NIST: Time to take telework's cyber risks seriously


Federal teleworkers present an inviting target for hackers, according to NIST researchers. Information gleaned from teleworkers' devices can provide attack vectors for those targeting federal IT systems.

"Organizations are realizing that many data breaches occur when attackers can steal important information from a network by first attacking computers used for telework," said NIST computer scientist Murugiah Souppaya.

Two draft publications were released on March 11: the Guide to Enterprise Telework, Remote Access, and Bring Your Own Device Security and the User's Guide to Telework and Bring Your Own Device Security. In them, Souppaya and fellow NIST researcher Karen Scarfone advise organizations to assume that external environments contain hostile threats. NIST advises using multi-factor authentication for enterprise access. In case a device gets lost or stolen, organizations should encrypt the device's storage and all sensitive data stored on user devices, or refrain from storing sensitive data on devices at all.

Agencies should consider deploying separate networks for BYOD users, rather than mingling organization and personal devices on the same management system. Agencies should also take it for granted that user-owned devices will at some point acquire malware infections, the researchers urge, "and plan their security controls accordingly."

Teleworkers should beware of eavesdropping, interception, and modification on external networks that are outside the organization's control. The recommendations stress that encryption technologies can protect the confidentiality of communications and verify identities.

Teleworkers using their own laptop computer should secure its operating system and primary applications. Users bringing their own mobile device for telework should secure it based on the device manufacturer's security recommendations and back up all data. They should also make sure the wireless home network they are using is secure.

And while it may be tempting to check work emails at a hotel kiosk or on a friend's smartphone, NIST's policy for users suggests not using any device for telework that is not controlled by the organization, the teleworker, or a contractor or business partner affiliated with the organization.

About the Author

Bianca Spinosa is an Editorial Fellow at FCW.

Spinosa covers a variety of federal technology news for FCW including workforce development, women in tech, and the intersection of start-ups and agencies. Prior to joining FCW, she was a TV journalist for more than six years, reporting local news in Virginia, Kentucky, and North Carolina. Spinosa is currently pursuing her Master’s degree in Writing at George Mason University, where she also teaches composition. She earned her B.A. from the University of Virginia.
