Indications are that remote working was able to reduce the financial impact for those companies that have enabled it, but very few small and medium businesses have the budget or technical ability to implement and manage secure virtual private networks (VPNs) with sophisticated network access control.
Remote working - how risky is it and what can small businesses do to enable it securely?
Remote working should be encouraged and embraced, not feared, in companies where the actual work can be done remotely.
The first "fear" that companies may have is how to "control" the work that remote employees do. My contention is that all employees, and especially knowledge workers, should be trusted and nurtured as a way to get performance out of them, for the benefit of the firm's clients and shareholders alike. Still, some security professionals may hold the view that you should "trust, but verify".
So, let's enable remote workers to work and, at the same time, check or monitor what they do.
Means of verifying work output, usually by the results generated, have existed for many decades, since before the internet age. They have been applied mainly to senior management or to travelling sales professionals. As these people mostly need to communicate to do their job, let's enable them to speak and send various documents back to base and to clients.
Means of securing voice conversations, be they digital or analog, exist, but the question is: are they worth the cost? Good security principles should be applied here, as they are in the company's offices. Perhaps conversations over Skype are good enough for certain business interactions, but for others a minimum level of protection from eavesdropping should be deployed. Solutions here include voice encryption, an insistence on the part of the company that the remote employee works from an area designated as their office in their house, the prohibition of discussing certain sensitive details while mobile, etc.
Notice that here we need a combination of technological and policy measures: use this encryption (AES should suffice) to send financial files and do not discuss pricing or contracts when in a public area, such as a restaurant, train station, etc.
The second fear that companies may have is that company information may get lost, stolen or changed without the knowledge or consent of the remote worker.
Here again, a combination of mandatory technical measures and good policy choices (which are also audited and enforced) should prevail over fear.
So, the company could pay for the employee's remote connection, for example by using a DSL connection that prevents "split tunneling". This way, a program left running by a spouse should not be able to infect data sent to the company's servers.
If the risk tolerance is lower for the company, it could mandate that remote workers use "Secure Office" solutions, in the form of tokens. Here, the worker has to authenticate first, then establish a VPN tunnel back to base, and is only allowed to read, or to read and write, data as per the company's security policy. Access to certain company applications is restricted and connections are audited online and weekly offline.
For remote and mobile connectivity, these solutions could also include 3G mobile cards that allow data to be encrypted in transit.
Examples of such implementations exist not only in the military, but also for public sector workers such as nurses, doctors and midwives, as well as for private sector employees.
In summary, remote working should be encouraged. It is not only a way to reduce pollution, congestion and the spread of infectious diseases, but also a means for companies to reduce IT costs. In a large telecoms manufacturer, more than $170m was shaved from the IT budget by employing clever and risk-appropriate remote working solutions last year.
If risks are appropriately weighed and employees are informed of their rights and responsibilities towards the company's data and other assets, why not?
Ionut Ionescu is the director of security services for EMEA for Nortel Global Services and is a member of the (ISC)2 European Advisory Board.