This guide offers tips on equipping a remote office in an employee’s home, and points out common security vulnerabilities and how to fix them.
Employees are increasingly clamoring to work from home, especially given today’s high gasoline prices, congested traffic and long commutes. They see the advantages of lower expenses and the enviable, if clichéd, option of attending a meeting in their pajamas.
But there’s a more serious side to teleworking. Many of us could be forced to work from home due to a natural disaster, terrorist attack or even a flu pandemic. (See “Out Sick” on page 16.)
Obviously, some jobs will never be done from home. However, those that can may help improve morale, lower turnover, and even alleviate traffic and parking congestion. While equipping your staff to work effectively from home is important, home office security can be a challenge. Your IT staff can’t just drop by to fix a configuration problem, and providing physical security is obviously impossible.
In some ways, the home office is more physically secure than a typical office. If there’s only one employee present, you don’t have to worry about disgruntled workers stealing a colleague’s ID or sabotaging their work by using their computer while it’s unsecured. Plus, your workers’ homes are no more inviting a target for thieves than any other — there’s no added expectation of finding multiple computers and other technology products. On the other hand, home workers have to be vigilant against inadvertent data loss and security breaches.
The following guide offers tips on equipping a remote office and points out common security vulnerabilities and how to fix them.
Today’s home office typically has a high-speed data connection, either a cable modem or a Digital Subscriber Line (DSL). While some claim that DSL is theoretically more secure than cable, the difference has been eliminated by modern cable modems and implementation schemes. Your workers’ connection to the office should be via a virtual private network (VPN), which obviates any concern about digital eavesdropping.
Even if your workers have only one computer, insist that they use a router. The non-routable addresses that it assigns make any number of home-based computers invisible to the thousands of attempts that are launched each day against the workers’ Internet address.
Never permit employees to check the “allow remote administration” option on their router if they own the equipment, and advise them to change the default administrator name and password. You may prefer to provide the router and have your IT department administer it remotely.
A Wi-Fi router costs only a few dollars more than a “wired-only” product, which may be a good investment for the future. Workers should keep wireless turned off when they aren’t using it. When they are using it, ensure that they turn on the security option, so the router requires a password before a device can use it.
They should change their router’s network name from the manufacturer’s default name, but not use their family name or the name of your office or department. For added security, they can “stealth” the wireless router so it doesn’t broadcast the network name. They should also use WPA (Wi-Fi Protected Access); it’s more secure than the older WEP (Wired Equivalency Protocol) security.
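The router guidance above, turned into a check an IT department could run over settings that home workers report. This is an added example, not part of the original guide; the CSV column names, the sample records, the list of default network names and the office terms are all constructed assumptions.

```python
import csv
import io

# Constructed sample inventory; the column names are hypothetical.
SAMPLE = """worker,family_name,ssid,wifi_security,remote_admin,default_admin_changed,ssid_broadcast
alice,Rivera,linksys,WEP,on,no,on
bob,Chen,ChenFamily,WPA,off,yes,on
carol,Okafor,bluebird-42,WPA,off,yes,off
dave,Muller,DeptOfRevenue-Home,none,off,yes,on
"""

# Sample manufacturer default names; extend for the routers your workers own.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "belkin54g"}
# Assumed words that would identify the office or department in a network name.
ORG_TERMS = ("dept", "revenue")


def audit_router(row):
    """Return the findings for one router record, following the guide's rules."""
    findings = []
    ssid = row["ssid"].strip().lower()
    security = row["wifi_security"].strip().upper()
    family = row["family_name"].strip().lower()
    if row["remote_admin"].strip().lower() == "on":
        findings.append("remote administration enabled")
    if row["default_admin_changed"].strip().lower() != "yes":
        findings.append("default administrator name/password still in use")
    if security in ("", "NONE"):
        findings.append("wireless security turned off")
    elif security == "WEP":
        findings.append("WEP in use; switch to WPA")
    if ssid in DEFAULT_SSIDS:
        findings.append("network name is a manufacturer default")
    if family and family in ssid:  # skip the check when no family name is on file
        findings.append("network name contains the family name")
    if any(term in ssid for term in ORG_TERMS):
        findings.append("network name identifies the office or department")
    if row["ssid_broadcast"].strip().lower() == "on":
        findings.append("advisory: network name is broadcast")
    return findings


def audit_inventory(text):
    """Map each worker to the findings for their router."""
    return {r["worker"]: audit_router(r) for r in csv.DictReader(io.StringIO(text))}


if __name__ == "__main__":
    for worker, findings in audit_inventory(SAMPLE).items():
        print(worker, "->", findings or "OK")
```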
Many home office printers are multifunction devices that scan, copy and fax. The printer may be located in another room, which makes wireless printing attractive, although your workers will need a wireless network. They must ensure that their wireless printer adapter allows WEP or WPA wireless security — otherwise, someone could be getting a copy of everything they print from afar.
All critical information should, of course, remain on your main office’s servers, and home workers must adhere to standards that have them save work in progress to server-based storage. Many state offices, however, use contractors for some tasks and special assignments, and it’s more difficult to impose standards on them.
If contractors are handling critical information, they should be contractually obligated to handle it correctly. A backup tape or disk device that’s always in their home office is a waste of money from a security perspective.
A backup device must have removable storage, and the tapes or cartridges must be stored somewhere that would not be subject to theft or to the same natural disaster that might wipe out a contractor’s — or worker’s — home office. Encrypted backups are safer from a theft standpoint, but they may be more difficult to restore.
A worker’s computer is far and away the most vulnerable device in the home office. Employees should run the same commercial antivirus and Internet security suite that you run throughout the organization, and it should be configured for automatic updates.
Encourage or mandate the use of a separate spyware scanner from another vendor. Caution workers against using “remember my password” features — especially for departmental logins, VPN, e-mail and other sensitive online applications.
Some workers prefer notebook computers for mobility reasons. That same mobility is why the biggest danger with your workers’ notebook PCs is loss or theft. The notebooks are likely to hold a significant amount of personal data, as well as business information.
If a notebook is issued, it should be set up so it requires a password when booted and even when it returns from standby. For greater security, choose a notebook with a fingerprint scanner. Two-factor authentication maximizes security. Even so, a thief could pull the hard disk, so some vendors offer notebook PCs with hardware-based encryption of the disk drive.
If confidential business is to be transacted from workers’ home phones, they should be aware that older 900MHz telephones can be tapped. Newer wireless phones have security that defeats casual eavesdropping, but 2.4GHz phones will generally break your workers’ Wi-Fi network connections. Advise them to choose a different operating frequency if they’re using Wi-Fi.
Workers who lose a personal digital assistant (PDA) or a smart phone with PDA functions may lose entire contact lists, as well as a history of all their phone calls. If this information is critical, ensure that you have a procedure for backing up each PDA’s data. Workers should use a password, just as they do on their PCs.
Use of a home-based computer as a Web server should be forbidden. Most users do not have the technical skill to secure a server against sophisticated attacks, or even many common hacks.
If anyone else has access to your workers’ home office, it changes the security game. Key loggers (see below) and simple theft become possibilities.
A small plug inserted between the end of the keyboard cord and the computer can record hundreds of thousands of keystrokes. Keylogging software can also make this function available to intruders. Have staffers use security software to block keylogging and other forms of spyware.
Rifling through the trash or through to-be-recycled paper is the oldest trick in the book. Discourage workers from printing sensitive materials at home or discarding office materials there. All confidential materials should be shredded.
If your workers have children in the house, the children should be forbidden to use the home office computer. Children are indiscriminate when clicking on sites and on “panic” messages that claim the computer is infected, and then try to infect it.
Equipping a home for a business or for teleworking requires more than a computer and a high-speed Web connection. Other equipment includes:
1. Multifunction color printer
Scanning, faxing and copying should be included.
2. Fax machine
A separate fax machine will always be available for incoming faxes and won’t use up color printer supplies.
3. Wireless networking
Mobility, even in a one-room office, is handy, and can be a boon to auto-syncing the worker’s personal digital assistant or notebook PC.
4. Digital camera
A simple photograph can save pages of explanation. It’s also a handy security tool for recording inventory.
5. Accounting software
If you audit your contractors, make sure they have something to audit. Don’t work with people who run their business on scrap paper notes.
This lets remote workers attend virtual meetings visually.
7. VoIP phone
An Internet Protocol-based phone cuts calling costs. Workers should also have a landline and/or cell phone for backup.
A high-quality headset helps workers hear and be heard better, and frees their hands for other tasks.
9. Backup device
Removable storage that can be carried to another location can be critical.