NIST: Time to take telework's cyber risks seriously

Federal teleworkers present an inviting target for hackers, according to NIST researchers. Information gleaned from teleworkers' devices can provide attack vectors for those targeting federal IT systems.

"Organizations are realizing that many data breaches occur when attackers can steal important information from a network by first attacking computers used for telework," said NIST computer scientist Murugiah Souppaya.

Two draft publications were released on March 11: the Guide to Enterprise Telework, Remote Access, and Bring Your Own Device Security and the User's Guide to Telework and Bring Your Own Device Security. In them, Souppaya and fellow NIST researcher Karen Scarfone advise organizations to assume that external environments contain hostile threats. NIST advises using multi-factor authentication for enterprise access. In case a device gets lost or stolen, organizations should encrypt the device's storage and all sensitive data stored on user devices, or refrain from storing sensitive data on devices at all.

Agencies should consider deploying separate networks for BYOD users, rather than mingling organization and personal devices on the same management system. Agencies should also take it for granted that user-owned devices will at some point acquire malware infections, the researchers urge, "and plan their security controls accordingly."

Teleworkers should beware of eavesdropping, interception, and modification on external networks that are outside the organization's control. The recommendations stress that encryption technologies can protect the confidentiality of communications and verify identities.

Teleworkers using their own laptop computer should secure its operating system and primary applications. Users bringing their own mobile device for telework should secure it based on the device manufacturer's security recommendations and back up all data. They should also make sure the wireless home network they are using is secure.

And while it may be tempting to check work emails at a hotel kiosk or on a friend's smartphone, NIST's policy for users suggests not using any device for telework that is not controlled by the organization, the teleworker, or a contractor or business partner affiliated with the organization.

About the Author

Bianca Spinosa is an Editorial Fellow at FCW.

Spinosa covers a variety of federal technology news for FCW including workforce development, women in tech, and the intersection of start-ups and agencies. Prior to joining FCW, she was a TV journalist for more than six years, reporting local news in Virginia, Kentucky, and North Carolina. Spinosa is currently pursuing her Master’s degree in Writing at George Mason University, where she also teaches composition. She earned her B.A. from the University of Virginia.
