NCUA risk alert: Cybersecurity considerations for remote work


NCUA warned federally insured credit unions in a risk alert on Tuesday about the cybersecurity risks related to employees working from home.

Credit union employees working remotely should adhere to their organizations’ information security- and privacy-related policies and procedures, which should effectively address remote work by preparing employees to prevent security incidents and also include provisions for responding to any incidents that do occur, the risk alert stated.

The risk alert stated that common cybersecurity risks for remote workers include malware attacks, phishing and other social engineering attacks, as well as advanced persistent threat attacks, in which an unauthorized user obtains access to an institution’s network and remains there undetected for an extended period of time.

Credit union management should communicate with employees to ensure that remote work is being done securely, providing guidance and assistance as needed, and make sure that institution-level controls meet the security standards outlined in their risk assessment plans, the risk alert stated.

To minimize the risk of a successful cyberattack while working remotely or with personal equipment, the risk alert states that policies and procedures should address employee expectations, including:

  • ensuring that employees’ family members or others do not use devices designated for work;
  • implementing session time-outs and encryption of sensitive information;
  • keeping devices physically secure;
  • working with a user account and not an administrator or privileged account;
  • establishing strong, unique passwords for all log-ins and devices on their home network;
  • leveraging firewall capabilities available through internet service providers;
  • increasing wireless security to the strongest encryption option;
  • removing unnecessary services and software;
  • updating software regularly;
  • maintaining antivirus software and ensuring timely updates to definitions; and
  • ensuring system and account logs are being collected and maintained.

The full risk alert can be accessed on NCUA’s website.

Leave a Reply