Step 1 - Define a clear remote working policy
It's now more important than ever to make it clear to staff what they can and can't do when working from home.
Are staff allowed to use their own devices?
Also known as Bring Your Own Device (BYOD). If staff don't have work-issued devices they can use to work remotely, will the school allow staff to use their own personal devices? Work-issued devices should always be used where possible, as they're more likely to have security controls in place. Because these devices already have the school's software installed, they also reduce the likelihood that staff will use software that has not been approved.
If personal devices will be used by staff, here are some steps they can take to reduce risks:
i) Check that anti-virus software is installed and up-to-date
ii) Check that the operating system (Windows or Mac) is up-to-date
iii) Ensure that the device has a strong password, passcode or PIN
iv) Check that the device has a firewall enabled
v) Check that the device's storage is encrypted
We've developed a School Remote Working Staff Self-Checklist Pack to help schools with this. It is available at the moment at no cost.
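On a Windows device, most of the five checks above can be read straight from the operating system. The PowerShell script below is an added example, not part of the Self-Checklist Pack or the original article; it only reads settings, covers Windows and Microsoft Defender rather than macOS or third-party anti-virus, and its age thresholds are assumptions.

```powershell
# Added example: read-only self-check of a personal Windows device.
# Run in an elevated PowerShell window (Get-BitLockerVolume needs admin rights).
# The 7- and 35-day thresholds are assumptions, not values from the article.
function Invoke-Check {
    param([string]$Name, [scriptblock]$Check)
    try {
        $ok, $detail = & $Check   # each check emits: pass/fail boolean, detail text
        $status = if ($ok) { 'PASS' } else { 'FAIL' }
    } catch {
        # Cmdlet missing or access denied: never count that as a pass.
        $status = 'CHECK MANUALLY'; $detail = $_.Exception.Message
    }
    [pscustomobject]@{ Check = $Name; Status = $status; Detail = $detail }
}

$results = @(
    Invoke-Check 'i) Anti-virus (Microsoft Defender only)' {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and $mp.AntivirusSignatureAge -le 7
        "Enabled=$($mp.AntivirusEnabled); signatures $($mp.AntivirusSignatureAge) day(s) old"
    }
    Invoke-Check 'ii) Operating system updates' {
        $last = Get-HotFix -ErrorAction Stop | Where-Object InstalledOn |
            Sort-Object InstalledOn | Select-Object -Last 1 -ExpandProperty InstalledOn
        if (-not $last) { throw 'No update history found' }
        ((Get-Date) - $last).Days -le 35
        "Last update installed $($last.ToString('yyyy-MM-dd'))"
    }
    Invoke-Check 'iii) Strong password, passcode or PIN' {
        # Strength cannot be read back from the device, so always ask the user.
        throw 'Confirm with the device owner'
    }
    Invoke-Check 'iv) Firewall enabled' {
        $off = @(Get-NetFirewallProfile -ErrorAction Stop | Where-Object { $_.Enabled -ne 'True' })
        $off.Count -eq 0
        if ($off) { 'Disabled profiles: ' + ($off.Name -join ', ') } else { 'All profiles enabled' }
    }
    Invoke-Check 'v) Storage encrypted (BitLocker, system drive)' {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $vol.ProtectionStatus -eq 'On'
        "$($vol.MountPoint) $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
    }
)
$results | Format-Table -AutoSize -Wrap
```

A row marked CHECK MANUALLY means the setting could not be read, for example because another anti-virus product replaces Defender or the Windows edition lacks the BitLocker cmdlets, so it needs a manual look rather than being treated as a pass.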
Step 2 - Determine appropriate communications channels
Staff who work remotely don't have the opportunity to have discussions verbally, in person. They have no physical staffroom, yet there are inevitably still sensitive conversations that will need to take place with varying levels of confidentiality.
It's common for staff to find creative ways of doing their job using new technologies, often ones they use personally. These technologies can be ill-suited for work purposes and can present cyber security and data protection risks.
By determining which technology will be used for each type of communication, schools can avoid sensitive data being placed on inappropriate platforms.
For example, a school using the Microsoft Office 365 suite may determine:
School-provided Microsoft Outlook is used for email
(strictly confidential messages sent using encrypted email)
School-provided Microsoft Teams is used for meetings, video meetings & chat
School-provided OneDrive and SharePoint are used for file sharing
It would be unacceptable in this case for staff to use personal email accounts and personally-owned file sharing accounts such as Dropbox.
Step 3 - Brief staff on new threats and risks
Crises create opportunities for cybercriminals to exploit vulnerabilities in human nature and processes that haven't been carefully considered or practiced.
Covid-19 is no different. There have already been numerous malicious campaigns from criminals to exploit this situation, reported on by the BBC: