Is Telework a Growing Cyber Threat? New Guidelines Offer Security Tips


The agency is collecting public comment on guidance for teleworkers who use mobile devices and laptops to remotely access content.

The National Institute of Standards and Technology is revising its telework guidance to address cybersecurity concerns associated with employees who access work content on their personal smartphones, tablets and computers. 

A bring-your-own-device policy could make organizations vulnerable to hackers, new draft guidance from NIST suggests. For example, employers are finding that "many data breaches occur when attackers can steal important information from a network by first attacking computers used for telework," Murugiah Souppaya, a NIST computer scientist, said in a blog post published this week.

The agency is collecting public comment on the new draft telework guidance, which includes security-related recommendations for both the organizations and the employees themselves, including suggestions to create separate, external networks for personal devices.

NIST recommended organizations "plan their remote access security on the assumption that the networks between the telework client device and the organization cannot be trusted," one draft publication said.

Agreements between organizations, employees and contractors about protocols for device security "generally cannot be automatically enforced," the guidance read, "so unsecured, malware-infected, and/or otherwise compromised devices may end up connected to sensitive organizational resources."

The agency also recommended that employees create unique access codes and passwords for the devices, set auto-locks after the device is idle, and disable Bluetooth and Near Field Communication features except when necessary, one draft said.

NIST is collecting public comment on the drafts until April 15.
