Want to cut the security risks from home offices? Here's how

Most companies still lack policies for virtual offices. Here are some ways to allay the huge data risks they pose.

Page 2 of 2

Of course, some data must reside on the laptop for times when the employee has no network access, like during customer visits. In such cases, remote workers are instructed to take only the data they need for that visit and delete it from the laptop immediately afterward, after saving any changes to the network drive, Dehnhardt says. “It’s a fine line to walk,” he acknowledges.

Mark Rhodes-Ousley, an information security architect and co-author of Network Security: The Complete Reference (McGraw Hill Osborne Media, 2003), agrees that data should mainly reside in centralized corporate repositories.

Training for Virtual Office Employees

Percentage of organizations that offer their teleworkers the following types of training:
PC/network connectivity: 72%
E-mail usage: 67%
Business applications usage: 67%
Safety and security of virtual office: 39%

Base: 87 organizations; multiple responses allowed

Source: Runzheimer International's Total Employee Mobility Benchmarking Report, October 2006

“Home workers should be granted access to view and change data only from a distance,” he says. That can be facilitated with systems that provide front-end access, such as Secure Sockets Layer VPNs.

Remote access makes the home computer a part of the company network, Rhodes-Ousley explains, whereas front-end access makes only the user interface accessible, separating users and their computing environments from the actual servers that manage the data. This technique presumes that users have a good broadband connection, Gold says, because dial-up could never handle the traffic load.

Everyone agrees that home workers should keep data encrypted, but relying on end users to do that is risky, says John Girard, an analyst at Gartner Inc. “Typical office applications have the ability to encrypt,” he says, “but the choice is often voluntary, and the user can usually choose a simple, weak password and encryption algorithm.”

That’s why it’s best to run the home PC as a virtual machine that’s encrypted, where the user logs on to bring up an image of a company workstation, he says. Or home users could run an on-demand virtual session that encrypts saved data even if the workstation is otherwise not managed by the company, Girard says. This is possible with software such as Cisco Systems Inc.’s Secure Desktop, Symantec Corp.’s On-Demand Agent and Check Point Software Technologies Ltd.’s Integrity Clientless Security Secure Workspace.

At TriNet, all home laptops are encrypted using software from Beachhead Solutions Inc. in Santa Clara, Calif. The software provides centralized encryption management and remote data destruction if the laptop is lost or stolen.

Dehnhardt uses IPsec for encryption on TriNet’s VPN, and he requires home wireless networks to be encrypted using Wi-Fi Protected Access when accessing the VPN. The only way to enforce this now, however, is through a signed statement and employee training, he says. “We don’t have the [resources] to support home wireless equipment,” he says. “It’s better to educate the users to protect their home environment than to do it for them.”

Dehnhardt also advises home workers to change their default service set identifier and administrator passwords on their wireless access points.

This year, TriNet managers will also periodically visit the homes of remote workers, in accordance with the company’s policy for inspections of home offices for ergonomic, safety and security reasons. “If employees do not agree to this, their VPN access and laptops will be pulled, and they will not be allowed to work from home,” Dehnhardt says.

This is an unusual policy among U.S. companies, according to the Runzheimer study. Only 13% of respondents said they conducted irregular or initial inspections as part of their virtual office policy. “There are some privacy concerns as to how frequently these inspections should take place and what advance notice is required,” says Heidi Skatrud, a vice president at Runzheimer. “But companies absolutely have the authority to enforce security policy in people’s homes.”

For six tips from Gartner on ensuring that home workers' wireless networks don't harm corporate security, see On Guard.

Brandel is a Computerworld contributing writer in Newton, Mass. Contact her at marybrandel@verizon.net.

Copyright © 2007 IDG Communications, Inc.
