SMEs at risk from casual remote working practices

Most organisations have remote workers, whether teleworkers working from a home office, or mobile workers who work from a variety of locations. However, some organisations do not know who is working remotely, how much of the time, or which tools and services they need. This creates not only business risks, but potential IT security risks, as no defined and agreed mechanism is in place for ensuring that the right people gain access to the right corporate resources securely.

Indications are that remote working was able to reduce the financial impact for those companies that have enabled it, but very few small and medium businesses have the budget or technical ability to implement and manage secure virtual private networks (VPNs) with sophisticated network access control.

Remote working - how risky is it and what can small businesses do to enable it securely?

Remote workers rely heavily on potentially non-standard service, support, backup and security systems to ensure that they maintain connectivity and have effective use of their IT environments. Small businesses in particular often fail to either provide such facilities or block the use of non-standard systems, leaving users to find and deploy consumer-grade products, the security implications of which are not monitored by the business.

From a technology perspective, user and device authentication protect both the organisation's virtual private network (VPN) and its servers, and the user. Secure-sockets-layer (SSL) VPNs, which allow users to gain access to corporate applications and data from any device at any time, have become widespread, but should make use of on-demand security systems delivered by software suppliers and service providers in the form of downloadable Java applets or ActiveX to invoke protection at sign-on.

Typical functions include:

  • network access control (NAC) health check to allow/deny network connection based on the user identity
  • browser cleanup of potentially sensitive cache data
  • mini-anti-virus for major virus signatures
  • mini-firewall facilitates dynamic and temporary changes to network port settings
  • malcode scanner performs behavioural analysis for unwanted program activity
  • virtual session simulates a simple virtual machine to isolate user activity and file systems

Converged security systems, covering core functions such as VPN, encryption, anti-virus, anti-spyware, patch management and personal firewall, offer a trade-off between cost effectiveness and best-in-class components. Users of these "complete" packages are more broadly protected than users with a more patchy set of best-in-class products.

Gartner analysts discuss the security issues around remote working at the Gartner Identity & Access Management Summit 2009 on 23-24 March in London.

Scott Morrison is a research vice-president at Gartner
