Big freeze home workers highlight security failings

UK businesses have coped well in keeping productivity up through the big freeze, but many may be putting themselves at risk by allowing staff to work from home without proper IT security.

UK businesses have coped well in keeping productivity up through the big freeze, but many may be putting themselves at risk by allowing staff to work from home without proper IT security.

Only one in 10 people were able to get into work at the height of the snow travel chaos, according to estimates by the Federation of Small Businesses (FSB).

But most medium and large businesses were better prepared than they have been in the past. Service-based companies such as British Gas have switched to automated web-based systems for dealing with customer queries.

Smaller businesses have learned from the floods in 2007 that were followed by heavy snow in February 2009 and the swine flu outbreak last summer and autumn. Many have flexible work policies in place to allow staff to work from home.

The problem is that most businesses have neglected security in pursuit of better business continuity and allowing staff to work from home, says William Beer, information security director at PricewaterhouseCoopers (PwC).

Organisations typically think very carefully about how to make corporate information available to staff when they work from home. But they do not necessarily think through the security implications of having data stored in more locations than ever before, says Mark Carter, partner in enterprise risk services at Deloitte.

"Remote working often clears the way for employees to save corporate e-mail attachments on their home computers, but few organisations make it clear that doing so is inappropriate from a security point of view," he says.

Organisations need to be more responsible about classifying all corporate data and educating employees on how each category of data should be handled, particularly when working from home, says Carter.

Any organisation using business continuity tools needs to ensure systems are password protected, passwords are changed regularly, and that employees are aware of the importance in protecting access to these systems, says Beer.

"We are seeing an increased concern about electronic espionage and businesses need to understand that remote working and conferencing systems can be weak links in their overall IT security," he says.

Employees that use portable storage devices such as USB memory sticks to transfer documents and data between work and home computers also present a security risk, says Greg Day, analyst at security firm McAfee.

"This practice brings with it risks of importing viruses and Trojans as well as exporting sensitive business documents that could easily fall into the wrong hands," he says.

Leaving the office often means leaving behind any network security measures that are in place, says Day.

"It is crucial that up-to-date security and encryption software is installed on any computer or portable device that is connected to a corporate network, including personal computers used by employees forced to work remotely," he says.

Businesses need to keep IT policies up-to-date to ensure employees know what is expected of them when they are working from home and how their actions can impact their organisations.

Although the business case for remote working is strong, many companies find considerable resistance to using new technologies says Roger Rawlinson, managing director of the assurance division at IT consultancy NCC Group.

Remote working often requires a dramatic shift in business culture and working practices, including security policies, he says.

"Training is essential to ensure employees at all levels can use the technology and that they are aware of their responsibilities when working remotely," says Rawlinson.

Although remote working is now a reality for most UK businesses to cushion the blow of lost productivity, industry consultants are warning that continuity without security may be costlier in the long run.

Read more on IT risk management