working at home is no different. The regular break encourages you to get up and move around, to stretch and perhaps speak to others in the house: this is healthy for you. Take care not to spend all day chatting, obviously, but it’s very easy to fall into the trap of sitting still for hours on end. I have a smartwatch which prompts me to get up and move every hour, and I find that very helpful.
  3. Try to stick to regular mealtimes, as you would do in the office. Many people go out at lunch to sandwich bars, cafes etc, and it may be that you can’t do that when at home. It’s a good idea to know what your normal lunch break would be and try to repeat it at home, bearing in mind you may have to prepare your food in that time too.
  4. Make technology work for you. Have video calls / voice calls as necessary. Some people find that switching on video and connecting to several colleagues, then leaving the video running, helps feel like you’re still in the same office. You don’t necessarily have to talk to your colleagues, but some find it helpful just to see and hear other people in the background.
  5. There’s always a question of whether to have the TV, radio or music on in the same room, or as background noise. That’s a personal choice: some people work well with that additional sound, others don’t. I find that I can’t work when there are those distractions, and I’ve been in offices where the radio is on all day and people seem to be able to work fine with it. Whatever works best for the individual is the right answer.
  6. Make sure you finish when you normally would, or at least when you would normally get home. It’s really important to have a break between work and personal time, so try to stick to your normal routine in terms of start and finish times.

These are some of my thoughts. I hope they’ve been useful. What works for you?