REDSTONE ARSENAL, Ala. – With so many of the U.S. Army Aviation and Missile Command workforce teleworking to help minimize the spread of COVID-19, agency information technology experts are asking everyone to practice heightened awareness of cybersecurity risks and practices.
“Think about it – with so many people operating remotely – you can bet cyber bad guys are on the lookout for a way to exploit the changes in routine operations and work locations,” said AMCOM G-6 Cybersecurity and Privacy Division Chief Dan Stewart. “The good news is, there’s a lot you can do to stay cyber-secure while working in a home environment.”
Rule Number 1 – Official work can only be done on official government equipment. Use of non-government-furnished equipment (GFE) to process Army information is prohibited. The use of non-approved commercial tools on the Army network to process data is also prohibited, according to AMCOM G-6 Chief Information Officer Shirley Perkey.
“These rules are in place to protect the employee and the organization,” she said. “Inappropriate use exposes the Army to risks including attacks, compromise of network systems and services, and legal issues. These rules apply to all employees, contractors, consultants, temporary employees and other workers assigned to Army organizations.”
Stewart offered some additional cybersecurity tips for teleworkers:
• Arrange your home workspace in a manner that prevents any others (family members, roommates and guests) from seeing your computer screen or overhearing your telephonic work discussions.
• Check your home internet connection. Make sure your Wi-Fi password is protected. Update your password, just in case you’ve previously provided it to guests or former roommates.
• Always remove your common access card (CAC) when you step away from your computer – exactly like you would if you were in your office.
• Be extra-vigilant against risks in email – turn off reading panes, scrutinize sender addresses and don’t open emails from questionable sources; delete anything suspicious.
• If what you’re working on doesn’t require a virtual private network, or VPN, connection, disconnect it so other teleworkers who do need it can better access the secure connection.
• Use internet-based webmail whenever possible – https://web.mail.mil – you can send encrypted email without taking up bandwidth on AMCOM’s VPN.
• Make sure you know how to identify and mark For Official Use Only (FOUO) and controlled-unclassified information – encrypt emails containing that type of information.
Check out additional cybersecurity tips that were recently published by the Department of Defense Cyber Exchange: https://cyber.mil. The website also provides cyber-awareness training and updates.
Do:
• Reboot your machine prior to establishing a VPN connection.
• Ensure your government-furnished equipment (GFE) is patched with the latest updates.
• Use GFE when possible.
• Ensure your personal devices are updated with the latest operating system and security patches.
• Follow your organization’s GFE use and handling instructions.
• Report loss or theft of GFE to your IT service desk immediately.
• Close all applications you’re not actively using.
• Configure your home Wi-Fi according to best practices; change the password and enable encryption.
• Study and know how to identify and mark For Official Use Only (FOUO), controlled unclassified information (CUI) and unclassified information.
• Familiarize yourself with adversary attack methodology (e.g., Coronavirus maps, coronavirus spear phishing attacks).
• Report suspicious activity or behavior to your chain of command.
• Follow your organization’s specific cybersecurity guidance.
Don’t:
• Leave your computer unlocked when unattended.
• Use untrusted internet or Wi-Fi connections.
• Auto-forward or forward FOUO, CUI, personally identifiable information (PII), and protected health information (PHI) from official email accounts to personal email accounts.
• Open suspicious emails.
• Use personal email accounts for official business.
• Use personal cloud/file sharing accounts for official business.
• Use any non-DoD instant messaging applications to share DoD information.
• Post, store and/or transmit FOUO, CUI, PII and PHI on non-GFE.
• Send unencrypted PII or PHI.
• Work from public locations where others can “shoulder surf.”
• Click security alert/warning “pop-ups” on your GFE.
“From a cyber-security perspective, the best mindset to be in while you’re teleworking is to treat it as though you’re sitting in your office at work,” said Stewart. “While we are dealing with unprecedented changes due to the COVID-19 pandemic, we still need to protect Army data, so our organization can continue uninterrupted support to our Warfighters. Please, be smart and ensure we don’t introduce vulnerabilities to our network or expose our data to adversaries.”