COVID-19 has disrupted today’s workplace for the foreseeable future. Beginning in mid-March 2020, employees transitioned en masse from their onsite offices to a variety of off-site locations. Federal workers are not expected to return to the office almost a year later, and many businesses are still struggling with if and when to bring their employees back onsite. To help address cybersecurity-related issues, the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, developed a short guide on teleworking best practices. CISA published the Telework Essentials Toolkit on October 5, 2020.
By Thomas Wolfe, Head of Strategic Development, TalaTek
CISA was established on November 16, 2018, after the Cybersecurity and Infrastructure Security Agency Act of 2018 was signed into law. Its mission is to “address interoperability among the public safety community at all levels of government, foster intergovernmental cooperation, and identify and leverage common synergies.” Its role is to improve cybersecurity across the federal government, increase cybersecurity protections, and coordinate cybersecurity programs with the states. Its programs are applicable to both the public and private sectors.
CISA’s Telework Essentials Toolkit is broken into three sections that target guidance to executive leaders, IT professionals, and teleworkers.
The four strategic areas to help executive leaders drive cybersecurity strategy, investment, and culture are:
- Organizational policies and procedures
- Cybersecurity training requirements
- Moving organizational assets
- Cyber secure, hybrid culture
The six technical and tactical areas to help IT professionals develop security awareness and vigilance are:
- Patching and vulnerability management
- Enterprise cybersecurity controls
- Multi-factor authentication
- Organizationally approved products
- Frequent backup
- Domain-based message authentication
The four technical and tactical areas to help teleworkers develop increased security awareness and vigilance are:
- Configure and harden
- Secure practices and organizational policies
- Opening email attachments and clicking links
- Communicating suspicious activities
Like any good toolkit, the tools in this resource are designed to be used together to build a secure workplace. Common themes for each group include establishing and following organizational policies and procedures, taking basic security measures, and developing security awareness.
Enacting Organizational Policies and Procedures
All organizations, regardless of size, need to enact clear and consistent cybersecurity policies that employees at every level can follow. The Toolkit addresses this for each group. Executives can find links from organizations such as the National Institute of Standards and Technology and the National Cybersecurity Alliance on driving strategy, development, implementation, updating, and championing cybersecurity and telework policies and procedures.
IT professionals get details on how to implement and monitor these policies and procedures. Links to other CISA resources such as “Guidance on Supplementing Passwords with Multifactor Authentication” can show IT staff how to get started.
Teleworkers are also integral to successful cybersecurity practices and are encouraged to follow organizational policies, practices, and procedures for handling sensitive data (once leadership establishes and communicates them).
Taking Basic Security Measures
Whether remote workers are using company-provided devices or their own laptops, they need to observe and obey basic security measures. And it’s up to company executives to address the secure configuration and updates to those devices in the policies and procedures. CISA makes it clear that both the IT professional and the teleworker must patch, update, configure, and harden the devices they use. The Toolkit offers links to resources such as “NSA Telework and Mobile Security Guidance” and “Making Your Remote Workforce Cyber Ready.”
IT professionals must execute and maintain the patch and vulnerability management policy to keep organizational hardware and software up to date and continuously scan for vulnerabilities. Links to “CISA Tips and Understanding Patches and Updates” and “GCA Patch to Protect” can show them how.
Teleworkers get how-to help on configuring and hardening their home network by changing the default password to a complex one and reconfiguring routers to use WPA2 or WPA3.
Driving Security Awareness
It can’t be said enough. Hackers and cybercriminals are constantly on the lookout for weaknesses and vulnerabilities. And the human element—remote employees working on home networks—is an organization’s weakest link. So it’s vital to cultivate a culture of cyber awareness and vigilance and to include security training for employees at every level. The Toolkit provides resources to develop such programs. Executive leaders can find links to the “Cyber Readiness Institute Cyber Readiness Program” and “Creating a Cyber Ready Culture in Your Remote Workforce: Five Tips.”
Tips for IT professionals include keeping up to date on new cybersecurity controls such as zero-trust architecture and new collaboration and teleconferencing tools.
Teleworkers get information warning them of the dangers of opening email attachments and clicking links as well as advice on communicating suspicious activities to company leadership.
The Telework Toolkit also includes additional resources, including the Global Cyber Alliance’s Cybersecurity Toolkit for Small Businesses, and links to additional CISA guidance for all three levels.
This is not CISA’s first foray into teleworking safety. CISA has provided many additional teleworking resources and guidance since the coronavirus changed the landscape of how and where people work. These include General Teleworking Guidance, VPN Related Guidance, Video Conferencing Guidance, and Wireless Related Guidance.
With a COVID-19 resurgence predicted for this winter and no end in sight, CISA’s Teleworking Toolkit comes at a vital time for many organizations that are unsure of how to navigate the waters.
About the Author
Thomas Wolfe has more than a decade of experience in business development, project management, technical writing, and editing; he has proposal writing and management experience in the public and private sectors. In his business development and proposal writing/management capacity, Thomas has been instrumental in winning awards with a combined amount of more than $100M. In his technical writing, editing, and project management capacities, Thomas has supported such federal agencies as the Federal Aviation Administration, General Services Administration, Department of Homeland Security, and Department of Education, among others. Thomas graduated from West Virginia University with a major in English, Professional Writing, and Editing. Thomas’ personal pursuits include reading, collecting vinyl records, and hiking the Appalachian Trail, with a goal of hiking the AT from Harpers Ferry National Historic Park in West Virginia to Grayson Highlands State Park in Virginia (509 miles).