Route Fifty — By Aaron Boyd, Senior Editor, Nextgov — October 5, 2020
The mass teleworking required by the ongoing COVID-19 pandemic is creating new cybersecurity vulnerabilities and exacerbating old ones. In response, the Cybersecurity and Infrastructure Security Agency released a quick guide to help organizations address these issues at every level.
The guide is broken into three parts, each representing distinct users in the telework security ecosystem: bosses, security professionals and everyday employees.
“The Cybersecurity and Infrastructure Security Agency is providing these recommendations to support organizations in re-evaluating and strengthening their cybersecurity as they transition to long term telework solutions,” the guidance states.
The guide suggests four focus areas for executive leaders:
- Review and update organizational policies and procedures.
- Implement cybersecurity training requirements.
- Determine the risks of moving assets beyond the traditional perimeter—such as printing from home and use of personal email and devices.
- Create a hybrid culture of remote and on-premises employees.
Similarly, the guide offers four tips for remote employees working from home:
- Ensure your home network is properly configured and hardened.
- Follow secure practices and organizational policies for handling sensitive data, including personally identifiable information, protected health information, classified materials, intellectual property and sensitive customer or client information.
- Use caution when opening email attachments and clicking links in email.
- Report suspicious activity to your organization’s IT security team.
But the biggest onus is on IT managers, for whom the guide offers six suggestions:
- Ensure hardware and software inventories include new items added due to teleworking so that patching and vulnerability management are effective.
- Implement, maintain and invest in enterprise cybersecurity controls to securely connect employees to the organization’s network and assets.
- Enforce multifactor authentication for remote access to organizational systems and services.
- Maintain a list of organizationally approved products, including collaboration tools and teleconferencing applications.
- Perform frequent backups of the organization’s systems and important files, verify backups regularly, and store backups offline and offsite.
- Implement a Domain-Based Message Authentication, Reporting and Conformance, or DMARC, validation system to address increased risk of phishing and business email compromise in remote working environments.
CISA also provides links to additional resources under each recommendation.
While the guide provides good advice for federal agencies, it is meant for a wider audience to help secure the nation as a whole.
“The Telework Essentials Toolkit is designed to assist business leaders, IT staff, and end users in their transition to a secure, permanent telework environment through simple, actionable recommendations,” CISA wrote on the toolkit website.
The guide is also just the latest piece of a larger set of telework resources provided by CISA, including General Telework Guidance, VPN-Related Guidance, Video Conferencing Guidance and Wireless Related Guidance, all targeting the larger American population.
Federal agencies also received government-specific advice in the form of interim guidance from CISA’s Trusted Internet Connection program office. That office is currently working on the third iteration of the TIC program, which will eventually include deeper security standards for remote work. Recognizing an immediate need, TIC officials released the interim guidance in April to help agencies manage through the pandemic.