2020 saw a major disruption in the way many people work, learn, and socialize online. Our homes are more connected than ever. Our businesses are more connected than ever. With more people now working from home, these two internet-connected environments are colliding on a scale we’ve never seen before, introducing a whole new set of potential vulnerabilities for users. The second blog highlighting NIST resources for Cybersecurity Awareness Month is from NIST’s Julie Haney, Ph.D., lead for the NIST Usable Cybersecurity Program. In this blog post, Dr. Haney discusses some of the steps users and organizations can take to protect internet-connected devices for both personal and professional use.
I am the lead for the NIST Usable Cybersecurity Program, where I conduct research at the intersection of cybersecurity and human factors. My background was originally in computer science. I worked as a cybersecurity professional in the Department of Defense for over 20 years doing vulnerability assessments, writing security guidance, and, in general, focusing on trying to convince organizations to implement various security best practices. During that time, I recognized that security is not just a technology problem - there are many people and organizational factors that may impact adoption. And I really wanted to learn more about that. So, several years ago, I returned to school to get a Ph.D. in Human-centered Computing with a focus on cybersecurity. That led me to come to NIST as a guest researcher to work on usable security projects back in 2016. I loved the work and organization so much that my 6-month detail turned into 18 months! I was then fortunate enough to be hired directly by NIST in the spring of 2018.
NIST has some great security resources for both teleworkers and organizations supporting telework. For teleworkers, there are some informative articles on the Cybersecurity Insights Blog with tips on telework security and protecting privacy during virtual meetings. For organizations supporting telework, NIST has issued a new draft revision of Special Publication 800-46 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security that contains information on security considerations and recommendations when implementing remote access solutions.
In a nutshell, first, make sure you understand your organization’s telework policies and procedures. If your organization provides a VPN (virtual private network) for connecting into your work network, use that for stronger protection. If not, consider finding and using a reputable VPN (there are numerous available online) when conducting work-related activities. If you’re using a computer issued by your organization, hopefully it’s already configured securely and updated regularly, which can go a long way. However, if accessing work from your own computer, be sure to implement some basic security measures like using strong authentication (for example, passwords, PINs, or fingerprint or facial recognition), installing an anti-virus program on your Microsoft Windows computer (and keeping it updated!), and keeping up with the latest updates for your operating system and applications, especially those that fix security issues (enabling automatic updates if possible really helps). When using a wireless connection (Wi-Fi) on your home network, be sure to use WPA2/WPA3 for stronger protection and set a Wi-Fi password that is not easily guessable.
Other devices on your home network should be secured similarly so that they don’t become a jumping-off point for bad actors to attack your network or telework device. You also need to stay vigilant when it comes to email and be careful not to click on potentially dangerous attachments or links that try to steal your personal information or install malicious programs on your computer.
There’s also the added complexity and potential security risks of all the other “smart” connected devices we have, whether that be our fitness trackers, voice-controlled assistants like Amazon Alexa or Google Home, or smart cameras. Unfortunately, some of these don’t have the basic security settings that your mobile devices and computers may have. Be sure to set a strong password or other type of authentication on the smartphone companion apps for these devices and immediately install updates if you’re notified to do so. Consider what your devices can do and how that might affect your work from a security perspective if someone with bad intent should gain access to the devices. For example, I certainly wouldn’t recommend having a smart camera pointed at your work monitor! If you’re a bit more technology-savvy, consider segmenting your home network so that these connected devices are in their own subnet with limited access to other devices on your home network (like your work and personal computers) that may contain more sensitive information.
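One way to implement the home-network segmentation suggested above, as an added example that is not part of the original post and is not NIST guidance: an nftables ruleset for a Linux-based home router (OpenWrt-style) that puts smart devices on their own bridge and subnet, lets them reach only the internet, and logs and drops anything they send toward the computers that hold work or personal data. The interface names br-lan, br-iot and eth0, the output file path, and the helper names write_ruleset and iot_isolated are assumptions chosen for illustration; adjust them to your own router.

```shell
#!/bin/sh
# Added example (not from the NIST post): nftables segmentation for a home router.
# Interface names, subnets and the output path are assumptions for illustration.
TRUSTED_IF="${TRUSTED_IF:-br-lan}"   # assumed: bridge for work and personal computers
IOT_IF="${IOT_IF:-br-iot}"           # assumed: bridge for smart cameras, speakers, trackers
WAN_IF="${WAN_IF:-eth0}"             # assumed: uplink toward the ISP
RULESET_FILE="${RULESET_FILE:-${TMPDIR:-/tmp}/home-segmentation.nft}"

# Policy: the trusted LAN may initiate connections anywhere (internet and the IoT
# segment, so you can still manage devices); IoT devices may initiate connections
# only to the internet. Replies to connections the trusted LAN opened are allowed
# back by the established/related rule, so management still works.
write_ruleset() {
    cat > "$RULESET_FILE" <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet home_segmentation {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # Trusted LAN may use the router's own services (SSH, web UI, DNS, DHCP).
        iifname "$TRUSTED_IF" accept
        # IoT devices get DHCP and DNS from the router and nothing else.
        iifname "$IOT_IF" udp dport { 53, 67 } accept
        iifname "$IOT_IF" tcp dport 53 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Trusted LAN may reach the internet and the IoT segment.
        iifname "$TRUSTED_IF" oifname { "$WAN_IF", "$IOT_IF" } accept
        # IoT devices may reach the internet only.
        iifname "$IOT_IF" oifname "$WAN_IF" accept
        # New connections from IoT toward the trusted LAN: log (detection signal) and drop.
        iifname "$IOT_IF" oifname "$TRUSTED_IF" log prefix "iot-to-lan-blocked " drop
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Both segments share the single public address on the uplink.
        oifname "$WAN_IF" masquerade
    }
}
EOF
}

# Pre-deployment check on the generated file: the forward chain must drop
# IoT -> trusted LAN, and there must be no blanket accept from the IoT interface.
iot_isolated() {
    grep -q "iifname \"$IOT_IF\" oifname \"$TRUSTED_IF\" .*drop" "$RULESET_FILE" &&
    ! grep -Eq "^[[:space:]]*iifname \"$IOT_IF\" accept" "$RULESET_FILE"
}

write_ruleset
if iot_isolated; then
    echo "IoT segment is isolated from $TRUSTED_IF; ruleset written to $RULESET_FILE"
else
    echo "ruleset does not isolate the IoT segment" >&2
    exit 1
fi
# Load on the router with a syntax check first:  nft -c -f "$RULESET_FILE" && nft -f "$RULESET_FILE"
```

Both chains default to drop, so a device gets only what a rule explicitly grants; the log prefix on the IoT-to-LAN rule means a smart device that ever tries to reach your work computer leaves a line in the router's kernel log you can alert on, rather than failing silently.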
Some people believe there’s an inherent tension between a system being secure and being usable. However, usability and security really must co-exist; it’s not an “either-or” kind of thing. Systems that are easy to use but not secure may eventually become unusable when they fall prey to cyber attacks like phishing, viruses, or botnets. Conversely, there may be a good solution from a technology perspective, but if people can’t figure out how to use it or get really frustrated with that solution, they may either give up or find less-secure workarounds.
In usable security, we’re interested in the human factors of cybersecurity: understanding people’s perceptions, limitations, needs, tasks, and context when interacting with security technologies. For example, we know that security is not most people’s primary task and may be viewed as disruptive or burdensome. Many don’t really understand security threats and the complexities of security solutions, so they may be less inclined to follow security guidance. And, because we’re all human, we may be influenced by our own cognitive biases (for example, “No one would ever want to target me.”).
As usable security researchers, we “champion” the human in cybersecurity by providing actionable guidance to practitioners so they can consider these human factors when developing cybersecurity decisions, processes, policies, and products. Usability is a big piece of this. In fact, we have a little mantra within our group that we’d love for the security community to follow: “Make it easy to do the right thing, hard to do the wrong thing, and easy to recover when the wrong thing happens.” But we’re also really interested in how to empower people to make informed security decisions and influence attitudes and behaviors, for example via security awareness and training and digestible guidance. This emphasis on empowerment can really help to combat the misplaced attitude of some security folks that “users are stupid” or “humans are the weakest link” and change the narrative to everyone being regarded as active and capable partners in cybersecurity.
I can’t choose just one! The work itself is fascinating, and there’s an opportunity to have a positive, broad-reaching impact. I don’t want to do research just for research’s sake; we want to get our findings out to those who can actually do something with them so that we can help improve people’s cybersecurity experiences. And NIST’s long-standing stellar reputation and relationships across the security community really facilitate that.
I also really like the collegial and supportive work environment of the Information Technology Lab. I especially love working with the people in my group and their multi-disciplinary perspectives. Plus, they’re smart, diligent, kind, and fun to work with!
Good security habits are easier to form when they permeate someone’s entire life and do not just end when they power down their work computer. So, from an individual perspective, strive to engage in security-minded practices no matter where you are or what you’re doing. From an organizational perspective, in addition to addressing topics related to secure work habits, one of the trends we’re seeing in institutional security awareness training is providing information employees can use in their personal lives and take home to their families. This blended approach can be really effective.
For more information on ways to keep your devices secure while working at home, visit our Cybersecurity Awareness Month Resources page. Help spread the word, and don't forget to follow NIST on Facebook and Twitter (@NIST and @NISTcyber) and use the #BeCyberSmart hashtag in your social media messages.