Remote working, from home or any location away from the office, is a rapidly expanding practice. By 2005, 8.3m people in the UK will be working from home and of these, 75% will be in the private sector - mostly professionals, senior managers, or officials.
There can be significant advantages to remote working. My own organisation recently launched a 'Death of the Office' campaign, recognising that technological advances provide the opportunity for organisations to introduce more flexible working and reduce overall costs. Remote working can also enhance productivity and improve service delivery.
However, while the benefits of remote working are being recognised, the potential IT security risks are less heralded. For remote working to be effective, IT practices and systems need to change. We have developed a 3T healthcheck framework to ensure the successful delivery of home working.
The three principal considerations, or 3Ts, are:
- THREATS - Security risks associated with remote/home working must be identified and addressed.
- TECHNOLOGY - In order to establish effective practice, the appropriate technology must be selected.
- TRUST - Through consultation, training and communication, management and staff can confidently adopt new working practices.
Threatening behaviour
A business should ensure that it has assessed all possible risks before introducing remote working. The appropriate systems and procedures must be in place before people start accessing the corporate network.
For example, businesses should make sure that a person accessing the corporate network uses a company laptop. This will guarantee that the equipment is regularly checked and contains the appropriate security measures.
However, this brings the added threat of theft, and stolen laptops present a number of risks to a company. If they are not set up securely and shut down correctly after use, a thief could have a direct link into the company network. In our experience, many of the laptops tested even have the 'save password' box ticked.
Businesses also need to review the information held on a laptop. If a laptop was stolen, would it hold personal information, thereby falling foul of the Data Protection Act, or commercially sensitive or even embarrassing information? Then, if laptops are only backed up when the individual is back in the office, a theft could result in work being lost, at considerable cost in both time and money.
To ensure business continuity, companies need to introduce policies so that corporate data on the laptop is regularly backed up. Businesses must check that information is regularly uploaded onto the corporate network, or indeed never downloaded, and that someone is given the responsibility to monitor this.
Our security reviews have found entire sales databases held on a laptop, containing customer contacts, prices and new business leads, which, if released, could jeopardise an entire business. Also, a recent security review of a European football club found that the club secretary's laptop held details of players' addresses, salaries, fitness reports and information on the club's financial performance - all unencrypted. Imagine what would have happened if that laptop had been stolen and the information got into the public domain!
Technology
Businesses should consider authentication to ensure that the person accessing the network remotely is, in fact, an employee. Ideally, remote access should be protected by a two-factor token-based authentication system, and businesses should run a regular penetration test on all laptops to ensure they remain secure.
In the case of workers who are only in the office a couple of times a month, keeping laptops updated with the latest anti-virus software can also be a problem. For example, if an organisation had protected or cleared itself from a virus, an unprotected laptop plugged straight into the network could (and did, in two major corporations we are aware of) reinfect the network - causing major problems.
Another primary consideration is whether the technological support is in place to facilitate a home working plan. Enabling remote support will benefit business performance but will put additional pressure on the help desk.
Building trust
While risk assessment is key, so too is trust between the employer and employee. This not only means following the risk mitigation practices outlined but also affects the management process in terms of trusting employees to work effectively and to target without constant supervision or face-to-face support.
Home working will inevitably present challenges for supervisors in managing, motivating and communicating with remote workers, so organisations must recognise and reinforce the benefits of team working and implement initiatives that serve to counteract the lack of contact between remote working staff.
Additionally, managers may need to adapt their leadership style to a more trusting approach.
In short, businesses can only ensure secure remote working by taking a holistic and continuous approach to security. This includes having the correct security policies, systems and audits in place, as well as management protocols to allow home working to be mutually beneficial.
- John Eary is senior consultant at NCC Group, Tel: 0161 209 5200, E-mail: John.Eary@nccgroup.com