Security Risks of Telecommuting
In today’s work environment, costs are skyrocketing, but one way to reduce costs is to offer a telecommuting option for employees. While it may be easier for telecommuting employees to perform their work at home or in the field, the process doesn’t happen without posing serious security risks.
The number one issue is connecting from the home environment or the field environment to the office, but secure communications are often overlooked due to costs and complexity. Using a virtual private network (VPN) is the safest way to protect important data that transmits in both directions. There are inexpensive VPN’s that can either be purchased by the telecommuter and/or the company at a reasonable price. The reason for the use of VPN’s is that a lot of telecommuters tend to use free Wi-Fi in coffee shops, airports, and other places that puts data at risk from the device to the wireless access point.
A VPN protects the data by scrambling it so that it is protected in transit in both directions. That also includes using smartphones and using wireless environments. Prices range from a couple of dollars to approximately $30 per month or more, or daily access can be purchased from VPN providers. Purchasing VPN time is much less expensive than going to a complex system, such as, Kerberos or TACACS, which require complex servers. If at home, use the best wireless security, WPA2-PSK personal, and change default passwords on the router. Of course, the best way to avoid these problems is to create a policy that prohibits the use of free Wi-Fi in places that may be convenient for the employee but risky for a company’s data.
Consider the BYOD (Bring Your Own Device) to the office phenomenon. While in the short term, it will save companies money since they don’t have to purchase or support devices for personnel, they are opening up a whole new attack vector (how malware gets into networks). This problem occurs when an employee’s device is not properly protected with a good anti-virus program. The possibility of an infected email launching itself onto a corporate network is high. Use a DMZ approach to protect external employee email so that any malware can hopefully be killed before they do any damage. With the advent of viruses now hitting Android as well as iOS products, the risk increases everyday. The way around this scenario is to sandbox browsers and use only webmail to retrieve and send email within the corporate environment from outward-facing clients. A good program is Sandboxie.
A relatively new way that employers are handling the sticky issue of BYOD and home systems is to create virtual machines on the server side so that an employee only has direct access to his or her “traditional desktop” from the virtual machine. This way, if malware is detected, the virtual machine can be destroyed, and an exact replica can be put back into service with little or no delay to the end user. Above all, the integrity of the server and network will not be affected.
If your employees are using work-supplied devices, it’s best to make sure that their global positioning system (GPS) has been activated. Keep a log of the serial numbers and phone numbers for all devices. Install location apps on the devices, such as, LoJack, Prey, or Lookout, so that if a device is lost or stolen, you can activate the program to locate the device. Once the device is located, you can either inform the police or if installed, you can activate the remote wipe feature. To avoid any Fifth Amendment privacy issues, have the employee sign a contract stating that the device belongs to the company so that the company has a legal right to track a device if lost or stolen – and that the employee won’t be tracked for any other reason.
Remote wipe is the capability to delete information off a device completely so that no trace of company data remains. Unfortunately, you risk deleting all of the employee’s data from the device as well, which is why encryption is a better option.
Nowadays, devices are equipped with the ability to have all of their chips encrypted. They use 128-AES encryption, which is a Government and industry standard. Once encrypted, the device is useless for anyone who doesn’t know the password to unlock the encrypted data. Use at least 10-character passwords that are easy for the employee to remember, and make sure that you implement a policy that the IT Department has a copy of those passwords – or the IT Department should set up the passwords with the employees. Then password-protect the device settings so that an employee cannot change device passwords. While all of these practices may seem to be a lot of work, in the long run, it will help to protect a company’s data.
Unless an employee is using a multi-use combination online file-sharing program, such as SharePoint, that is controlled by your company, file-sharing services (such as, Dropbox) should be banned. Dropbox should be avoided because the site keeps copies of all documents including deleted documents that don’t use industry-approved security protocols.
Every company should have an “acceptable use policy” for work-supplied devices, including downloads of personal data including apps, photos, music, etc. The problem with these types of files is that they can take up large amounts of space that is designated for work product and company files. Personal files may create attack vectors (how malware gets into networks). But, in order to avoid problems, this acceptable use policy must be clear from day one when the device is provided to the employee. A document describing your company policy should be signed by all employees indicating that they are aware of and will adhere to the usage specifics.
Remember, employee personal files that have been added to work-supplied devices could wind up as part of E-Discovery for lawsuits, or on the Internet. Who can forget WikiLeaks? And you never know if an employee’s personal images might pose a problem as well as legal liability for a company.
You should ALWAYS go on the assumption that it’s not if you will lose your data, but when. You may not be able to save everything, but you will be able to mitigate the damage. If you use the tips detailed above and update your virus protection enterprise-wide as recommended, you will have less possibility of encountering security risks from telecommuters.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.