In response to the drastic increase of U.S. employees working remotely, the U.S. Federal Trade Commission (“FTC”) and the U.S. National Institute of Standards and Technology (“NIST”) have both issued guidance for employers and employees on best practices for teleworking securely.  In addition, the Cybersecurity and Infrastructure Security Agency (“CISA”) has provided advice on identifying essential workers, including IT and cybersecurity personnel, in critical infrastructure sectors that should maintain normal work schedules if possible.  Each set of guidance is discussed in further detail below.

NIST Guidance to Enterprises on Secure Telework, Remote Access, and BYOD

NIST has issued a bulletin on Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions to “help organizations mitigate security risks associated with the enterprise technologies used for teleworking.”  The bulletin summarizes key concepts and recommendations from NIST SP 800-46, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security and recommends that organizations consider the “balance between the benefits of providing remote access to additional resources and the potential impact of a compromise of those resources.”  To mitigate the risks associated with providing remote access, NIST recommends hardening resources against external threats and limiting access to the “minimum necessary.”

The NIST guidance also highlights the following key recommendations, derived from NIST SP 800-46:

  • Plan telework-related security policies and controls based on the assumption that external environments contain hostile threats. The NIST guidance specifically references three types of threats that organizations should assume exist, along with accompanying mitigation measures.
    • First, organizations can mitigate the risk that malicious parties will gain control of client devices and attempt to recover data from them, or leverage them to gain access to the enterprise network, by limiting storage of sensitive data on such devices, encrypting the device or the data present on it, and using strong authentication, “preferably multi-factor,” for access to the enterprise network.
    • Second, organizations can protect against the risk of eavesdropping, interception, or modification of communications on external networks by using encryption technologies to protect these communications and authenticating endpoints to each other to verify their identities.
    • Finally, organizations can protect against malware infections on client devices by utilizing anti-malware technologies, verifying a client’s security posture through network access controls, and segmenting client devices on a separate network.
  • Develop a telework security policy that defines telework, remote access, and BYOD requirements. NIST recommends that an organization’s policy define the forms of remote access the organization permits, the devices that can be used for remote access, the type of access each teleworker is granted, and the administration and patching of remote access servers.  NIST further recommends that organizations make “risk-based decisions” on the levels of remote access they will permit to different types of client devices.  The NIST guidance suggests considering a tiered approach for remote access that allows “the most controlled devices [e.g. organization-owned laptops] to have the most access and the least controlled devices [e.g. BYOD mobile devices] to have minimal access.”
  • Ensure that remote access servers are secured effectively and configured to enforce telework security policies. The NIST guidance notes that remote access servers not only serve a critical role in an organization’s remote access capabilities, but can also be leveraged by attackers for various types of malicious activities.  NIST recommends that such servers are not only configured as a single point of entry to the organization’s network that can enforce a telework security policy, but are also kept fully patched and only managed by authorized administrators from trusted hosts.
  • Secure organization-controlled telework client devices against common threats, and maintain their security regularly. The NIST guidance recommends that organizations not only apply their normal security baseline controls to client devices, including applying updates, disabling unneeded services, and using firewalls and anti-malware tools, but also consider enhanced controls to address the risks associated with teleworking, including encryption of sensitive data stored on the devices.  NIST also recommends that organizations provide guidance to device administrators and users on securing these devices.

FTC and NIST Guidance on Secure Teleworking for Employees

The FTC’s blog post on Online Security Tips for Working from Home, as well as guidance released by NIST on Telework Security Basics, build on prior guidance from both organizations on key cybersecurity practices.  While both organizations’ secure teleworking guidance is directed to individuals, employers should be prepared to support their employees in following the guidance and use it as a reference point for their own cybersecurity practices for remote work.  A summary of key points from both sets of guidance is provided below.

Although the specific details from each set of guidance differ, both the FTC and NIST guidance for teleworking securely revolve around many similar themes.  We have summarized the most notable themes below:

  • Follow organizational policies or rules: Both the FTC and NIST guidance include recommendations that employees follow security policies or rules established by their employers, including policies or rules that may govern working remotely.  In support of these efforts, organizations may want to ensure that employees are aware of these policies and consider whether any policies should be adjusted to account for the increase in remote work.
  • Adhere to good cybersecurity practices: The FTC urges employees to follow its “Cybersecurity Basics for Small Business” guidance, which recommends measures such as updating software, encrypting devices, requiring passwords, and using multi-factor authentication to access sensitive information.  NIST similarly encourages employees to keep their devices patched and updated, enabling automatic updates where appropriate.  Employers can use these suggestions as indications of cybersecurity practices that regulators may expect employers to maintain as employees shift to working remotely.
  • Enable device security features: The FTC’s guidance encourages the use of passwords for laptops, and NIST also encourages enabling “basic security features” on devices, such as PINs, fingerprint authentication, or facial recognition, to the extent that they are available.
  • Practice secure networking: Both the FTC and NIST guidance recommend that employees ensure that their home wi-fi networks are set up securely, using WPA2 or WPA3 security and a hard-to-guess password.  NIST also recommends that employees use an employer-provided VPN or, if none is provided, consider obtaining their own VPN service.  To support these efforts and maintain consistent security practices, employers may want to ensure that employees are aware of employer-approved VPN solutions and instructions for their use.
  • Maintain physical security: The FTC’s guidance also focuses on the physical security of the devices and files that employees may take home, as well as secure disposal of hard-copy personal information, which has previously been an area of interest for the FTC.  Employers may want to consider how they can limit the amount of personal information that employees may need to secure outside of the office, and how they can support secure disposal methods for information that employees may need to take home.
  • Report suspected security incidents: NIST’s guidance also emphasizes the importance of employees reporting “unusual or suspicious activity” on any device the employee uses to telework.  Employers should consider promoting awareness of incident reporting mechanisms to employees working remotely and plan for how to respond to possible incidents involving remote employees and, possibly, their personal devices.

NIST’s guidance also warns employees to be “on the lookout for social engineering attempts,” which may include emails with strange file attachments, communications from individuals claiming to be IT personnel asking for passwords or directing you to a website to “scan” your computer, or unusual web meeting requests.  NIST recommends that employees ask questions when confronted with such requests, and verify the authenticity of the request via phone “or other means” before proceeding, to avoid falling victim to malicious activity.  The FTC also recently released similar guidance on “Coronavirus Scams,” urging consumers to avoid clicking on unfamiliar links and to exercise caution with donation requests, online offers for vaccinations or cures, or emails purporting to be from the CDC, WHO, or other medical organizations.  As trends in fraudulent or malicious activity surrounding COVID-19 continue to develop, employers should consider alerting or reminding their employees of such scams and the appropriate steps they should take to minimize the risk of a potential security incident.

CISA Guidance on Critical Infrastructure Workforce

CISA has also released guidance on the identification of essential critical infrastructure workers that have a “special responsibility” to maintain their “normal work schedule” during the COVID-19 response.  The guidance covers workers across all sixteen critical infrastructure sectors and specifically identifies several categories of IT or information security personnel, including workers “supporting [information technology] command centers,” data center operators, client service centers and technicians supporting critical infrastructure, and workers “responding to cyber incidents involving critical infrastructure.”  CISA notes that its guidance is advisory, and that state and local authorities maintain responsibility for managing response activities within their borders, which could include the issuance of business closure or shelter-in-place orders.  The guidance therefore does not automatically exempt workers in critical infrastructure industries from such state and local restrictions.  The guidance also encourages workers to work remotely where possible or otherwise enlist strategies, such as social distancing or off-setting shifts, to reduce the likelihood of spreading the disease.

Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Ashden currently serves as a Judge Advocate in the U.S. Army Reserve.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.