ALEXANDRIA, Va.—NCUA has issued a Risk Alert for credit unions deploying remote work policies.
The Alert reminds employees working remotely that they have a responsibility to address cybersecurity risks for their home networks, personal computing devices, and other internet-connected devices.
“Credit union employees working remotely should adhere to their organizations’ information security- and privacy-related policies and procedures. Policies and procedures should effectively address remote work by preparing employees to prevent security incidents and including provisions for responding to any incidents that do occur,” the Risk Alert states. “Controls over remote work and use of personal devices should be based on an institution’s risk assessment, and commensurate with the size and complexity of the institution.”
Best Practices
This Risk Alert outlines cybersecurity best practices for credit unions that leverage employees’ personal networks and devices.
Common cybersecurity risks for remote workers include:
- Malware attacks
- Phishing and other social engineering attacks
- Advanced Persistent Threat (APT) attacks
Other Steps to Take
NCUA added that to minimize the risk of a successful cyberattack while working remotely or with personal equipment, policies and procedures should address employee expectations, including:
- Ensuring family members or others do not use devices designated for work
- Implementing session time outs and encryption of sensitive information
- Keeping devices physically secure
- Working with a user account and not an administrator or privileged account
- Establishing strong, unique passwords for all log-ins and devices on their home network
- Leveraging firewall capabilities available through internet service providers
- Increasing wireless security to the strongest encryption option
- Removing unnecessary services and software
- Updating software regularly
- Maintaining antivirus software and ensuring timely updates to definitions
- Ensuring system and account logs are being collected and maintained
What Management Should Do
“Credit union management should communicate proactively with employees to verify that remote work is being done securely, and provide guidance and assistance as needed. Additional institution-level controls such as those designed to ensure operating system versions, patch levels, and anti-malware solutions meet your security standards, should be considered and addressed in your risk assessment,” NCUA stated.
For more info: Cybersecurity Considerations for Remote Work
