Letting employees work at home and in coffee shops, trains, or anywhere else with Internet access cuts costs and increases productivity, but it also poses significant security risks. Many computer security experts say companies don’t do nearly enough to reduce the chance that an employee will lose data or intellectual property while outside the office.
Many organizations protect their networks with firewalls that restrict access to particular resources, a step akin to putting a lock on a door. Many also have virtual private networks (VPNs) that encrypt data traveling from the corporate networks to remote employees. But just how effective this is depends on how access to the VPN is granted; given that basic passwords can be guessed or “phished” out of employees, it’s safer to add an additional step.
For some organizations, that step involves hardware tokens—small devices that generate one-time passwords every so often—or software equivalents. (Recent hacking attacks on token provider RSA, which led to a follow-up hack on Lockheed Martin, do not appear to have permanently undermined the underlying cryptographic technology used in RSA’s tokens.) When used correctly, VPNs with strong authentication procedures are difficult to hack, even over public Wi-Fi networks where eavesdroppers otherwise sniff out traffic easily.
But securing data requires more than setting up firewalls and VPNs. Although “social engineering” attacks, in which a victim is tricked or forced into giving up passwords or other sensitive information, are not unique to telecommuters, the scams can be harder to pull off in the face of the organizational security an office offers, says Steven Chan, a research fellow and chief software architect with MIT’s engineering systems division. To approach an employee who handles sensitive information, “you can pretend that you’re a bike courier or FedEx guy, but you still have to get past the security guard, receptionist, and so on,” Chan says. People who work alone are more vulnerable.
Chan adds that many employees who work from home probably don’t have network security as good as what’s in their office. “If I know that your home office is that extension off the house or that your den is on the first floor, all I have to do is to steal your laptop or get past your [Wi-Fi security],” Chan says. “Perhaps your Verizon router is still set to the default password. Overall, I know exactly where your critical files are, and if I’m [really good at what I do], the target is toast.”
Remote workers are also vulnerable to the loss or theft of devices carrying their organizations’ data. In 2006, an employee of the U.S. Department of Veterans Affairs lost a laptop and hard drive that had sensitive, unencrypted information on more than 26 million veterans and their families.
To prevent such losses, experts recommend, at a minimum, encrypting the most sensitive materials on a teleworker’s hard drive. For thorough security, the entire hard drive should be encrypted and should be accessible only through strong passwords—Microsoft recommends passwords of at least 14 characters, some of which are letters, numbers, and symbols. Furthermore, tracking software can be used to locate a lost laptop, phone, or tablet and remotely wipe it clean of data.
Chan also suggests credentialing, which means employees should get access only to the information they require for their work. The permissions should be rethought regularly and not just set in place when employees are first hired. Such a framework can also help an organization keep track of when its most important data has been accessed—making it less likely to escape notice, for instance, that any single worker was regularly leaving the building with personal details on 26 million veterans.
Another potential source of problems is that telecommuting employees use a variety of mobile devices for their work. Today, many devices have been thrust upon organizations by the employees, rather than the other way around, notes Rich Campagna, who oversees security products for Juniper Networks. One way to prevent this from compromising security is to have servers in a network identify and authenticate all devices attempting to gain access. In a step known as device fingerprinting, the network can try to distinguish a legitimate remote employee from a rogue hacker by looking at the IP address, device serial numbers, and other settings on the user’s computer. If an unfamiliar device attempts to access the network—even with the correct passwords and IDs—either entry is denied or the request is evaluated after further authentication (by a phone call to the user, for instance).
Such automatic procedures are better than expecting employees to make wise security choices themselves, Campagna says: “There’s a good chance it won’t happen if the end user has to make a conscious decision about it.”