Govt employees asked not to use third-party VPN, Google Drive and Dropbox

Ten-page guideline from National Informatics Centre issues 'do's and don'ts' for cyber security

Indian government employees are advised not to use third-party virtual private networks (VPN) and cloud services like Google Drive and Dropbox, according to a 24-point "cyber security don’ts" issued by the state’s National Informatics Centre (NIC).  

The NIC’s 10-page guideline asks employees not to use third party toolbars, like download manager or weather tool bar in internet browsers, or external email services for "official communication".

"Don’t use any 3rd party anonymization services (ex: Nord VPN, Express VPN, Tor, Proxies, etc.),” says the eighth point of don’ts. That advisory comes weeks after NordVPN, ExpressVPN, Surfshark, and Tor pulled out of India after the country’s Computer Emergency Response Team (CERT-In’s) asked all VPN service providers to store user data for five years.

“All government employees, including temporary, contractual, and outsourced resources, are required to strictly adhere to the guidelines mentioned in this document. Any non-compliance may be acted upon by the respective CISOs/Department heads,” said the NIC document labeled "restricted" and available on the highways ministry’s website.

“The increasing adoption and use of ICT has increased the attack surface and threat perception for the government due to a lack of proper cyber security practices followed on the ground. In order to sensitise the government employees and contracted/outsourced resources and build awareness amongst them on what to do and what not to do from a cyber security perspective, these guidelines have been compiled,” the note added.

BusinessLine website reported that a senior NIC official confirmed the guidelines but declined to give details.

The NIC document has a 25-point list of "security do’s", asking employees to use authorised software and report suspicious mails.