NIST: Time to take telework's cyber risks seriously

Federal teleworkers present an inviting target for hackers, according to NIST researchers. Information gleaned from teleworkers' devices can provide attack vectors for those targeting federal IT systems.

"Organizations are realizing that many data breaches occur when attackers can steal important information from a network by first attacking computers used for telework," said NIST computer scientist Murugiah Souppaya.

Two draft publications were released on March 11: the Guide to Enterprise Telework, Remote Access, and Bring Your Own Device Security and the User's Guide to Telework and Bring Your Own Device Security. In them, Souppaya and fellow NIST researcher Karen Scarfone advise organizations to assume that external environments contain hostile threats. NIST advises using multi-factor authentication for enterprise access. In case a device gets lost or stolen, organizations should encrypt the device's storage and all sensitive data stored on user devices, or refrain from storing sensitive data on devices at all.

Agencies should consider deploying separate networks for BYOD users, rather than mingling organization and personal devices on the same management system. Agencies should also take it for granted that user-owned devices will at some point acquire malware infections, the researchers urge, "and plan their security controls accordingly."

Teleworkers should beware of eavesdropping, interception, and modification on external networks that are outside the organization's control. The recommendations stress that encryption technologies can protect the confidentiality of communications and verify identities.

Teleworkers using their own laptop computer should secure its operating system and primary applications. Users bringing their own mobile device for telework should secure it based on the device manufacturer's security recommendations and back up all data. They should also make sure the wireless home network they are using is secure.

And while it may be tempting to check work emails at a hotel kiosk or on a friend's smartphone, NIST's policy for users suggests not using any device for telework that is not controlled by the organization, the teleworker, or a contractor or business partner affiliated with the organization.

About the Author

Bianca Spinosa is an Editorial Fellow at FCW.

Spinosa covers a variety of federal technology news for FCW including workforce development, women in tech, and the intersection of start-ups and agencies. Prior to joining FCW, she was a TV journalist for more than six years, reporting local news in Virginia, Kentucky, and North Carolina. Spinosa is currently pursuing her Master’s degree in Writing at George Mason University, where she also teaches composition. She earned her B.A. from the University of Virginia.
