Nepal issues 102-point cyber security advisory to safeguard data and networks

KATHMANDU: After repeated targeting by cyber attackers, the government has issued a 102-point advisory to safeguard official websites, data, and networks.

The National Cyber Security Center, the official government body responsible for cybersecurity, has issued this advisory to ensure the security of IT systems in government offices and to protect them from potential cyberattacks, said the center’s Director General, Anil Kumar Datta.

“The advisory was issued after observing issues such as problems with government websites, cyberattacks, and data theft. Reports indicate that government websites, applications, servers, networks, desktops, laptops, mobile devices, and social media platforms nationwide are under the threat of cyberattacks,” he said, adding that “to mitigate this, we have introduced a 102-point advisory as a tool. This will benefit not just government entities but also the general public by guiding them on how to avoid cyberattacks.”

According to him, the advisory includes various security measures related to websites, applications, servers, networks, desktops, laptops, mobile devices, and the use of social media. He highlighted that ignorance or negligence often leads to severe cybersecurity breaches, resulting in significant damages. “Government employees and citizens alike are not adhering to basic protocols. This advisory aims to inform and guide them. We expect it will significantly reduce cyberattacks, phishing, social engineering, and malware incidents in the future,” he said.

To address issues on government websites or applications, the center has directed all ministries, commissions, and departments to designate a “focal person” to be contacted. Regular updates, security testing, data backups, and the implementation of a business continuity plan have been advised for securing government websites and networks. Recommendations also include updating antivirus software, databases, application libraries, operating systems, and implementing multi-factor authentication.

Security for Desktops, Laptops, and Printers

The advisory suggests using licensed software only, enabling automatic updates for systems and BIOS, and isolating printers from internet access. It also advises setting unique passwords for shared office printers and avoiding print history storage. Staff are urged to log off or lock their devices when not in use and to shut them down when leaving the office.

Password Management

To combat hacking attempts, the advisory recommends creating strong passwords with at least 8 characters, mixing uppercase, lowercase, numbers, and symbols. Passwords should be changed every three months. The use of personal information, such as names, birthdates, or addresses, as passwords is strongly discouraged. Default passwords should be immediately changed, and multi-factor authentication enabled. Using the same password across multiple services is also advised against.

Internet Browsing Security

For secure internet use, private browsing or incognito mode is recommended, especially for accessing government applications, banking services, or other critical systems. Users should manually type website domains into the browser rather than clicking on links. Regular updates to browsers are advised, and usernames and passwords should never be saved in browsers. The use of unauthorized third-party services, such as unverified VPNs, and downloading pirated content should be avoided.

Email and Phishing Attacks

To avoid phishing, users are advised not to open emails or attachments from unknown senders. Suspicious emails should be marked as spam and deleted. Users are cautioned against hastily subscribing to unnecessary newsletters or mailing lists. Multi-factor authentication for email accounts, avoiding accessing work emails on public Wi-Fi, and using secure VPNs are also recommended.

Securing Removable Media

The advisory suggests scanning USB drives and external hard drives before use, encrypting sensitive data, and only using media approved by the office.

Social Media Safety

Users are urged to limit sharing personal information on social media and to avoid accepting friend requests or messages from unknown individuals. Government email addresses should not be posted on social platforms.

Mobile Device Security

The advisory recommends keeping mobile operating systems updated and enabling Wi-Fi, GPS, Bluetooth, and other sensors only when necessary. Users should download apps from trusted sources after reviewing ratings and user feedback. During sensitive meetings, mobile devices should be turned off and kept in a secure place. Additionally, precautions should be taken when clicking on links from SMS or social media platforms, particularly those offering discounts or offers.

The National Cyber Security Center has also advised enabling tracking features and maintaining offline records of the 15-digit IMEI number to secure stolen or lost mobile devices.

By following these measures and providing regular cybersecurity training for relevant employees, the government aims to strengthen the overall cybersecurity framework.