As increasing numbers of employees work from home, organizations often overlook the security needs of remote workers.
Telework predates the BYOD phenomenon by decades. Despite Yahoo!’s move to the contrary, many organizations are shrinking their office spaces and expanding their employees’ ability to work from home. Employees value the flexibility and the lack of a commute, while employers value lower operating costs and workers who happily blur the line between home and professional life, working extended hours long after they might have left the cubicle for the night. Even companies that don’t encourage telework specifically frequently have employees working remotely, whether for travel, to accommodate a sick child, or simply to eke out some extra hours of productivity.
Market research firm Gartner even confirmed in a June 2014 study that the desktop computer is, in fact, not dead. Of the 40% of respondents who reported using personal devices for work, the most common device was a desktop PC, presumably in a home office since they don’t tend to fit very well in a messenger bag. The bottom line for all of this, though, is that organizations need to take the security of their employees’ home offices seriously.
Let’s take a step back and think about what actually constitutes a modern home office. For some, it’s clearly a space in the home, quite possibly occupied by a desktop computer discarded by the kids in favor of a shiny new i-Device. For others, it might be a desk in the local library or a comfy wing chair at their local coffee house. I’m partial to the passenger seat of my car (the steering wheel isn’t in the way) while I wait for my kids to wrap up after-school activities. In our exceptionally mobile world, our “home offices” can literally be anywhere that isn’t company property.
What this means is that “securing the home office” is really about taking a holistic approach to endpoint security and remote access rather than making sure that employees have something more than WEP securing their wireless routers at home. Here are some critical best practices for creating secure remote work environments, wherever they might be:
This is a big one. No matter how an employee accesses corporate resources, if done with a correctly implemented VPN tunnel, content moving to and from employee resources is secure. There are even VPNs offered as a service to secure mobile sessions over public WiFi, but building VPNs under corporate control is easy, cost-effective, and ultimately safer than relying on VPNs in the public cloud.
Multi-layered approaches are critical to effective security, both within corporate networks and outside of them. At the same time, it can be difficult to ask users to protect themselves or their employers’ networks. Running antivirus updates and OS patches tends to fall fairly low on their list of priorities, so implementing services that enforce automatic updates on clients outside of corporate networks is a must for remote workers.
As consumer cloud storage products like Dropbox and Google Drive have become more full-featured and easy to use, it has become very tempting for users to simply upload work files to the cloud, alongside Grandma’s pumpkin pie recipe and pictures from last summer’s vacation. Unfortunately, when employees leave a company, there is no way for employers to ensure that corporate assets don’t stay on that desktop computer in the ex-employee’s home office. Preventing access to these services while employees are on the network provides a layer of protection and control, not to mention regulatory compliance for many industries.
Of course, if users can’t upload their files to their personal cloud-based storage account, they’ll be tempted to load them onto flash drives or other removable media to access them at home. Well-publicized vulnerabilities on these types of media, though, make this a dangerous prospect. The solution? Provide business-grade tools for secure file sync and share and enterprise collaboration so the temptation of thumb drives and cloud storage is easy to resist.
While it isn’t possible to go to every user’s home to deploy a FortiWiFi unit and centrally manage it with optimized security settings, as one can do in a corporate network, it is possible to require home office users to implement strong encryption on their home routers. Even if that means stepping a user through the setup or offering employees discounted 4G hotspots (which use encryption by default), it makes sense to take steps to ensure a relative degree of security on home networks.
This is the “½ a consideration” because it seems as if it should go without saying. But recent research suggests that a lot of organizations have no written policy on personal devices, home offices, or remote access to company networks and assets. Perhaps this should have been #1: good, well-thought-out policies that both IT and employees can live with are a cornerstone of good security. To implement policy with technology, companies need the underlying policy. Without it, we all too often end up with the us-against-them mentality that gets in the way of both effective security and high employee productivity.