Millions of Australians assailed by a relentless and confusing barrage of cyber security messaging from vendors warning them of an impending Zoom apocalypse as they struggle to work from home can finally take comfort: the nation’s digital spy masters feel your pain.
Fresh from issuing a thoroughly no-nonsense and brand-free advisory on the dos and don’ts of web conferencing and collaboration tools, the Australian Cyber Security Centre on Wednesday issued its latest official rundown on working from home (WFH).
For seasoned technology professionals the idea of a simple, official nine-point cyber security guide for working out of your kitchen, verandah or living room will probably seem a bit pedestrian.
Yet for millions of others it’s a painstakingly neutral, straightforward and plain-spoken plan that doesn’t ask you to buy, download or install a product or enter your details.
Once a specialist agency, the ACSC has had to pivot quickly towards being a generalist ‘go to’ for public cyber advice, the kind easily digested by the masses rather than being mangled by the mainstream media.
“The COVID-19 pandemic has resulted in many people working from home for the first time. Working from home has specific cyber security risks, including targeted cybercrime,” the ACSC's latest missive counsels users, earnestly resisting any commentary on Zoom bombing or the perils of using children as Level 1 tech support.
“When compromised, unauthorised access to your stored information can have a devastating effect on your emotional, financial and working life.”
Possibly not as devastating as COVID-19 itself, which is why the nation has been locked down, but there’s no denying the nationwide WFH phenomenon is a once-in-a-lifetime opportunity for hackers and promulgators of state- and criminal-sponsored espionage.
Aside from the usual warning on scams, phishing, baited links and bogus credential reset requests, there’s a Chopper-esque call for Australians to just harden up on their credentials and dump passwords for something tougher to brute force or guess.
“Passwords are passé!” the ACSC circular exhorts, telling users to use “a strong and unique passphrase on portable devices such as laptops, mobile phones and tablets.”
“Use a different passphrase for each website and app, particularly those that store your credit card details or personal information. To use the same username (such as an email address) and passphrase for multiple accounts means that if one is compromised, they are all at risk.”
Going multi-factor, including biometrics, also gets a thumbs-up - as does the necessary but persistently annoying practice of enabling automatic software and operating system updates that help reveal life’s little UX weak spots.
Our favourite bit of cyber pragmatism from ACSC is the tacit acknowledgement that despite the best of intentions, in reality households often wind up sharing devices, especially when it’s school holidays – or when your personal machine is better than what the office provides (or doesn’t provide).
“You should also carefully consider who has access to your devices. Don’t lend laptops to children or other members of the household using your work profile or account,” ACSC counsels, adding that “they could unintentionally share or delete important information or introduce malicious software to your device.”
So true, yet so often unavoidable. Let’s cut to the chase.
“If you do share your computers or devices with family or your household, have separate profiles so that each person logs in with a unique username and passphrase.”
Especially if you need to flick over to Netflix in the early afternoon to appease certain smaller people who won’t eat their healthier lunch and need distraction, only to discover the work VPN won’t let you do that or is simply too slow.