Cyber Security

What is the general idea of the service?

The DistanceLab project will develop a cyber security tool that will be useful for all organisations that have remote workers and for those that want to digitalize their businesses. This pilot will be developed together with SMEs and the public sector to find the best practices.

Why are we piloting it?

The DistanceLab project aims to develop tools that enhance stakeholders’ resilience and adaptability by improving their skills in remote activities. With increasing digitalization and remote work, the risks of data leaks and cyber-attacks are heightened. Therefore, cyber security awareness and data security skills are integral components of every organization’s risk management and resilience.

Why is your organisation invited to join?

This tool will be particularly useful for SMEs and the public sector. The challenge lies in the fact that cyber security risks vary depending on the industry and the size of the organization. That’s why we need to engage in discussions with various stakeholders in order to develop a tool that can be utilized by individuals and organizations. 

What do you get?

You will have the opportunity to participate in interactive workshops where current cyber threats will be discussed, engage in discussions with experts, and share best practices. You have a unique chance to be involved in an EU-funded project, where you can share your ideas and learn from others.

Security Training

Provide regular security training with a focus on remote work-related security issues.

Ensure that the employees are aware of the latest threats.

Physical Security

Provide guidelines to employees for securing their home work environment.

Consider lockable cabinets for sensitive information if necessary.

Passwords

Encourage employees to use strong passwords and change them regularly.

Provide tools for password management if needed.

Email

Ensure employees have clear instructions for identifying suspicious emails.

Provide tools for verifying email authenticity if necessary.

Workspace

Encourage employees to keep their workspace tidy and protect confidential information. Provide secure storage options if needed.

Backup

Ensure that backups cover remote employees.

Provide company services for backup.

Remote Work

Provide secure remote working tools and ensure that employees are familiar with their proper use. Also check the security of remote connections regularly.

Mobile Devices

Provide company-approved mobile apps.

Ensure that the employees use mobile devices properly.

Malware Infection

Establish clear procedures for how to deal with malware infections.

Provide support services and stay in contact with security officers.

Culture of Continuous Improvement

Encourage open communication and reporting of security observations.

Continuously assess and update company security practices to address the work environment and the changing threat landscape.

Customize these guidelines to fit the specific needs of your company.

Security is a responsibility for all.

Security Training

Be an active participant in regular security training sessions. Understand security aspects related to remote work and stay informed about new threats.

Physical Security

Create a calm and secure work environment at home.

Secure sensitive documents in a lockable cabinet and keep your workspace private.

Passwords

Use strong passwords and change them regularly. Do not share your passwords with anyone, and keep them secure from other family members.

Email

Exercise caution with suspicious emails. Always verify the authenticity of a message, especially if personal information is requested.

Workspace

Lock your computer whenever you leave your workspace.

Keep your home environment tidy and protect confidential information.

Backup

Ensure that important files are stored securely, and back up data regularly.

Use company-provided cloud services if available.

Remote Work

Always use a strong password and enable multi-factor authentication for remote connections. Use secure remote work tools provided by the company.

Mobile Devices

Protect your phone with a passcode and ensure your device is always updated and secure. Avoid unnecessary apps and download only from official app stores.

Malware Infection

If you suspect a security issue, stay calm.

Disconnect and contact your security officer or supervisor.

Cybersecurity Strategy

Develop a comprehensive cybersecurity strategy that addresses potential threats and vulnerabilities in your digital services.

User Data Protection

Implement robust measures to protect user data, including encryption, secure storage, and access controls.

Compliance with Data Privacy Laws

Ensure strict compliance with data privacy regulations, such as GDPR, and regularly audit data handling practices.

Regular Security Audits

Conduct regular security audits to identify potential weaknesses in your digital services.

Stay informed about threats, and participate in cybersecurity communities.

Incident Response Plan

Establish an incident response plan to handle and mitigate cybersecurity incidents.

Employee Cybersecurity Training

Provide thorough training for employees on cybersecurity best practices to minimize the human factor in security incidents.

Third-Party Security Assessments

Conduct regular security assessments of third-party services and tools integrated into your digital services.

Continuous Monitoring

Implement continuous monitoring tools to detect and respond to security threats in real-time.

Secure Development Practices

Incorporate secure coding practices into the development process to prevent common vulnerabilities.

Remote workers can use scanning to identify vulnerabilities in their home network. Scanning can be used as part of cybersecurity measures to ensure that home networks are protected, and potential threats are detected and addressed promptly.
 
Nessus Essentials is one of the free cybersecurity tools available that can help enhance online security. It provides the ability to conduct security scans on a computer or network. Nessus Essentials offers reports on detected vulnerabilities and suggests actions to fix them. Tools such as these are an excellent way to identify and address security issues without requiring in-depth technical expertise.

By scanning devices and the network, potential vulnerabilities and security gaps can be identified. This helps prevent possible attacks and safeguards information. Through scanning, a remote worker can check which devices are connected to their home network. It's important that all devices are known and secure. Using up-to-date software is crucial for maintaining security, and scanning can reveal if devices have outdated software.

The frequency of using a scanner depends on various factors, including the specific security requirements of the individual or organization, the nature of the devices and networks involved, and the level of potential risks.

LET'S TALK ABOUT CYBERSECURITY

Conversations over coffee are most enjoyable when they are interactive. This is also the case when it comes to cybersecurity. It is quite typical that someone talks about cybersecurity and others listen. But that does not have to be the case. Coffee breaks at the workplace are a great opportunity to take everybody into account: ask questions and listen.

It’s also easier to notice if something is not understood, and to explain in more depth:
“What on earth am I going to do with the VPN?”
The discussion will help you to understand what people really want to know about cybersecurity.

Often, cybersecurity issues are far from the minds of ordinary people. People don’t really know how things relate to their lives. Why should they need to understand how multi-factor authentication works or how to protect their email account –
“I don’t have anything important there!”
It is important to show how cybersecurity relates to the world of even the most ordinary person: what could happen to them if they can no longer access their email, why anyone can become a cybercrime victim, and what things are of value to a hacker.

Coffee breaks at the workplace are important for the well-being of employees. And remember, when working remotely, chatting with colleagues is just as important.

This guide was also built through joint discussions and interaction. See the link tips on the last page!

Pictures in this guide:
Adobe Stock, Canva, DistanceLab team

WHAT IS CYBERSECURITY?

Cybersecurity covers both the software and the operations that keep devices and information secure.

It refers to the actions needed to protect

  • network
  • information systems
  • network users
from cyber threats.

Data security, information security and data protection are also used in everyday language.

How do they differ from cybersecurity?

Cybersecurity ensures
  • the security of information,
  • the security of information systems and devices in a networked environment.
  • It aims to prevent damage caused by malicious software
MIRJAM
LIZA

Data protection and privacy laws relate to the proper collection and use of personal data.

You have the right to know what information is collected and stored about you by online services and you have the right to request its deletion.

I don't have to worry about data security because I HAVE NOTHING TO HIDE!

Think again!

People usually lock the door of their house when they leave home because they don't want thieves to get in.

Nowadays all kinds of information are stored in the digital world, and it's a good idea to keep the doors leading to it locked.

LAURA
LEENA

Maybe I should make a list of all the digital doors and windows I have...

Good idea! Do you have an email to log in to online services? What would happen if someone took over your social media account?

Don't forget that you also have online banking credentials. Is your credit card number public information?

Your health information and your prescriptions are also information you don't want others to see.

Which online services have information about you?

UH, I CAN'T EVEN REMEMBER MANY DIFFERENT PASSWORDS!

Hackers need passwords and usernames to take over accounts.
Login credentials are stolen in data leaks all the time.

Hackers use passwords and usernames to try to hijack other online accounts as well!

They can simply try different passwords. Computer programs can go through billions of passwords per second.

NICK
LILLY

I hate our IT-Team: they always require me to change my password.

IT-Team is your friend! Ask them for a trusted password management app!

It helps you to store your passwords for different online services. You only need to remember the master password!

Write here examples of lousy passwords nobody should ever use!

What is a good password policy in an organization?

Complexity requirements

  • Complex passwords make it harder to guess or crack through brute-force attacks
  • Always include a mix of UPPERCASE and lowercase letters, numb3rs, and speci@l characters.

Minimum length

  • Set a minimum password length to ensure passwords are harder to crack
  • Longer passwords are generally more secure, for example minimum 12 characters.
  • A strong password might include a phrase to enhance security and to be easier to remember.

“IUSEDtoRUNwithMYDOGat0900!”

Regular password changes

  • Encouraged or mandatory regular password changes help maintain security and reduce the
    risk of compromised passwords, e.g. requiring employees to update their passwords every
    3-6 months.
  • Never reuse passwords or passphrases.

Multi-Factor Authentication (MFA)

  • Can be, for example, a combination of a password and a temporary code sent to your phone.
  • Implement it wherever possible, especially for accessing sensitive systems or data.
  • Adds an extra layer of security by requiring users to provide multiple forms of verification.

Provide ongoing education and training to employees
about the importance of password security and best practices.
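
A small checker for the policy points above (minimum 12 characters, mixed character classes, no reuse, regular changes), added here as an illustration and not part of the DistanceLab guide. The function names, the 180-day limit (the upper end of "3-6 months") and the PBKDF2 settings are assumptions; old passwords are kept only as salted hashes, never in clear text.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

MIN_LENGTH = 12                 # the guide's example minimum length
MAX_AGE = timedelta(days=180)   # assumption: upper end of "every 3-6 months"
PBKDF2_ROUNDS = 100_000         # assumption: work factor for the history hashes


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash so stored history does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_history_entry(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) for storing a retired password."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def missing_classes(password: str) -> list[str]:
    """List the character classes the policy asks for that are absent."""
    checks = {
        "uppercase letter": any(c.isupper() for c in password),
        "lowercase letter": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "special character": any(not c.isalnum() and not c.isspace() for c in password),
    }
    return [name for name, present in checks.items() if not present]


def is_reused(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """Compare against every stored entry using a constant-time comparison."""
    reused = False
    for salt, digest in history:
        if hmac.compare_digest(hash_password(password, salt), digest):
            reused = True
    return reused


def check_new_password(password: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return a list of policy problems; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    problems += [f"missing {name}" for name in missing_classes(password)]
    if is_reused(password, history):
        problems.append("reused from password history")
    return problems


def change_due(last_changed: date, today: date) -> bool:
    """True when the password is older than the allowed maximum age."""
    return today - last_changed > MAX_AGE


if __name__ == "__main__":
    # Constructed sample data: the guide's example passphrase and a weak password.
    history = [make_history_entry("IUSEDtoRUNwithMYDOGat0900!")]
    for candidate in ["summer2024", "IUSEDtoRUNwithMYDOGat0900!", "MyCatSleepsOnTheRouter@7pm"]:
        print(candidate, "->", check_new_password(candidate, history) or "accepted")
    print("change due:", change_due(date(2024, 1, 1), date(2024, 8, 1)))
```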

CRIMINALS CAN OBTAIN LOGIN INFORMATION BY PHISHING.

That simulation our IT department organized was an eye-opener. It's astonishing how easy it is to fall for a scam!

Indeed!

Now that I've learned to recognize phishing emails, it feels like I encounter them constantly!

I almost clicked on a link until I noticed the URL was wrong. Can't be too careful with these things!

And I got a mail about a delivery of a product I never ordered!

It's concerning how phishing attempts come from so many different channels now. Hackers can ask unsuspecting victims for their login details by email, SMS, scam sites or even by phone.

CARMEN
JASMIN

Ask your colleagues about what kinds of phishing attempts they have noticed:

How to recognize an online scammer?

Unexpected messages

  • Scammers may contact you unexpectedly via email, social media, or phone.
  • Be cautious with messages from unknown or unexpected sources.

Too good to be true offers

  • Offers promising large sums or unreal deals may be scams.
  • Verify the legitimacy of such offers through reliable sources.

Urgency and pressure

  • Scammers use urgency to rush victims into decisions.
  • Be wary of limited-time claims or threats and evaluate situations calmly.

Request for personal information or money

  • Avoid sharing personal info or money with unknown sources.
  • Legitimate organizations verify before requesting sensitive information.

Poor communication and presentation

  • Look for unusual URLs, mismatched logos, or poor grammar as scam signs.
  • Some scammers use AI for more sophisticated presentations.

My dear colleague, may I point out that THE SCREEN SHOULD BE LOCKED WHENEVER YOU LEAVE YOUR DESK!

Oh! But I just went to the bathroom, and besides, there's nothing interesting open on my computer.

Locking the screen is a good habit. Sometimes you might go away for a bit longer, and if you don't lock the screen anyone can read your email.

PETER
LAYLA

We can find cybersecurity checklists on the DistanceLab project website!

I would really need some reminders and a poster about safety behavior in cybersecurity...

Remember Cyberhygiene!

Tool usage and security

File Sharing

  • Use tools to encrypt data on devices, USB drives, and cloud storage.
  • Encryption ensures only authorized users can access data.
  • Encryption improves security, especially if the device is lost or stolen.
  • Protect files from unauthorized access or interception during transit; encrypted file-sharing platforms ensure that files remain protected.

Data access

  • Implement multi-factor authentication (MFA) to protect data from
    unauthorized access and breaches.
  • Apply the principle of least privilege to limit data access to necessary
    personnel.

USB Device Management

  • Establish policies and procedures for USB device usage within the
    organization to mitigate the risk of data leakage or malware infection.
  • Scan for malware.

Regular Security Audits

  • Conduct audits to identify vulnerabilities in file management and security
    processes.
  • Address discovered weaknesses proactively to enhance security.

It's crucial to maintain security while WORKING REMOTELY. I've heard that remote connections can be easier targets for accessing company data.

True! I've started using two-factor authentication even when working on my home network. The protection might not be as strong as in the office.

How do we ensure that all data remains secure when people are working remotely from different locations? VPN, right?

I also use VPN! I've installed the company-provided security software on my home computer too, to avoid accidentally sharing confidential information.

Working remotely, I worry more! I feel alone with my concerns and I feel there are more threats than opportunities.

JULIA
GREGOR

It's worth discussing the issue! When working remotely, loneliness, busyness, and stress decrease your wellbeing and may make you more vulnerable to cyberattacks. There is also a chance of falling for social engineering: those attacks that try to appeal to your emotions!

Invest in wellbeing and make sure remote workers also feel included in the working community. This way they are also more committed to the company instructions and practices.

Remote work and cybersecurity

Secure Remote Access

  • Ensure that remote access to company systems and data is secure.
  • Use virtual private networks (VPNs).
  • Use multi-factor authentication (MFA).

Device Security

  • Implement policies to secure remote devices such as laptops, tablets, and smartphones.
  • Install antivirus software, enable firewalls, implement device encryption.
  • Remember regular updates.

Data Protection

  • Establish guidelines for handling and storing sensitive data while working remotely.
  • Encourage the use of secure file storage and sharing solutions, such as encrypted cloud
    storage or company-approved file-sharing platforms, to prevent data breaches.
  • Do not discuss confidential matters out loud on the phone in public transportation or
    cafes.

Awareness Training

  • Provide remote employees with cybersecurity awareness training about common threats.
  • Empowering employees to recognize and respond to security threats can help prevent security incidents.

Regular Security Assessments

  • Assessments and audits evaluate the effectiveness of remote work security measures.
  • Identify potential vulnerabilities: includes assessing remote access controls, device
    security configurations, and compliance with security policies and procedures.
  • Proactive approach allows organizations to address any weaknesses.

2. Do other people hear your calls?

3. Do you use public networks?


I FEEL POWERLESS, I NO LONGER DARE TO USE THE INTERNET!

Many worries can be minimized by taking a little time to plan ahead. For example, you can prevent malware and viruses by using antivirus software and keeping your software up to date.

Routines and regular checks create security. I try to get into the habit of updating my computer whenever it asks for it.

Good! No more pressing that “Later” button!

ANNE
DANIEL

"MAN IN THE MIDDLE" ATTACK

Your Internet traffic goes through many servers before connecting to the site you are using. Someone might intercept your traffic along the route and see what you do on the Internet, including your password. Beware of public and unsecured Wi-Fi networks and protect yourself with reliable VPN software.

Why are updates important?

Security updates

  • They often include security patches that fix vulnerabilities discovered in the software.
  • Reduce the risk of cyberattacks and data breaches.

Bug fixes

  • Updates also frequently include bug fixes that address software issues or disruptions.
  • Outdated software may lead to performance problems, crashes, or other usability issues.
  • Outdated software can disrupt productivity and user experience.

Compatibility

  • Compatibility issues may arise when using older versions with newer operating systems or
    hardware configurations.
  • Newer versions of software often introduce compatibility improvements with other
    programs or devices.
  • By staying updated, you ensure that your software can work seamlessly with the latest
    operating systems, hardware, and third-party integrations

Features and improvements

  • Updates sometimes introduce new features that improve functionality, usability, or performance
  • You can take advantage of these improvements to streamline workflows.
  • Updates may improve productivity, or access new capabilities.

Compliance and support

  • Using outdated software may lead to compliance issues with industry regulations or standards.
  • Vendors typically provide support and assistance only for the latest versions of their software.

LEARN MORE ABOUT CYBERSECURITY:

DistanceLab
https://interreg-baltic.eu/project-posts/distance-lab/remote-business-strategy-pilots-how-to-participate/

Cyber citizen
https://cyber-citizen.eu/en/
Download the “Cyber city tycoon” game:
https://play.google.com/store/apps/details?id=com.aalto.cybercitizen&pli=1

Cyber-resilient Kymenlaakso
https://www.xamk.fi/en/project/cyber-resilient-kymenlaakso/

ISSUES – Information Security and digital Services for sUstainablE designS
https://www.cybernorth.se/

In a job interview

  • Find out how a person generally relates to cybersecurity.
  • Example questions for the recruiter:
    * How did you consider cybersecurity at your previous workplace?
    * How important do you think cybersecurity is?
    * Is cybersecurity important to you or do you prefer to leave it to the IT department?
    * What password practices do you have?
    * Do you know someone who has been the victim of a cybersecurity breach, and how do you feel about it?
  • Do you know someone who knows the person you are considering recruiting?
  • Check references.

Worth considering in the social and health care sector

  • Staff in the social and health care sector are interested in caring
    for people, not IT systems.
  • However, if one out of two applicants says that data protection
    is important, this should be taken into account in the
    recruitment decision.

Once the person has been recruited

  • Ensure that people working remotely receive
    regular training.
  • The desire to learn is an important quality in all
    work, and in remote work it is really important
    to be curious and want to get to know things.
  • It is important that everyone stays up to date
    on cybersecurity issues (not just the IT
    department).

How can the employer support and engage their employees?

  • Attend a data security training together.
  • The employer should maintain motivation and engage the work community to minimize staff
    turnover (risk of information leakage)
  • Provide clear instructions to employees on how to take care of cyber hygiene.
  • Ensure that data security instructions are visible in the workplace (for example, a board on the wall).
  • Provide instructions on who to contact if an employee suspects they have been the victim of a
    cybersecurity incident.
  • Develop an action plan to support employees in the event of harassment on social media.
  • Develop guidelines for mobile work:
    * how to act with customers
    * on summer holiday trips, abroad, on trains, buses, airports

Cybersecurity review of your home office

  • How do you handle confidential documents?
  • Who hears your calls?
  • Do you do things other than work-related matters
    on the work computer?
  • Is the VPN turned on?

After employment

  • The employee promises on a signed form that the
    employer’s company information or customer
    information is not available on the home
    computer, in the cloud or on paper.
  • Ensure that the former employee does not have
    user credentials, permissions or access to the
    organization’s systems

Mobile and teleworking cyber- and data security audit form

Mobile and Teleworking Cybersecurity Audit

Intended for self-assessment of employees' cyber and information security.

| Remote Workstation | Your Answer | Your Own Notes | How to Reduce Your Risk |
|---|---|---|---|
| Can you lock the door to your remote working space? | ☐ Yes ☐ No ☐ Sometimes | | Lock your workspace whenever possible. Discuss with your employer whether they would be interested in paying for an electric lock, for example. |
| Does your remote working space have a lockable locker or cupboard? | ☐ Yes ☐ No ☐ Sometimes | | Lock your equipment and documents in a cupboard whenever you leave the premises (during lunch, at the end of the working day). Discuss with your employer whether they are interested in paying for a lockable cupboard in the room. |
| Are there other people (non-work colleagues) in your workspace when you are working? | ☐ Yes ☐ No ☐ Sometimes | | Can you turn the screen so that it is not visible to others? Get a privacy film for the screen if this is not possible. |
| Do other people hear what you say during your working day? | ☐ Yes ☐ No ☐ Sometimes | | Close the door. Use headphones. Lower your voice. If it is a confidential matter, go to a place where no one can hear the conversation or ask outsiders to leave. |
| Do other people have access to your workstation when you are not present? | ☐ Yes ☐ No ☐ Sometimes | | Lock the device every time you get up from your workstation. Use a password long enough and unique enough. Keep your documents out of the reach of outsiders. "The empty desk principle." |
| Can your screen be seen through a window from the street? | ☐ Yes ☐ No ☐ Sometimes | | Protect your data. Use curtains or reflective film on the window if necessary. |

| In Public Places | Your Answer | Your Own Notes | How to Reduce Your Risk |
|---|---|---|---|
| Do you make business calls in the presence of other people? | ☐ Yes ☐ No ☐ Sometimes | | Never use a loudspeaker. Your conversation partner's voice will not be heard if you use headphones. Go to a private space. This tip also applies to public transport and cafés. |
| Do you use a computer in a public place? | ☐ Yes ☐ No ☐ Sometimes | | Get a privacy screen protector for your screen. If this is not possible, do not handle confidential information where others can see your screen. |
| Do you connect to public or free networks with your devices? | ☐ Yes ☐ No ☐ Sometimes | | Avoid connecting to the public network. Share the network from your phone instead. If you absolutely have to use the public network, remember to use a VPN. |

| Working Methods | Your Answer | Your Own Notes | How to Reduce Your Risk |
|---|---|---|---|
| Do all work devices have a password or PIN code? | ☐ Yes ☐ No ☐ Sometimes | | Set the passwords without delay. |
| Do you leave your work phone unattended to charge? | ☐ Yes ☐ No ☐ Sometimes | | Ensure confidential messages are not visible on the screen during charging. Place your phone securely. |
| If confidential messages may appear on the mobile screen during charging, you should consider where you leave your mobile | ☐ Yes ☐ No ☐ Sometimes | | Set your computer to autolock (e.g. 5 minutes). Remember to lock the screen when you leave the room. |
| When connecting your computer to a projector, do you ensure your password is not visible? | ☐ Yes ☐ No ☐ Sometimes | | Unplug the projector when you enter a password. |

| Do You Know... | Your Answer | Your Own Notes | How to Reduce Your Risk |
|---|---|---|---|
| Who to ask for advice if you're worried about cybersecurity issues? | ☐ Yes ☐ No ☐ I am not sure | | Ask for guidance. |
| What to do if you suspect a scam email or phone call? | ☐ Yes ☐ No ☐ I am not sure | | Ask your employer about the company’s data security policies. |
| What to do if your computer starts behaving strangely? | ☐ Yes ☐ No ☐ I am not sure | | You have about 40 seconds to act, after which your entire company network may be down. In the case of a desktop computer, unplug the network and power cable as quickly as you can. In the case of a laptop, put it in airplane mode (find out right away where the function is on your own computer) and press the power button down for 15 seconds. DO NOT RESTART. |

Employee Declaration at the End of Employment

To be completed upon the termination of employment.

I hereby confirm that I have returned all property belonging to _______________ (employer) that was in my possession. This includes both tangible and intangible assets.

Additionally, I declare that I no longer have access to any of the company's information, nor do I retain any company-related data in my possession, such as customer records, files, supplier lists, spreadsheets, contracts, or any other information, whether in electronic or physical form.

I have also checked:

  • all personal and other devices I have used (for example, my phone, including my photo gallery, computer, tablet, etc.), and
  • any services I have used, such as social media, communication tools, or cloud services,

and I have deleted any photographs, documents, or other confidential information belonging to _______________ (employer) from them.

Place and date:

Name of the employee:

_________________________________

Service Leader

Laura Palovuori

RDI Specialist