Dear Boards of Directors, Chief Executive Officers, Chief Information Officers, and Chief Information Security Officers:
Technology affords opportunities for working remotely under normal circumstances, as well as in times of emergency. Employees working remotely have a responsibility to address cybersecurity risks for their home networks, personal computing devices, and other internet-connected devices.
Credit union employees working remotely should adhere to their organizations’ information security- and privacy-related policies and procedures. Policies and procedures should effectively address remote work by preparing employees to prevent security incidents and including provisions for responding to any incidents that do occur. Controls over remote work and use of personal devices should be based on an institution’s risk assessment, and commensurate with the size and complexity of the institution.
This Risk Alert highlights cybersecurity best practices for credit unions that leverage employees’ personal networks and devices.[1]
Common cybersecurity risks for remote workers include:
- Malware attacks;
- Phishing and other social engineering attacks; and
- Advanced Persistent Threat (APT) attacks.[2]
Preparing Employees to Prevent Security Incidents
To minimize the risk of a successful cyberattack while working remotely or with personal equipment, policies and procedures should address employee expectations, such as:
- Ensuring that family members or others do not use devices designated for work;
- Implementing session timeouts and encryption of sensitive information;
- Keeping devices physically secure;
- Working with a user account and not an administrator or privileged account;
- Establishing strong, unique passwords for all log-ins and devices on their home network;
- Leveraging firewall capabilities available through internet service providers;
- Increasing wireless security to the strongest encryption option;
- Removing unnecessary services and software;
- Updating software regularly;
- Maintaining antivirus software and ensuring timely updates to definitions; and
- Ensuring system and account logs are being collected and maintained.
Credit union management should communicate proactively with employees to verify that remote work is being done securely, and provide guidance and assistance as needed. Additional institution-level controls, such as those designed to ensure that operating system versions, patch levels, and anti-malware solutions meet your security standards, should be considered and addressed in your risk assessment.
Responding to a Security Incident
To minimize the impact of an attack, policies and procedures should address the immediate actions an employee should take when they suspect a cyberattack, such as:
- Disconnecting the device(s) from all internet connectivity;
- Keeping the computer on to preserve forensic evidence; and
- Reporting the incident to their organization.
Policies and procedures should also address how the credit union would respond to a security incident, such as:
- Filing a report with local law enforcement or other law enforcement agencies, such as the FBI Internet Crime Complaint Center;
- Taking appropriate corrective action, depending on the nature of the incident (for example, changing passwords, completing a forensic audit, and scanning and cleaning devices); and
- Evaluating whether the incident should be reported to the NCUA or state supervisory authority.
Cybersecurity Resources
The following resources provide additional information on cybersecurity risks and working remotely:
- Department of Homeland Security Cybersecurity and Infrastructure Security Agency, Security Tips for Home Network Security;
- National Institute of Standards and Technology Special Publication 800-46r2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security; and
- Information Sharing and Analysis Organization groups, such as the Financial Services Information Sharing and Analysis Center and the National Credit Union Information Sharing and Analysis Organization.
The Information Sharing and Analysis Organization has a complete list of Information Sharing Groups on its website.
While funds remain available, the NCUA’s Office of Credit Union Resources and Expansion has several grants and loans available that may be of use to your institution. If you have questions about cybersecurity, please contact your regional office or state supervisory authority.
Sincerely,
/s/
Rodney E. Hood
Chairman
[1] This information does not include all precautionary measures available, but includes various considerations based on recommendations from the Department of Homeland Security, the National Institute of Standards and Technology, and various law enforcement organizations.
[2] The definitions for these attacks and other cybersecurity terminology are provided by the National Institute of Standards and Technology Glossary.