Educate the workforce
The security policies enacted within the four walls of a building have to be adapted to include workers beyond the physical confines of the office. Teleworking staff need to be made aware that the websites they visit and emails they send via company laptops must comply with normal company rules and regulations.
"As employees of the company, home workers are subject to the same policies and procedures as staff that work in the head office," says Alan Sherlock, an executive with the Small Firms Association. "Data protection legislation means that measures should be put in place to ensure that the integrity of any third party confidential information is guaranteed."
Developing an 'acceptable use' policy for all staff can help educate workers on the dos and don'ts of IT usage. (For more on usage policies, see Issue 166.) In the case of home workers, businesses should look to extend beyond guidelines and to put safeguards in place in order to protect data. "There are always some people that don't do what they are told," says Chris Mayers, chief security architect with infrastructure software firm Citrix.
Secure the perimeter
Even with a usage policy in place, firms would be well advised to install firewalls on company laptops or home PCs. Firewall software can generally prevent unwitting visits to sites containing malware, and it can also be tweaked to block access to selected websites. Most antivirus software firms provide applications to meet this end.
Data sent via email can be protected by using encryption software; and indeed, encrypting the entire contents of a laptop is also recommended to prevent unauthorised access. (For more on encryption, see the How To section of this issue.)
Laptops are prone to getting lost or stolen, as evidenced by recent high-profiles incidents affecting both the Irish Blood Transfusion Service and Bank of Ireland. Businesses need to set up protective measures in case this occurs. John Power, senior solutions strategist with management software firm CA, says that on top of standard log-in procedures, where the user enters their ID and password, businesses should introduce key fob technology for laptops. This technology involves having a physically separate piece of equipment on a key ring, which generates a special code that is needed in order to log in. Without both the correct log-in information and the code from the key fob, the laptop is rendered useless.
Implementing the right kind of monitoring software to guard against illegal access can also give both firm and employee peace of mind. Remote monitoring software can limit access to the internet to ensure staff only go online for business purposes during work hours. Other options include the ability keep track of the information being sent via email so that sensitive data can be monitored. (For more on monitoring software, see Issue 167.)
Any applications used by a firm to prevent security breaches need to be clearly visible to teleworkers. "It has to be transparent to the user and non-invasive," says Power. He says firms need to be open with staff about security issues and continually educate workers about threats to data.
Remove the removable threat
Removable media such as USB hard drives and MP3 players can pose a security headache for businesses. These devices allow information to be easily moved and copied, and they can make it difficult for firms to keep track of where its information is going.
There are two options when it comes to securing such devices. The 'nuclear' option is to ban any removable media from being used on corporate PCs or laptops and to introduce blocking software to deny access to such media. For firms that truly have no need for such devices, this is a practical and easy-to-implement option.
For some businesses, however, an outright ban is impractical. In this case businesses need to remember three things: encrypt, encrypt, encrypt. "If you are going to use these devices then you had better encrypt all the data," advises Mayers. Encryption software enables firms to protect data that is transferred onto such devices so that information can only be viewed by approved users.
Enable secure access
Infrastructure such as virtual private networks (VPNs) can enable home access to the corporate network, but firms need to ensure this access is secure. VPNs allow remote users to log in to corporate applications and access documents and tools such as work email as if they were in the office. Companies need to make sure their IT provider installs a VPN that is secure so that sensitive data transmitted over the network is protected.
Other applications that are commonly used by teleworkers and that must also be secured include instant messaging and internet telephony, or VoIP (Voice over Internet Protocol). "All of the information sent over these services is clear and can be monitored by third parties," says Darren Craig, senior security consultant with IBM. Craig says this information can be encrypted, however, through a VPN and that businesses should consult with their IT provider to get specially tailored versions of these services.
By taking the right steps for security, you can rest assured that data being accessed and transmitted remotely is as secure as if all staff were safely within office walls.