By Gene Richardson
If you hate bringing your work home with you, spare a thought for the 3.7 million Americans for whom home is the workplace.
The telecommuter population is growing faster than the overall employee base, according to Global Workplace Analytics, and with half of all jobs deemed suitable for performing from home, it is a trend that is set to go on growing. Already, around a dozen of our 50 employees at Experts Exchange are home-based.
But, while remote working can bring lifestyle benefits for employees and overhead benefits to their employers, there is a problem that is also rearing its head. For security-conscious employers, who may have spent years getting their bring-your-own-device (BYOD) policy in place, the challenge of remote working is like Groundhog Day multiplied.
When your workers are connecting to your systems from home, likely with their own hardware and software, you can’t see, know or control the means by which they come through the door. Remote workers may be using out-of-date tools and systems, laden with unpatched vulnerabilities. They may be storing their work access passwords in cookie or browser caches. What if their laptop is stolen from home or left unattended at a cafe?
I believe employees connecting from a remote location are the next big security disaster waiting to happen. That is why businesses, which should absolutely consider home working for employees, should also take appropriate measures to ensure systems integrity.
There are two categories of connection that businesses need to worry about. First is staff who connect via employer-issued devices – which, by the way, is certainly your preferred option.
The optimum implementation is to issue as close to the exact same setup as staff would expect if they were office-based – the same hardware, the same network configuration – but there are additional steps you should take.
At the very least, you should consider that people other than your staff member may access that device. Issue a tight mandatory screen lock time-out before a password is required, and ensure your employee cannot change that setting, nor can they add new users – no spouse, no kids, no one but your worker.
Next up, you need to protect the pathway to your door. You don’t know where your staffers will take their devices – a hotel, a Starbucks, the gym – nor how secure those networks are. Set up a secure virtual private network (VPN) on their machine, so that their traffic enters through your own network and snoopers on the local network can’t get past the security you have already deployed.
A growing number of companies, especially the thriving micro-business sector, welcome workers using their own computers and phones to connect to the office. This can certainly help keep down expenditure. But the security concerns surrounding this practice are orders of magnitude greater. Suddenly, you have even less control over the means of connection.
Your primary focus should be to require that the accounts with which staff connect to your systems, servers or hosted apps are protected using two-factor authentication. This extra layer of security, which requires a second, one-time code from the staffer’s smartphone, provides an additional barrier against unauthorized use, and is now easy to set up through apps like Google Authenticator.
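The codes such apps produce follow the TOTP standard (RFC 6238). The following is an added example, not code from this article or from Experts Exchange, of generating those codes and checking them on the server side in a way that tolerates a little phone clock drift and refuses a replayed code; the secret is the RFC test key, a constructed value rather than a real enrolment secret.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret (the RFC 4226/6238 test key); real secrets are random bytes.
DEMO_SECRET = b"12345678901234567890"

def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the shared secret, which is what authenticator apps enrol with."""
    return base64.b32encode(secret).decode("ascii")

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for a single counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                  # dynamic truncation
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """The code the phone shows at Unix time `now`: HOTP over the 30-second window index."""
    return hotp(secret, now // step, digits)

def verify_totp(secret: bytes, code: str, now: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check: accept the current window or `window` steps either side
    (phone clocks drift), but never a window at or before `last_counter`, so a captured
    code cannot be replayed. Returns the matched counter (store it as the new
    `last_counter`) or None."""
    current = now // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter <= last_counter:
            continue                        # already used (or older): reject replays
        # constant-time comparison so a wrong guess does not leak by timing
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None

if __name__ == "__main__":
    code = totp(DEMO_SECRET, 59)            # RFC 6238 test instant, expect 287082
    print("enrol with:", provisioning_secret(DEMO_SECRET), "code:", code)
    first = verify_totp(DEMO_SECRET, code, 59)
    print("accepted counter:", first, "replay:", verify_totp(DEMO_SECRET, code, 59, first))
```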
No matter what the device, the risk that your company’s credentials will fall into unsavory hands is great when you consider that a third of office workers admit to having lost unsecured and unencrypted mobile devices in a public place, according to an Imation study. The takeaway is clear – implement a device-encryption solution from reputable companies like McAfee or Symantec to maximize your protection.
Best practice is to group your users by role, identifying what access privileges they really need based on their job, and limit their access to that alone, or make tough security calls based on the sensitivity of the data inside. Does one worker only need to connect to your web-based time-tracking log? Come on in. Does another need access to your database administration? Think hard about that.
Be aware, however, that implementing some of these policies could lead to employees finding canny, and unsafe, workarounds. Many who are barred from accessing file stores may resort to sending files around by email – a weaker point, from which sensitive information could leak out. So ensure your company-wide regulations prohibit the kinds of activities you want to discourage.
At Experts Exchange, we follow many of the above pieces of advice, implementing role-based access and requiring that our remote staff connect in only via a work-issued laptop.
Small businesses, in particular, which are unlikely to hire a big IT or security staff, risk remaining vulnerable if they do not follow measures of their own – so act today.
Gene Richardson is the COO of Experts Exchange.