Hybrid work is the reality for most organizations, including state and local government agencies. The pandemic initially caused many organizations to suddenly switch to full-time telework and now, managers may not know who’s going to be in the office and who’s going to be teleworking each day.
Agencies must prepare for their onsite employees to switch to telework at any time — and, more important from a security perspective, for their teleworkers to return to the office. The risk of a security incident increases every time a laptop, desktop, smartphone or tablet moves between unsecured telework environments and agency networks.
Bringing a telework device back to the office is particularly risky because it typically isn’t as well protected outside the office. For example, a telework device might be infected with malware from family members’ computers or Internet of Things devices on the employee’s home network. If an employee connects an infected laptop to an agency network, an attacker might gain an immediate foothold within that network, enabling the spread of ransomware throughout the agency.
Managers must secure devices before they’re used for telework. One way to do this is by following guidelines from the National Institute of Standards and Technology. Once devices are in use, agencies also need to reduce the risk by putting measures into place to return telework devices to the workplace safely.
Click the banner below for a customized content experience by becoming an Insider.
1. Allow Only Managed Devices to Use Regular Agency Networks
It’s generally best to allow only agency-managed laptops, smartphones and other devices to connect directly to the agency’s regular networks. When devices are managed, their security can be much better controlled; for example, by ensuring they’re fully patched and the necessary anti-malware tools are running and up to date.
When devices are agency-issued but unmanaged — meaning they’re manually managed by support personnel or the users themselves — it’s more likely that they’ll have significant security issues. And if Bring Your Own Device is permitted, such as when employees who normally work at the office have to telework unexpectedly, those devices are even more likely to pose a major security risk.
Instead of allowing unmanaged or personal devices to use regular networks, strongly consider establishing quarantine networks for these devices to use. This keeps higher risk user devices separate from the lower risk ones and gives the agency a better chance to ensure the devices are safe. A quarantine network should allow the devices on it to have only minimal access to the agency’s resources.
EXPLORE: What tools are available to help improve government security.
2. Check the Cyber Hygiene of Each Connecting Device
User devices connecting to any agency networks should have their cyber hygiene assessed before granting network access. Check for the following:
- Is all software on the device (OS and applications) fully patched?
- Is there any malware or unauthorized software installed on the device?
- Are anti-virus software and all other required security controls present, enabled and updated (if applicable)?
- Are there any signs of prior compromise, such as attacker tools?
Ideally, all devices should automatically connect to a separate (often virtual) quarantine network first, and be allowed to connect to a regular network only after all the cyber hygiene checks succeed. A variety of endpoint security technologies are available to do these checks.
3. Prepare to Rapidly Detect and Handle Security Incidents
Security incidents are inevitable. While the above practices will help reduce the number of incidents, no set of practices can completely prevent them. And the more often user devices go back and forth between external environments and agency networks, the more likely it is that agency malware infections and other compromises will increase. Cyber hygiene checks will catch and stop many of these, but not all.
It’s vitally important to have continuous monitoring in place to look for signs of compromised user devices, and to act quickly when suspicious activity is detected so that other devices don’t get infected too. Depending on an agency’s resources and user device base, managers might be able to do this in house, or they can turn to managed services. Managed services can be vigilant at all times, even when government security professionals can’t be.
DISCOVER: The keys to countering cyber attacks against state and local agencies.
In addition to user device monitoring, every agency needs to be prepared to take care of compromised user devices. The most common options are:
- Use anti-virus software or other anti-malware utilities to remove infections. After rescanning the device to confirm the malware is gone, run all typical cyber hygiene checks and correct any problems to reduce the chance of the attacker exploiting the same vulnerability again.
- Wipe the device and reimage it, or swap the device with a clean device. This could involve a loss of data if users store data only locally. Encourage users to store their data in agency-approved online locations and not on user devices only, where it probably won’t be captured in backups.
Finally, agencies should also try to discover the root cause of any incident. This helps to identify isolated problems or bigger challenges that require a plan, such as user training or additional security controls.
