Protecting telecommuters from hack attacks

13 December 2000 02:28 PM
Tags: hacking, mobile, security, attacks, telecommuting, telecommuter, lexis, laptop
Hackers beware! If you think the telecommuters at Lexis-Nexis are easy targets, you'd better think again.

These telecommuters are not the kind who disable anti-virus software to download the latest version of Napster, thereby creating holes that hackers can use to access their company's network. Armed with strict security policies, firewalls on laptops, virus-scanning software and secure dial-up accounts, all Lexis-Nexis employees, from assistants to the CEO, are so tough about security that they're more likely to wear combat boots than bunny slippers when working from home.

"We're well aware of the exposure telecommuting brings," said Leo Cronin, director of information security at Lexis-Nexis, an information services division of Reed Elsevier. "That is why we have several policies in place that give us control over their environment. The majority of our employees are well aware of the risks [to the company] if they break the policies."

Sound paranoid? Cronin doesn't think so. The recent, high-profile attack on Microsoft via a pilfered telecommuter ID in October was a wake-up call for Cronin and a growing number of corporate security managers like him. The message: At a time when employees are just as likely to log in from home or the road as from a cubicle at company headquarters, securing employees' laptops and other mobile devices, and protecting corporate servers and networks from telecommuter-enabled breaches, is more critical than ever.

So, savvy organisations such as Lexis-Nexis, the state of Arizona and Conqwest are taking action by implementing a combination of strategies to limit their exposure. Those strategies include developing and enforcing strict policies that tell telecommuters what they can and cannot do on their machines and how to physically protect them. They also involve taking advantage of security technologies such as VPNs (virtual private networks), firewalls, anti-virus scanning and call-back software that can be used to locate stolen laptops. And, perhaps most important, they're enforcing selection processes, backed up with training, that ensure only those capable of following the rules are allowed to telecommute.

"Telework is a privilege, and our end users understand that they need to constantly prove to us that they are capable of working remotely," said Lee Lane, statewide security manager for the state of Arizona; like Lexis-Nexis, the state has begun enforcing strict telecommuter security controls. "If we can't ensure the security of their connection or their willingness to follow our policies, then they can't telecommute."

Caught napping
Unfortunately, security experts say, not enough IT managers have heard the same wake-up call Cronin and Lane have. While companies have finally begun to busy themselves instituting security measures to block external threats to their Web sites, mobile systems that access corporate systems are still largely unprotected at most companies, experts say. As more professionals, managers and executives have taken their PCs and other mobile devices on the road to keep up with competitive e-business pressures and as telecommuters working from home have proliferated, security breaches traceable to mobile workers have begun to cost enterprises real money. In fact, security problems related to telecommuting contributed to the US$66.7 million in losses due to theft of proprietary information identified in a 1999 survey of 273 companies conducted by the Computer Security Institute and the FBI.

Despite the potential security risks, the tide toward telecommuting is not likely to ebb any time soon. In fact, experts say, it's only going to grow. According to the International Telework Association and Council, in Washington, about 16.5 million Americans telecommute at least once a month. That figure is growing by about 20 percent annually. The association estimates that there may be as many as 30 million regular telecommuters by the end of 2004.

Selecting the right people
In the last six years, the state of Arizona has seen the number of employees who telecommute at least once a week grow to about 3,000 from 71 state agencies. To protect security, the state insists, first, on standard security software for all PCs, whether they're in the office or remote. All employees must sign an agreement that they will install the latest version of McAfee anti-virus scanning software from Network Associates and use the state network for business-related purposes only.

Second, the state doesn't let just anybody telecommute. Arizona officials joke that the telecommuting selection process is even more competitive than the procedure for getting hired as a state employee. Those who wish to work from home must first get approval from managers and a recommendation letter reviewed by John Corbett, the state's telework programs administrator. Once accepted into the telework program, the employee must meet with his or her manager for training. Employees must read a workbook containing the state's policies and security requirements and sign an agreement stating that they understand all the state's policies before they are allowed to telecommute. The 3-hour process also includes watching a video detailing security and other telecommuting measures. Anyone who breaks those rules has his or her telecommuting rights taken away.

Analysts say putting potential telecommuters through a selection process is important because once an employee goes home, IT loses control. "Many organisations focus on securing the devices, not the employees," said Jeff Johnson, an analyst with Meta Secur e-Com Solutions. "By carefully choosing whom you will allow to telecommute, you are limiting your risks."

Watching telecommuters
Just as important as choosing the right employees is implementing the right security policies. At Lexis-Nexis, Cronin and John Davalos, director of infrastructure systems support, regularly review policies in place for the company's 5-year-old telecommuting program. Those policies include asking the company's 2,200 telecommuters to physically protect devices, advising the use of power-on passwords and the installation of personal firewalls.

Lexis-Nexis policies also dictate how users handle sensitive files and documents. Telecommuters are required to store confidential files on servers, not on desktops. If a sensitive document must leave the office, it must be encrypted, the policy says.

Cronin and Davalos have also established guidelines and implemented software, which they declined to identify, that control access between authorised users and the corporate network.

"We cannot be there to watch over all of our telecommuters," Cronin said. "But we have taken steps to implement policies and controls that will provide a barrier between a cracker and confidential data."

While IT managers can't control everything telecommuters do, some companies are using technology to remind remote workers of the need for security. At Conqwest, CEO Michelle Drolet said that even though she's unable to watch over her employees' shoulders to make sure they're following company policy, she's come up with a "Big Brother" way to constantly remind them of her presence. Conqwest, a software VAR, developed a proprietary security policy program called e-Minder, which forces remote users to keep thinking about security. Every time a mobile worker logs on to the corporate network via the company's VPN, e-Minder automatically launches a screen reminding users to change their passwords or update their anti-virus scanning software.

The software can be updated and uploaded every time a user logs on to the corporate network, so that it can be changed whenever a new security threat crops up. To connect to the corporate network, users must read the policies and click on an "I Accept" button before they are allowed to continue. These policies include installing Network Ice's BlackIce personal firewall product and saving only nonsensitive files such as e-mail on mobile devices. Users who decline to accept the rules are refused access to the network.

Since first developing e-Minder for internal use, Conqwest is now selling it to others.

"This ensures that our employees know and understand the rules," Drolet said. "We'd like to allow our employees to be able to walk and talk the same whether they're a telecommuter or an employee working out of our corporate offices, but that's just not possible. Telecommuting means additional measures must be taken."

Tools, too
Even with the best qualification and telecommuting security policies in place, IT managers agree that a combination of tools, from VPNs to callback software, must be in place to secure the mobile users and the enterprise resources to which they connect.

At present, telecommuters at Lexis-Nexis are not allowed to access corporate systems via the public Internet. Instead, they must use a proprietary phone number that dials into the corporate network, where they are required to authenticate their identities twice using passwords and user IDs. Lexis-Nexis also requires telecommuters to use only company-issued hardware and software. IT preloads laptops and desktops with security tools and software such as WebSense's WebSense Enterprise Management product, which is used to block certain Web sites that pose security threats. Employees must sign a written agreement stating that they will not install additional software on company-owned computers.

VPNs, personal firewalls and authentication software aren't the only tools IT managers can use to secure mobile users. With the Microsoft attack fresh in mind, IT managers are using tools to help them prevent hackers from obtaining a user ID and password, often by stealing a laptop, and imitating legitimate users to access their corporate networks. The state of Arizona uses so-called callback tools such as ProCommPlus from Symantec to ensure that its laptops are dialing in from authorised phone numbers. Using the software, when telecommuters dial in to the corporate network, the number from which they're calling is checked. If the network does not recognise the number from which a user is dialing, it will deny access. If it does, the network initiates the call to the mobile user to establish the session.
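The callback decision described above, written out as an added Python example; this is not code from Arizona's ProCommPlus setup or from anyone quoted in this article. The account directory, passwords and phone numbers are constructed for illustration, and the "hang up, then dial back" step is modelled as a return value rather than driving a real modem. The one design point the example makes that the paragraph does not spell out: the callback should go to the number on file for the account, never to the number the caller presented.

```python
"""Dial-in callback authorisation, modelled in plain Python (added example).

Flow: caller presents user ID + password + caller ID -> server checks the
credentials and whether the presenting line is the one registered for that
account -> if so, the server hangs up and dials the REGISTERED number back.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Account:
    user_id: str
    password: str          # demo only; a real system stores a salted hash
    callback_number: str   # set by IT when the telecommuter is enrolled


# Constructed sample directory (hypothetical users and numbers).
DIRECTORY: Dict[str, Account] = {
    "alice": Account("alice", "correct horse", "+1-602-555-0101"),
    "bob": Account("bob", "battery staple", "+1-602-555-0102"),
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    dial_back: Optional[str]   # number the server will call, or None if denied
    reason: str


def normalise(number: str) -> str:
    """Reduce a phone number to its digits so formatting differences don't matter."""
    return "".join(ch for ch in number if ch.isdigit())


def authorise_dial_in(user_id: str, password: str, caller_id: Optional[str],
                      directory: Dict[str, Account] = DIRECTORY) -> Decision:
    """Return what the dial-in server should do with this inbound call.

    Credentials are checked first with a constant-time comparison and a single
    generic failure reason, so an attacker cannot learn which part was wrong.
    """
    acct = directory.get(user_id)
    # Compare against a dummy when the user is unknown so timing is the same.
    expected = acct.password if acct is not None else "\0" * 16
    if acct is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return Decision(False, None, "bad credentials")

    if not caller_id:
        # A withheld caller ID cannot be matched, so it is treated as foreign.
        return Decision(False, None, "caller ID withheld")

    if normalise(caller_id) != normalise(acct.callback_number):
        # Valid credentials from an unregistered line: exactly the stolen-laptop
        # case the text describes (right password, wrong phone line).
        return Decision(False, None, "calling from unregistered number")

    # Accept, but dial the number on file, not whatever the caller presented.
    return Decision(True, acct.callback_number, "hang up and call back")


def simulate_session(user_id: str, password: str, caller_id: Optional[str]) -> str:
    """Describe the outcome of one dial-in attempt as a one-line log entry."""
    d = authorise_dial_in(user_id, password, caller_id)
    if d.allowed:
        return f"{user_id}: accepted, dropping call and dialing {d.dial_back}"
    return f"{user_id}: denied ({d.reason})"


if __name__ == "__main__":
    print(simulate_session("alice", "correct horse", "+1 602 555 0101"))  # accepted
    print(simulate_session("alice", "correct horse", "+1 602 555 0199"))  # hotel line
    print(simulate_session("alice", "wrong password", "+1 602 555 0101"))
    print(simulate_session("mallory", "anything", "+1 602 555 0101"))
    print(simulate_session("bob", "battery staple", None))
```

Two caveats a practitioner would add. Caller ID can be spoofed, which is why the callback goes to the number on file rather than the presented one: a spoofer who matches the registered number still only causes a call to the legitimate telecommuter's home line. What callback does not defeat is call forwarding set up on that home line, or an attacker with physical access to it, so callback complements rather than replaces a second authentication factor.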

Other software tools are set up to occasionally dial out to a software manufacturer, which then checks to see if the PC has been reported stolen. If it has, the software attempts to record the number it's calling from and alerts law enforcement organisations of its location.

Broadband, big risk
While technology is part of the answer to cutting security risks posed by telecommuters, in some cases, IT managers say, it can open the door to hackers a bit wider. Take high-speed Internet access lines such as DSL (digital subscriber line) and cable modems, which have become increasingly popular with at-home workers. They can raise security risks because they are always connected to the network, making it easier for telecommuters' computers to be discovered by hackers running automated port scans and looking for vulnerable machines. With that risk in mind, many organisations are proceeding cautiously before allowing telecommuters to use broadband connections. Lexis-Nexis, for example, is permitting only a select few telecommuters to use DSL or cable modems while it conducts a pilot VPN program. Lexis-Nexis is looking at VPN options but will not offer any option to telecommuters until the security is right, including strong two-factor authentication and personal firewalls, Cronin said.

"A little over a year ago, there weren't a lot of these types of attacks going on, but now with the advent of DSL and cable modems, attacking an enterprise via telecommuters is now one of the cool things for hackers to do," said Johnson of Meta Secur e-Com.

Although concerned about telecommuter-related security risks, many IT managers are worried about relying on technology fixes for another reason: They don't want to confuse the very end users they're trying to protect by loading them down with the latest and greatest security technologies.

For instance, Gerry Cullen, director of special projects at Detroit Diesel-Allison BC, kicked around the idea of installing RSA Security's SecurID smart-card product on all telecommuter laptops before backing off out of fear that telecommuters would lose the cards. And at Lexis-Nexis, Cronin and Davalos considered installing encryption engines on laptops but then became concerned that end users would forget the keys to unlock files.

"The concern we have is that the cure can be worse than the disease when it comes to encryption," Davalos said. "We don't want to secure to the point where legitimate end users can't access files."

In the long run, analysts say, a successful telecommuting program means a balance of education, technology and policies. And the first step, IT managers said, is to constantly be on the lookout for potential attacks on telecommuters, even if that means being seen as a bit overzealous.

"I'm an IT manager," said Arizona's Lane. "I'm paid to be paranoid."
