Computerworld - No matter their job title, business department, industry knowledge, computer savvy and/or exposure to security training, end users are the second-weakest spot in every organization's security fence. They are bested only by one subgroup of employees -- remote workers.
Think of the person who works in a satellite or branch office, perhaps with just one or two other employees. Think of the person who works three days a week at corporate headquarters and then travels with his laptop or telecommutes on other days. Think of the countless salespeople working from hotel rooms, airport gate areas, customer sites and Starbucks shops. These are the people who cause security managers to lose the most sleep.
Security awareness training typically occurs on an annual basis, yet remote users make hundreds of security choices every week in the course of their work, says Carol Suchit-Hudson, director of citywide security for the New York municipal government.
For example, should they pop into the corner coffee shop and hop on its wireless network to answer an urgent e-mail? Or if their flight is delayed, should they use that extra hour to work on that customer spreadsheet?
IT's response: One of the best ways to ensure that remote workers make the right decisions is to offer them more frequent training coupled with periodic security reminders that are tailored to the way they work.
"The appropriate step is to tweak your education program based on the type of user," says Suchit-Hudson. That means using real-life examples and anecdotes. "No one wants to sit through training that isn't applicable to their needs," she says.
"Mom, can I use your computer to check online for my homework?"
Answering "yes" to this question -- as many parents do -- can open the gates to security hell, experts say. "Letting kids and others download programs and data of unknown origin onto their machines is one of the biggest worries we have for telecommuters," says Matthew Kesner, chief technology officer at Fenwick & West LLP in Mountain View, Calif.
IT's response: Even the most Draconian of usage policies won't end such incidents altogether. Instead, try appealing to users' self-interest, Kesner advises. If a user has downloaded an unauthorized program or left a wireless connection open after working at home, it will really slow their computer down, he notes. "That's how we message it," he adds. One more tip: Regularly monitor users' hard drives.
BlackBerries, flash drives, mobile phones and handhelds frequently contain critical corporate data, yet most users treat these relatively low-cost devices far more casually than laptops.
IT's response: "Our rule is, if we don't own it, you don't plug it into our network," says Chris Blake, workstation administrator at The Benchmark Group, an architectural and engineering firm in Rogers, Ark.
Another option is to instead have users upload and download data from the server and to encrypt all data transmissions, he says.
Paper may seem quaint in our increasingly digital world. Yet, it's actually quite dangerous if tossed around carelessly, says Darryl Lemecha, CIO at Vertafore Inc., an insurance software and services company in Bothell, Wash. "Dumpster diving remains a common way for thieves to get information," he says. "People have become quite accustomed to shredding at work, but there are still individuals who work from home who are without a shredder."
IT's response: Shredders for all. And they should be cross-cut shredders, so thieves can't piece back together documents that have been torn in only one direction.
Next: 5 things your salespeople should know
Read more about Security in Computerworld's Security Topic Center.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
