Tips on Cyber Safety

Kelly Garant
Ontario Digital Service
Apr 24, 2020
Working remotely episode 5 — cyber safety
Photo credit: Noelle Campbell-Smith

Editor’s Note: In the coming weeks, follow our new series, Working Remotely.

As the series unfolds, if you have any questions or feedback to share, email us directly at digital.training@ontario.ca. In case you missed it, check out

As public servants, we share thousands of electronic communications every single day. While there are many benefits to fast, secure and efficient communication, there are also challenges — particularly as a large portion of the public service is working remotely, all at the same time.

So we sat down with ethical hacker and former director of the Ontario Digital Service, Zeena Abdulla, and Senior Manager, Cybersecurity Advisory Group, Sam Wissa, to better understand what public sector teams can do to stay safe online, while working from home.

Please note: if you are part of a broader public sector organization in Ontario, and you are interested in getting advice, guidance or joining the Community of Practice on Cyber Security, reach out to cyberadvice@ontario.ca with your broader public sector organization email address.

So… what does the Cyber Security Division do?

You might know the Cyber Security Division as the folks that run the “phishing scam awareness campaigns” and you’d be correct!

“A lot of our work is focused on ensuring that public servants and the general public are cyber safe through awareness campaigns,” says Sam.

“And sometimes it feels uncomfortable and upsetting when you are tricked by a security test, but everyone will fall for one at some point in time,” says Zeena. “This is one way of immunizing government against new techniques being used in the wild to trick public servants into sharing information.”

Zeena also went on to compare her work to that of a dentist.

“It’s almost like going to the dentist: you don’t want to go because you don’t want them to find things you haven’t been doing, but it’s important to go regularly to be safe, diligent, and ensure prevention rather than just addressing problems.”

Secure by design

The Cyber Security Division also works to ensure what’s called a ‘secure by design’ approach to all digital products and services used across the Ontario Public Service.

“It’s not just about taking a product off the shelf and turning it on, or running an audit of a governance function, after a product has been launched, it’s about having cyber experts embedded into the design and development of products and services from start to finish,” says Sam. “We are shifting away from being an adversarial function, and more into a core, embedded function in every product that launches.”

How to stay safe while working from home

Don’t go “phishing”

Phishing scams refer to messages that have been deliberately faked to make it appear like they originate from a trusted and authentic source. The most common phishing scams can come through email, phone calls, and text messages.

If you’re in the Ontario Public Service, the Cyber Security Division has put together a special report on how to detect Coronavirus (COVID-19) phishing emails.

“Phishy” emails

It’s good practice to check all parts of the email: the sender address, the subject line, the date and time, the body text, and any attachments or links.

Image sources from: https://staysafeonline.org/blog/security-awareness-episode-4-phishing-and-ransomware/

Ask questions like:

  • Do you recognize where the email is coming from?
  • Does the time stamp on the email seem strange?
  • Are there any spelling mistakes or grammatical errors seen throughout?
  • Are there any attachments or URLs included that seem unusual?

Never share your password

Never share your passwords or disclose them to others — including co-workers, managers/staff, or anyone claiming to be from I+IT or the service desk — whether by email or over the phone.

Passwords: length is key

“Password complexity doesn’t matter anymore, because any 8-character password can be cracked in a few hours with cloud computing,” says Zeena. “Make sure your password is over 10 characters in length and avoid commonly-used passwords, such as password.”

Another suggestion raised by Sam is to group passwords into different categories.

“We know that technically best practice is to have a unique password for every device, but that just isn’t how people operate,” says Sam. “To counter this, create passwords by grouping them to the function of the password. For example, use the same long password for all your essential services, with 2-factor authentication (i.e., email account, banking info, ecommerce) and a different password for your media/entertainment-related services.”

Also consider using single sign-on methods (e.g. sign in with your Google account with 2-factor authentication) instead of creating new accounts everywhere. This means you’ll have fewer passwords to remember and a little more security when dealing with small sites with weaker security.

Connect to home Wi-Fi safely

It’s important to make sure your home network is secure and safe. Use a strong and unique password for your home Wi-Fi: one that is at least 10 characters long and is not the same as your Wi-Fi access point name.

Always change the factory password on your router and use a secure Wi-Fi protocol (WPA2 encryption if available).

Information sensitivity classification

When it comes to information sensitivity classification (ISC), one size does not fit all.

Industry estimates indicate that approximately 80% of information created by an organization — including government — is unclassified or low sensitivity. Another 15% is medium sensitivity, and the remaining 5% fits into the high sensitivity level.

Information classification is an important aspect of cyber safety and can be broken down into three basic steps:

  • CLASSIFY the information to one of the four sensitivity levels;
  • LABEL all information with the appropriate sensitivity level; and,
  • SAFEGUARD the information in accordance with its sensitivity level.

When determining the sensitivity classification levels consider the following:

The information in context

  • What type of information is it?
  • Where does the information appear?
  • How is the information being used?
  • What other information appears with it?
  • What legislation applies to it?

Think about the potential for harm and injury if the information were ever disclosed without authorization

  • It might be loss of life — for example, unauthorized disclosure of undercover police identities;
  • It might be business disruption or financial hardship — for example, unauthorized disclosure of corporate taxes or job tenders.

Determine the business requirement for the information (is it governed by legislation?) and how much confidentiality the information requires (who should have access to it?)

  • Access is restricted to named individuals or positions only.
  • Access is usually restricted to specific work groups or units.
  • Access is often restricted to Ontario Public Service employees and known service delivery partners.
  • There are no access restrictions for unclassified information. This information is suitable for public consumption.

“Once you’ve classified the information, don’t forget to label it! We classify and label information to communicate how to safeguard it properly,” says Sam. “When you see a sensitivity classification label, it’s your responsibility to know the required safeguards to protect that information.”

Cyber safe videoconferences

Here are a few safety considerations to keep in mind when videoconferencing.

  • Use the latest version of the web conferencing solution.
  • Ensure meeting organizers are aware of and know how to use the security features in your organization’s web conferencing software.
  • Avoid cross-posting teleconference IDs or videoconference links to unmanaged or public forums.

More information can be found in the Canadian Cyber Security Guide to Secure Videoconferencing.

If you have any experiences to share or know of a great public service team working remotely, email us directly at digital.government@ontario.ca or comment below!
