NIST: Time to take telework's cyber risks seriously
- By Bianca Spinosa
- Mar 15, 2016
Federal teleworkers present an inviting target for hackers, according to NIST researchers. Information gleaned from teleworkers' devices can provide attack vectors for those targeting federal IT systems.
"Organizations are realizing that many data breaches occur when attackers can steal important information from a network by first attacking computers used for telework," said NIST computer scientist Murugiah Souppaya.
Two draft publications were released on March 11: the Guide to Enterprise Telework, Remote Access, and Bring Your Own Device Security and the User's Guide to Telework and Bring Your Own Device Security. In them, Souppaya and fellow NIST researcher Karen Scarfone advise organizations to assume that external environments contain hostile threats. NIST advises using multi-factor authentication for enterprise access. In case a device gets lost or stolen, organizations should encrypt the device's storage and all sensitive data stored on user devices, or refrain from storing sensitive data on devices at all.
Agencies should consider deploying separate networks for BYOD users, rather than mingling organization and personal devices on the same management system. Agencies should also take it for granted that user-owned devices will at some point acquire malware infections, the researchers urge, "and plan their security controls accordingly."
Teleworkers should beware of eavesdropping, interception, and modification on external networks that are outside the organization's control. The recommendations stress that encryption technologies can protect the confidentiality of communications and verify identities.
Teleworkers using their own laptop computer should secure its operating system and primary applications. Users bringing their own mobile device for telework should secure it based on the device manufacturer's security recommendations and back up all data. They should also make sure the wireless home network they are using is secure.
And while it may be tempting to check work emails at a hotel kiosk or on a friend's smartphone, NIST's policy for users suggests not using any device for telework unless it is controlled by the organization, the teleworker, or a contractor or business partner affiliated with the organization.
Bianca Spinosa is an Editorial Fellow at FCW.
Spinosa covers a variety of federal technology news for FCW including workforce development, women in tech, and the intersection of start-ups and agencies. Prior to joining FCW, she was a TV journalist for more than six years, reporting local news in Virginia, Kentucky, and North Carolina. Spinosa is currently pursuing her Master’s degree in Writing at George Mason University, where she also teaches composition. She earned her B.A. from the University of Virginia.