NCUA recently issued a Risk Alert (20-Risk-01) to federally insured credit unions on cybersecurity concerns with remote work. The alert is primarily directed toward credit union boards of directors, CEOs, chief information officers, and chief information security officers.
NCUA notes that employees working remotely have a responsibility to address cybersecurity risks for their home networks, personal computing devices, and other internet-connected devices.
“Credit union employees working remotely should adhere to their organizations’ information security- and privacy-related policies and procedures. Policies and procedures should effectively address remote work by preparing employees to prevent security incidents and including provisions for responding to any incidents that do occur,” the alert reads. “Controls over remote work and use of personal devices should be based on an institution’s risk assessment, and commensurate with the size and complexity of the institution.”
This Risk Alert highlights cybersecurity best practices for credit unions that leverage employees’ personal networks and devices.
Common cybersecurity risks for remote workers include:
To minimize the risk of a successful cyberattack while working remotely or with personal equipment, policies and procedures should address employee expectations, such as:
Credit union management should communicate proactively with employees to verify that remote work is being done securely, and provide guidance and assistance as needed. Additional institution-level controls, such as those designed to ensure operating system versions, patch levels, and anti-malware solutions meet security standards, should be considered and addressed in a risk assessment.
The risk alert also contains information for employees who suspect an attack, guidance on how to respond to a security incident, and links to additional information on cybersecurity and working remotely.