Security and Telecommuting

One question that is often asked of us is what can we, as an organization, do to allow our employees to work from home, but at the same time ensure that the security and integrity of our network is maintained.

This subject is a very valid one, and one not to be taken lightly. Below are general guidelines to help ensure that your workers are productive while working form home, and more importantly, your network is secure. This is not an end-all be-all document. It’s merely some important steps that can be taken to ensure that your organizations data is secure and that your telecommuting workers are productive.

The first step is the physical security of portable computers. Will the company provide computers to their employees, or will employees work with their own personal computers? If the company provides the computers, it’s a lot easier to maintain control over security.

Physical security of a computer is important. Laptops are easy to steal, whether at the employees home or at the office. Measures should be taken to ensure that this couldn’t happen. These are some things that can be done to prevent this:

• Security cables – These are attached to the computer (laptop or desktop) and to the desk, and are locked.
• Software solutions that cause the stolen computer to “call home”, similar to Find my iPhone, iPad or Mac. This has a GPS type capability that can show exactly where the devise is. In addition to this, software technology that allows the stolen computer to be remotely wiped clean
• Start-up security, such as having to enter a passphrase before the computer boots up.

In addition to these measures, ensuring that employees do not leave their computer unattended while logged in is important. When employees are traveling, make sure that they know never to leave the computer unattended in a hotel room, and carry it in a case that does not make it obvious that there is a computer inside. When employees are traveling, make sure that if they have to work from a hotel, that they do so for only as long as necessary, and by all means, shut the computer off when they are done. Many computers have been compromised when left on and logged into the hotel network.

Another vulnerability is the use of wireless technology. It’s tempting for an employee who is telecommuting to go to the nearest coffee shop or fast food restaurant and work from there, using their unsecure wireless network. Encourage your employees not to do this. It’s not difficult for a hacker to sit inside that same business, and snoop around looking at what devices are logged onto the network, gain access to that device, and proceed to steal data – potentially sensitive corporate data. If the employee has a wireless network installed in their home (as the majority of households have), ensure that they are using the latest encryption technology:

• 11ac (Click here for specifications) wireless router
• WPA2 Encryption (WPA is acceptable, but WEP is not)
• Don’t broadcast the SSID
• Create a hard to crack password (Example here)
• Create a guest account for friends and visiting family

Ensure that anti-virus and anti-malware software is installed, and that automatic updates are enabled. Also, set up a policy where computers are automatically scanned at a specific time each day or week, preferably during off-work hours so as not to impact your workers productivity. Ensure that a firewall is also used, and that unnecessary ports are not left open.

Email is one of the most vulnerable pieces of technology an organization has. Countless viruses have been passed around via email attachments that employees open inside the network. Adopt a policy that only specific email clients are to be used, and educate employees on the hazards of opening attachments from people that they do not know, or that seems suspicious in any way. In other words, trust, but verify.

Knowing who to report suspicious security issues to is important as well. Ensure that each employee has the phone number of the IT security department so that they can alert them of anything they feel is suspicious. An ounce of prevention is worth a pound of cure.

Make sure that your policy states specifically what employees can and can’t do with company equipment when they are working off-site. There are many questionable website on the Internet, including freeware or share-ware sites, pornography sites, etc.… If the computer is a company computer, installing website filtering software will go a long way to preventing malicious software to be downloaded and installed on a computer. If employees are using personal computers, ensure that they understand the potential risks of visiting these same sites with their own computers.

One way to ensure that employees are doing the right thing is to have them access the company network with tunneling software. This allows the worker to access the network via software such as Microsoft Terminal Services. In this way, the worker is accessing the server or a local computer located inside the network, and the company has complete control over the users profile and session. If your company has a VPN (Virtual Private Network), make sure you have policy in place outlining what can and can’t be done when logged in. Also, ensure that your policy outlines what protocol to use (L2TP instead of PPTP).

Password policies are another important topic. There is software available that can automate the creating of strong passwords. Make sure that employees are not writing their passwords down and keeping them at their workstation. This happens more often that you would believe.