NIST offers tips for secure telework
- By Derek B. Johnson
- Mar 17, 2020
Workers across the country are being sent home and told to telework as the coronavirus outbreak continues to spread. As virtual meetings and other online interactions become a reality for many federal agencies and businesses, so too do the related cybersecurity threats.
The National Institute of Standards and Technology has issued advice for organizations that must communicate remotely, warning that the lackadaisical security policies of the past will no longer cut it as hackers and spies seek to take advantage of the increased attack surface created by the surge in nationwide remote work.
"Unfortunately, if virtual meetings are not set up correctly, former coworkers, disgruntled employees, or hackers might be able to eavesdrop," wrote Jeff Greene, director of NIST's National Cybersecurity Center of Excellence. "Using some basic precautions can help ensure that your meetings are an opportunity to collaborate and work effectively -- and not the genesis of a data breach or other embarrassing and costly security or privacy incident."
Greene laid out a number of suggestions for keeping virtual work discussions private and safe, most of which are simple and likely to already be specified (if not always heeded) in an organization's existing policies.
Limiting reuse of access codes for phone meetings along with one-time PINs and multifactor authentication can help ensure that only authorized users are on more sensitive calls. For virtual or web meetings, waiting rooms and dashboards can help monitor attendees and keep track of unnamed or generic visitors. They can also help an organization keep track of who is (and isn't) supposed to be connected.
Not every work meeting will require the use of every step. Greene encouraged organizations to use different protocols for low-, medium- and high-risk calls, and NIST developed an easy-to-use graphic to help workers determine when to use what option. More sensitive work may require tactics like distributing PINs at the last minute, identifying all attendees and then locking the meeting and ensuring that all attendees are connecting from approved devices.
The Cybersecurity and Infrastructure Security Agency has also warned that widespread telework could open up new opportunities for digital compromise. The agency put out its own security guidance last week for organizations relying on enterprisewide virtual private networks, including testing VPNs for mass usage; ensuring VPNs, network infrastructure devices and end-user devices are patched and up to date; ramping up log reviews, attack detection and incident response and recovery activities; and implementing multifactor authentication wherever possible.
Derek B. Johnson is a former senior staff writer at FCW.