Cybersecurity Considerations for Telework
With workers being remote, cyber threats are on the rise
The National Institute of Standards and Technology (NIST) has put out a series of new documents to help organizations and employees protect their privacy and security while working remotely. In a recent webinar, Ari Schwartz, coordinator of the Cybersecurity Coalition and director of Venable’s Cybersecurity Risk Management Group, moderated a panel of cybersecurity experts. The panelists discussed the recommendations set forth in the NIST publications and shared their advice on best teleworking practices. Here are some of the key takeaways:
- NIST Guidance. Much of the discussion revolved around one of NIST’s recent IT bulletins, Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions, which is directed at two audiences – seasoned IT professionals and “newly christened” teleworkers. The bulletin provides high-level information on how organizations can prepare for telework and remote access security, identifies the threats and problems organizations are facing, and offers recommendations on how to mitigate these threats through planning and implementation.
- Enterprise Planning. In ideal circumstances, organizations would have plenty of time to plan for telework before an emergency occurs. The situation brought about by COVID-19 was unprecedented: even organizations that had emergency policies in place suddenly had large numbers of people teleworking for the first time, on unfamiliar networks and equipment, so any existing policies should be re-evaluated to ensure they are up to date and sufficient. When re-evaluating telework policies, organizations should approach controls with a “zero-trust” mindset, adding new controls where necessary or adjusting how existing controls work.
- Defining Tiers of Access. NIST is encouraging organizations to take a tiered approach to their teleworking policies. Aside from implementing multi-factor authentication and encrypting communication and storage, organizations should think about defining tiers of access – what workers can access and from where. For instance, a company may support access to certain enterprise resources from devices the organization controls, but not allow workers to connect to a critical customer database from their smartphone. Ultimately, the best approach is to give workers only the access they need to further the organization’s mission. While it may be necessary to grant total access in an emergency, organizations should narrow the access to only what is necessary as soon as possible.
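The tiered-access and zero-trust points above can be made concrete as a small policy evaluator. The following is an added example written for this summary; it is not code from NIST, Venable, or the webinar panel. The resource names, tier assignments, device categories and the 14-day emergency window are all constructed assumptions chosen to illustrate the discussion: MFA and encrypted transport are required for anything beyond public material, critical resources are reachable only from organization-managed devices and never from phones, an emergency exception is time-boxed so access narrows again automatically, and being on the corporate VPN is deliberately never treated as a grant by itself.

```python
"""Tiered remote-access policy evaluator (constructed example, not NIST code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum


class Tier(IntEnum):
    """Sensitivity tier of an enterprise resource (hypothetical tiers)."""
    PUBLIC = 0     # low-sensitivity material, e.g. an intranet news page
    INTERNAL = 1   # day-to-day business systems, e.g. mail and chat
    CRITICAL = 2   # the "critical customer database" class of resource


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    device_managed: bool       # enrolled in and configured by the organization
    device_type: str           # "laptop" or "phone" (constructed categories)
    mfa_passed: bool           # user completed multi-factor authentication
    encrypted_transport: bool  # TLS or VPN tunnel protects the session
    on_corporate_vpn: bool     # recorded for audit only; never a grant (see evaluate)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    emergency_exception: bool = False  # flagged so it can be reviewed and revoked


# Hypothetical resource inventory: every reachable resource carries one tier.
RESOURCE_TIERS = {
    "intranet-news": Tier.PUBLIC,
    "mail": Tier.INTERNAL,
    "customer-db": Tier.CRITICAL,
}


def evaluate(req, now, emergency_until=None, tiers=RESOURCE_TIERS):
    """Decide one request against the tiered policy; default is deny."""
    tier = tiers.get(req.resource)
    if tier is None:
        # Least privilege: a resource nobody classified is not reachable.
        return Decision(False, "unclassified resource: default deny")

    # Zero-trust: the same checks run whether or not req.on_corporate_vpn is
    # set. Network location is logged, not trusted.
    if not req.encrypted_transport:
        return Decision(False, "transport not encrypted")
    if tier >= Tier.INTERNAL and not req.mfa_passed:
        return Decision(False, f"{tier.name} tier requires MFA")

    if tier == Tier.CRITICAL:
        if req.device_type == "phone":
            return Decision(False, "CRITICAL tier is not available from phones")
        if not req.device_managed:
            emergency = emergency_until is not None and now < emergency_until
            if emergency:
                # Total access may be needed in an emergency, but it expires.
                return Decision(True,
                                "unmanaged device admitted under emergency exception "
                                f"until {emergency_until.isoformat()}",
                                emergency_exception=True)
            return Decision(False, "CRITICAL tier requires an organization-managed device")

    return Decision(True, f"allowed at {tier.name} tier")


EXAMPLE_NOW = datetime(2020, 4, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock


def demo():
    """Evaluate constructed requests; returns {scenario_name: Decision}."""
    emergency_until = EXAMPLE_NOW + timedelta(days=14)  # hypothetical window
    base = dict(mfa_passed=True, encrypted_transport=True)
    managed_laptop = dict(base, device_managed=True, device_type="laptop", on_corporate_vpn=True)
    byod_phone = dict(base, device_managed=False, device_type="phone", on_corporate_vpn=False)
    byod_laptop = dict(base, device_managed=False, device_type="laptop", on_corporate_vpn=True)
    return {
        "managed_laptop_critical": evaluate(AccessRequest("alice", "customer-db", **managed_laptop), EXAMPLE_NOW),
        "byod_phone_critical": evaluate(AccessRequest("bob", "customer-db", **byod_phone), EXAMPLE_NOW),
        "byod_phone_mail": evaluate(AccessRequest("bob", "mail", **byod_phone), EXAMPLE_NOW),
        "no_mfa_mail": evaluate(AccessRequest("carol", "mail", **dict(byod_phone, mfa_passed=False)), EXAMPLE_NOW),
        "byod_laptop_critical_during_emergency": evaluate(
            AccessRequest("dave", "customer-db", **byod_laptop), EXAMPLE_NOW, emergency_until),
        "byod_laptop_critical_after_emergency": evaluate(
            AccessRequest("dave", "customer-db", **byod_laptop), EXAMPLE_NOW + timedelta(days=30), emergency_until),
        "unclassified": evaluate(AccessRequest("erin", "payroll-export", **managed_laptop), EXAMPLE_NOW),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:42s} allowed={decision.allowed!s:5s} {decision.reason}")
```

The evaluator keeps the tier inventory separate from the rules so that adding a resource is a classification decision rather than a code change, and every denial carries a reason string that can be logged for the review of access patterns that NIST recommends when policies are re-evaluated.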
Please select this link to read the complete blog post from Venable LLP.