NIST: Time to take telework's cyber risks seriously

With telework and BYOD on the rise, NIST is updating its guidelines from 2009 to address how organizations and individuals can protect themselves from cyberattacks.

Federal teleworkers present an inviting target for hackers, according to NIST researchers. Information gleaned from teleworkers' devices can provide attack vectors for those targeting federal IT systems.

"Organizations are realizing that many data breaches occur when attackers can steal important information from a network by first attacking computers used for telework," said NIST computer scientist Murugiah Souppaya.

Two draft publications were released on March 11: the Guide to Enterprise Telework, Remote Access, and Bring Your Own Device Security and the User's Guide to Telework and Bring Your Own Device Security. In them, Souppaya and fellow NIST researcher Karen Scarfone advise organizations to assume that external environments contain hostile threats. NIST advises using multi-factor authentication for enterprise access. In case a device gets lost or stolen, organizations should encrypt the device's storage and all sensitive data stored on user devices, or refrain from storing sensitive data on devices at all.

Agencies should consider deploying separate networks for BYOD users, rather than mingling organization and personal devices on the same management system. Agencies should also take it for granted that user-owned devices will at some point acquire malware infections, the researchers urge, "and plan their security controls accordingly."

Teleworkers should beware of eavesdropping, interception, and modification on external networks that are outside the organization's control. The recommendations stress that encryption technologies can protect the confidentiality of communications and verify identities.

Teleworkers using their own laptop computer should secure its operating system and primary applications. Users bringing their own mobile device for telework should secure it based on the device manufacturer's security recommendations and back up all data. They should also make sure the wireless home network they are using is secure.

And while it may be tempting to check work emails at a hotel kiosk or on a friend's smartphone, NIST's policy for users suggests avoiding any device for telework that is not controlled by the organization, the teleworker, or a contractor or business partner affiliated with the organization.