In response to the drastic increase in the number of U.S. employees working remotely, the U.S. Federal Trade Commission (“FTC”) and the U.S. National Institute of Standards and Technology (“NIST”) have both issued guidance for employers and employees on best practices for teleworking securely. In addition, the Cybersecurity and Infrastructure Security Agency (“CISA”) has provided advice on identifying essential workers, including IT and cybersecurity personnel, in critical infrastructure sectors who should maintain normal work schedules if possible. Each set of guidance is discussed in further detail below.
NIST Guidance to Enterprises on Secure Telework, Remote Access, and BYOD
NIST has issued a bulletin on Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions to “help organizations mitigate security risks associated with the enterprise technologies used for teleworking.” The bulletin summarizes key concepts and recommendations from NIST SP 800-46, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security and recommends that organizations consider the “balance between the benefits of providing remote access to additional resources and the potential impact of a compromise of those resources.” To mitigate the risks associated with providing remote access, NIST recommends hardening resources against external threats and limiting access to the “minimum necessary.”
The NIST guidance also highlights the following key recommendations, derived from NIST SP 800-46:
- Plan telework-related security policies and controls based on the assumption that external environments contain hostile threats. The NIST guidance specifically references three types of threats that organizations should assume exist, along with accompanying mitigation measures.
- First, organizations can mitigate the risk that malicious parties will gain control of client devices and attempt to recover data from them, or leverage them to gain access to the enterprise network, by limiting storage of sensitive data on such devices, encrypting the device or the data present on it, and using strong authentication, “preferably multi-factor,” for access to the enterprise network.
- Second, organizations can protect against the risk of eavesdropping, interception, or modification of communications on external networks by using encryption technologies to protect these communications and authenticating endpoints to each other to verify their identities.
- Finally, organizations can protect against malware infections on client devices by utilizing anti-malware technologies, verifying a client’s security posture through network access controls, and segmenting client devices on a separate network.
- Develop a telework security policy that defines telework, remote access, and BYOD requirements. NIST recommends that an organization’s policy define the forms of remote access the organization permits, the devices that can be used for remote access, the type of access each teleworker is granted, and the administration and patching of remote access servers. NIST further recommends that organizations make “risk-based decisions” on the levels of remote access they will permit to different types of client devices. The NIST guidance suggests considering a tiered approach to remote access that allows “the most controlled devices [e.g. organization-owned laptops] to have the most access and the least controlled devices [e.g. BYOD mobile devices] to have minimal access.”
- Ensure that remote access servers are secured effectively and configured to enforce telework security policies. The NIST guidance notes that remote access servers not only serve a critical role in an organization’s remote access capabilities, but can also be leveraged by attackers for various types of malicious activity. NIST recommends that such servers not only be configured as a single point of entry to the organization’s network that can enforce the telework security policy, but also be kept fully patched and managed only by authorized administrators from trusted hosts.
- Secure organization-controlled telework client devices against common threats, and maintain their security regularly. The NIST guidance recommends that organizations not only apply their normal security baseline controls to client devices, including applying updates, disabling unneeded services, and using firewalls and anti-malware tools, but also consider enhanced controls to address the risks associated with teleworking, including encryption of sensitive data stored on the devices. NIST also recommends that organizations provide guidance to device administrators and users on securing these devices.
FTC and NIST Guidance on Secure Teleworking for Employees
The FTC’s blog post on Online Security Tips for Working from Home, as well as guidance released by NIST on Telework Security Basics, build on prior guidance from both organizations on key cybersecurity practices. While both organizations’ secure teleworking guidance is directed to individuals, employers should be prepared to support their employees in following the guidance and use it as a reference point for their own cybersecurity practices for remote work. A summary of key points from both sets of guidance is provided below.
Although the specific details of each set of guidance differ, the FTC and NIST guidance for teleworking securely revolves around many of the same themes. We have summarized the most notable themes below:
- Follow organizational policies or rules: Both the FTC and NIST guidance include recommendations that employees follow security policies or rules established by their employers, including policies or rules that may govern working remotely. In support of these efforts, organizations may want to ensure that employees are aware of these policies and consider whether any policies should be adjusted to account for the increase in remote work.
- Adhere to good cybersecurity practices: The FTC urges employees to follow its “Cybersecurity Basics for Small Business” guidance, which recommends measures such as updating software, encrypting devices, requiring passwords, and using multi-factor authentication to access sensitive information. NIST similarly encourages employees to keep their devices patched and updated, enabling automatic updates where appropriate. Employers can use these suggestions as indications of cybersecurity practices that regulators may expect employers to maintain as employees shift to working remotely.
- Enable device security features: The FTC’s guidance encourages the use of passwords for laptops, and NIST also encourages enabling “basic security features” on devices, such as PINs, fingerprint authentication, or facial recognition, to the extent that they are available.
- Practice secure networking: Both the FTC and NIST guidance recommend that employees ensure that their home Wi-Fi networks are set up securely, using WPA2 or WPA3 security and a hard-to-guess password. NIST also recommends that employees use an employer-provided VPN or, if none is provided, consider obtaining their own VPN service. To support these efforts and maintain consistent security practices, employers may want to ensure that employees are aware of employer-approved VPN solutions and instructions for their use.
- Maintain physical security: The FTC’s guidance also focuses on the physical security of the devices and files that employees may take home, as well as secure disposal of hard-copy personal information, which has previously been an area of interest for the FTC. Employers may want to consider how they can limit the amount of personal information that employees may need to secure outside of the office, and how they can support secure disposal methods for information that employees may need to take home.
- Report suspected security incidents: NIST’s guidance also emphasizes the importance of employees reporting “unusual or suspicious activity” on any device the employee uses to telework. Employers should consider promoting awareness of incident reporting mechanisms to employees working remotely and plan for how to respond to possible incidents involving remote employees and, possibly, their personal devices.
NIST’s guidance also warns employees to be “on the lookout for social engineering attempts,” which may include emails with strange file attachments, communications from individuals claiming to be IT personnel asking for passwords or directing the employee to a website to “scan” their computer, or unusual web meeting requests. NIST recommends that employees ask questions when confronted with such requests and verify the authenticity of the request via phone “or other means” before proceeding, to avoid falling victim to malicious activity. The FTC also recently released similar guidance on “Coronavirus Scams,” urging consumers to avoid clicking on unfamiliar links and to exercise caution with donation requests, online offers for vaccinations or cures, or emails purporting to be from the CDC, WHO, or other medical organizations. As trends in fraudulent or malicious activity surrounding COVID-19 continue to develop, employers should consider alerting or reminding their employees of such scams and of the appropriate steps to take to minimize the risk of a security incident.
CISA Guidance on Critical Infrastructure Workforce
CISA has also released guidance on the identification of essential critical infrastructure workers who have a “special responsibility” to maintain their “normal work schedule” during the COVID-19 response. The guidance covers workers across all sixteen critical infrastructure sectors and specifically identifies several categories of IT or information security personnel, including workers “supporting [information technology] command centers,” data center operators, client service centers and technicians supporting critical infrastructure, and workers “responding to cyber incidents involving critical infrastructure.” CISA notes that its guidance is advisory, and that state and local authorities retain responsibility for managing response activities within their borders, which could include the issuance of business closure or shelter-in-place orders. The guidance therefore does not automatically exempt workers in critical infrastructure industries from such state and local restrictions. The guidance also encourages workers to work remotely where possible or otherwise to adopt strategies, such as social distancing or offsetting shifts, to reduce the likelihood of spreading the disease.