Indications are that remote working was able to reduce
the financial impact for those companies that have enabled it, but
very few small and medium businesses have the budget or technical
ability to implement and manage secure virtual private networks
(VPNs) with sophisticated network access control.
Remote working - how risky is it and what can small
businesses do to enable it securely?
Remote working should be encouraged and embraced, not feared,
in companies where the actual work can be done remotely.
The first "fear" that companies may have is how to "control" the
work that remote employees do. My contention is that all employees
and, especially, knowledge workers, should be trusted and nurtured,
as a way to get the best performance out of them, for the benefit of
the firm's clients and shareholders alike. But, still, some
security professionals may hold the view that you should "trust,
but verify".
So, let's enable remote workers to work and, at the same time,
check or monitor what they do.
Means of verifying work output, usually by the results
generated, have existed for many decades and before the internet
age. They have been applied mainly to senior management or to
travelling sales professionals. As these people mostly need to
communicate to do their job, let's enable them to speak and send
various documents back to base and to clients.
Means of securing voice conversations, be it digital or analog,
exist, but the question is: are they worth the cost? Good security
principles should be applied here, as they are in the company's
offices. Perhaps conversations over Skype are good enough for
certain business interactions, but for some others, a minimum level
of protection from eavesdropping should be deployed. Solutions here
include: voice encryption, an insistence on the part of the company
that the remote employee works from an area designated as their
office in their house, the prohibition of discussing certain
sensitive details while mobile, etc.
Notice that here we need a combination of technological and
policy measures: use this encryption (AES should suffice) to send
financial files and do not discuss pricing or contracts when in a
public area, such as a restaurant, train station, etc.
The second fear that companies may have is that company
information may get lost/stolen/changed without the knowledge or
consent of the remote worker.
Here again, a combination of mandatory technical measures and
good policy choices (which are also audited and enforced) should
prevail over fear.
So, the company could pay for the employee's remote connection,
for example by using a DSL connection that prevents "split
tunneling". That way, a program left running by a spouse should
not be able to infect data sent to the company's servers.
If the company's risk tolerance is lower, it could
mandate that remote workers use "Secure Office" solutions, in
the form of tokens. Here, the worker has to authenticate first,
then establish a VPN tunnel back to base, and is only allowed to
read, or to read and write, data as per the company's security
policy. Access to certain company applications is restricted and
connections are audited online and weekly offline.
For remote and mobile connectivity, these solutions could also
include 3G mobile cards that allow data to be encrypted in
transit.
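The "authenticate first, then tunnel, then read or read-and-write as per policy, with every connection audited" flow described above can be modelled as a small deny-by-default authorization check. The following is an added example written for this page, not code from the author or from any "Secure Office" product; the policy table, roles, application names and session fields are constructed assumptions, and the split-tunnel flag stands in for whatever the real VPN client reports.

```python
"""Model of the article's remote-access flow: token authentication,
then a VPN tunnel back to base, then per-application read/read-write
policy, with an audit trail for online and weekly offline review.
Added example; all policy and session data below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed policy table: application -> {role: highest permitted access}.
# Anything not listed is denied (deny by default).
POLICY: Dict[str, Dict[str, str]] = {
    "finance-share": {"accountant": "read-write", "sales": "read"},
    "crm": {"sales": "read-write", "accountant": "read"},
}

# Access levels ordered so that a higher level includes the lower ones.
LEVELS = {"none": 0, "read": 1, "read-write": 2}
# Which access level an action requires.
REQUIRED = {"read": "read", "write": "read-write"}


@dataclass
class RemoteSession:
    user: str
    role: str
    token_verified: bool        # the user's token authentication succeeded
    tunnel_established: bool    # a VPN tunnel back to base is up
    split_tunnel: bool          # client also routes traffic outside the tunnel
    audit_log: List[str] = field(default_factory=list)


def authorize(session: RemoteSession, app: str, action: str) -> Tuple[bool, str]:
    """Decide whether `action` ("read" or "write") on `app` is permitted.

    Checks run in the order the article describes: authenticate first,
    then require the tunnel (and no split tunneling), then apply the
    per-application policy. Every decision is appended to the audit log.
    """
    if action not in REQUIRED:
        decision, reason = False, f"unknown action {action!r}"
    elif not session.token_verified:
        decision, reason = False, "token authentication not completed"
    elif not session.tunnel_established:
        decision, reason = False, "no VPN tunnel to base"
    elif session.split_tunnel:
        decision, reason = False, "split tunneling detected"
    else:
        granted = POLICY.get(app, {}).get(session.role, "none")
        needed = REQUIRED[action]
        if LEVELS[granted] >= LEVELS[needed]:
            decision, reason = True, f"{granted} on {app} permits {action}"
        else:
            decision, reason = False, f"policy grants {granted} on {app}, {action} needs {needed}"
    session.audit_log.append(
        f"user={session.user} role={session.role} app={app} action={action} "
        f"result={'ALLOW' if decision else 'DENY'} reason={reason}"
    )
    return decision, reason


def denials_per_user(audit_lines: List[str]) -> Dict[str, int]:
    """Weekly offline review helper: count DENY entries per user.

    The first five space-separated fields are key=value pairs; the free-text
    reason comes last and may contain spaces, so it is left unsplit.
    """
    counts: Dict[str, int] = {}
    for line in audit_lines:
        fields = dict(f.split("=", 1) for f in line.split(" ", 5)[:5])
        if fields.get("result") == "DENY":
            counts[fields["user"]] = counts.get(fields["user"], 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sessions: one fully compliant, one with split tunneling.
    alice = RemoteSession("alice", "accountant", True, True, False)
    dave = RemoteSession("dave", "sales", True, True, True)
    for sess, app, action in [(alice, "finance-share", "write"),
                              (alice, "crm", "write"),
                              (dave, "crm", "read")]:
        print(authorize(sess, app, action))
    print(denials_per_user(alice.audit_log + dave.audit_log))
```

The ordering matters: a policy lookup is never reached for a session that has not authenticated or whose traffic could leave the tunnel, so the audit log records the first failing control rather than a misleading "policy denied" entry.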
Examples of such implementations exist not only in the military,
but also for public sector workers such as nurses, doctors and
midwives, as well as for private sector employees.
In summary, remote working should be encouraged. It is not only
a way to reduce pollution, congestion and the spread of infectious
diseases, but also a means for companies to reduce IT costs. In a
large telecoms manufacturer, more than $170m were shaved from the
IT budget by employing clever and risk-appropriate remote working
solutions last year.
If risks are appropriately weighed and employees are informed of
their rights and responsibilities towards the company's data and other
assets, why not?
Ionut Ionescu is the director of security services for EMEA for Nortel
Global Services and is a member of the (ISC)2 European Advisory
Board.
Read more advice from the Computer Weekly Security Think Tank.