Corporate IT needs to think about securing family PCs
I recently had another demonstration of why telecommuters are the most vulnerable point in a company's IT network. The good news is that we didn't suffer any damage and I found an idea for a column, and the bad news is somebody else's problem. Unfortunately, the bad news means that IT support resources just stretched a little thinner.
Like many of you, I have a small network at home to link my computers and a printer. Also, like many of you, I upgraded from dial-up to broadband access (in my case, DSL) earlier this year. I knew from previous experience with DSL that the always-on connection was a tempting target and that anti-virus tools, although helpful, weren't going to provide enough protection. Fortunately, the personal firewall market has had a number of new entries this year, and it was easy to find protection for my handful of machines.
The best part of the broadband deal for me is that I can do a lot more work from home, which means that I spend less time on the San Francisco Bay area's freeway system, a plus no matter how you slice it. Another advantage for my sweetie and me is that our eBay pages load faster. A lot faster.
I'm not picking on eBay -- it could be any other form of online addiction, but that's the case in my home. It's cool that we have a continuous stream of small packages arriving at the door. But it wasn't so cool the other day when the anti-virus software reported that a virus was infecting a mail attachment from one of our eBay correspondents.
It turned out that the other person had sent some mail from a computer that she "thought" had anti-virus protection. All we could do was wish her good luck and delete the infected mail. But I wondered about something. How many times a day across the country was this scene being repeated? More importantly, how many times a day was this happening without anyone noticing?
The problem is easy enough to understand. You can't settle for simply protecting the computers your company owns. You have to protect the PCs of your telecommuters, and if they share an Internet connection, you also have to worry about the other machines in their households.
How far your company goes in doing something about those other machines is a sticky question. A completely hands-off policy ignores the seriousness of the threat. On the other hand, a highly managed solution that would be appropriate for corporate desktops might pose privacy problems when implemented on home systems. For example, IT has no business determining what's appropriate content on a family-owned computer. That's a parental responsibility.
A sensible compromise involves making telecommuters accept a greater responsibility for their security but giving them the tools and support they need to be able to protect the other PCs in the household.
The key here is limiting your liability. Check with your lawyers and your insurance carriers to ensure that, if you do send a technical support representative and he or she trips on a toy, falls downstairs, and is out of commission for days (or heaven forbid, longer), the company isn't exposed to a damages suit. Limiting the scope of your technical-support activities to purely security-oriented tasks is also a good idea.
It is important to be open, but discreet. Don't collect any information on household computers. Do have your technical support representative take note of machines that can't be secured and try to determine from the owner whether or not they pose a potential threat to IT. If it appears that a problem exists, you might want to follow up by providing resources to help the owner keep his or her computers secure.
Although it's easy to say that "telecommuting is a privilege and not a right" and thus telecommuters are obliged to protect themselves, that's the kind of attitude that got Microsoft in the headlines. IT has training that few users possess, and by using your resources to help secure the home front, you can ensure the overall strength of your IT defenses.