Telecommuters are nothing new at TriNet Group Inc., a human resources outsourcer in San Leandro, Calif. In fact, a significant part of the company’s workforce operates remotely, either out of their homes or in small satellite offices, all on laptop computers, according to Bob Dehnhardt, the company’s network and information security manager.
But over the past 18 months, Dehnhardt has grown increasingly concerned about the rising number of mobile computer security breaches in the news, most notably the theft of a laptop and external drive from a U.S. Department of Veterans Affairs employee — an incident that compromised the personal data of 26.5 million veterans and military personnel. So last year, he helped institute a series of security policies, including a requirement that all employees who work at home must sign a contract. One of the contract’s provisions states that such employees must be willing to open their homes for inspection.
“Working from home is a privilege, not a right,” Dehnhardt says. “It has numerous advantages to both the employer and the employee, but it also constitutes a very real security risk for the company. There have to be rules and policies in place to protect the employer from this risk, and both parties must agree to them.”
But TriNet is ahead of the curve in home-worker security. Despite network attacks, virus onslaughts, data loss and other hazards that remote users can introduce, many U.S. companies haven’t bothered to establish security policies for teleworkers, according to Runzheimer International Ltd., a Rochester, Wis.-based provider of employee mobility products and services. In Runzheimer’s 2006 survey of 87 organizations with mobile workers, 62% of respondents said they were concerned about the security of company assets located off-premises, but only 46% reported that they have a virtual office policy.
“A lot of companies are just hoping that nothing will happen,” says Jack Gold, a mobile technology consultant at Runzheimer. “And yet for a reasonable amount of effort, they could eliminate 90% of the potential problems.”
For starters, telecommuters should use only company-owned equipment for their work, not their own home computers, Gold says. That way, IT can ensure that the equipment is loaded with virus protection software and other control devices. By keeping operating systems and application versions standardized, IT can also centrally manage virus updates. “If you rely on the end-user community to take care of their own systems, you’re in trouble,” Gold says.
At TriNet, telecommuters use centrally managed laptops. “This gives us a means of enforcing policy, since we own the equipment, and it also reduces the workload on our support people, since they don’t have to troubleshoot why Billy’s World of Warcraft installation broke our critical internally developed application,” Dehnhardt says.
Another Method
The American Academy of Ophthalmology takes a different approach to managing security on home workers’ computers. Until recently, the organization used only the security available in Microsoft Windows Active Directory and its virtual private network (VPN) software.
Credit: Luba LukovaAs viruses began disrupting bandwidth on the corporate network, however, Vice President of IT Joe Carr decided to take further measures. He installed Safe Access, an appliance from Superior, Colo.-based StillSecure that ensures that user devices have updated virus-protection software and appropriate firewall status before allowing them on the VPN. “We’ve had productivity in the office interrupted due to viruses, so we needed to make a change in the way people managed their equipment outside the office,” Carr says.
Carr is also testing a policy in which Safe Access will check on the last time home workers performed virus scans on their machines. If more than a certain amount of time has passed, it will require a scan before allowing the device onto the VPN. “We test new policies with users to make sure the action is working before ratcheting it up academywide,” he says.
Another TriNet policy forbids home workers from storing corporate data long term on their laptops, Dehnhardt says, although he doesn’t know of any technology to help him enforce that. Instead, telecommuters are expected to access data through the company’s VPN and store data on network home folders, which are backed up nightly. They’re also discouraged from using USB or thumb drives because they can easily be lost or stolen.