March 30, 2009, 11:30 AM — According to figures released recently by the Nemertes Research Group, an Illinois-based research advisory firm, as many as 71 percent of U.S. companies offer full-time or part-time telecommuting to employees. Despite the large number of employees who work out of office, another recent study from The Center for Democracy and Technology found many continue to sideline the issue of telecommuting security in favor of more urgent needs.
Whether it is employees who travel frequently for their job or staff who work out of a home office full- or part-time, their mobility poses serious security risks to your organization. CSO spoke with two security strategists about common mistakes employees often make while telecommuting, and asked for advice on how to put a damper on them.
Careless use of Wi-Fi and accessing unsecured networks
In research released late last year, Cisco polled more than 1,000 end users in 10 countries and found 12 percent of people who work out of the office regularly connect to a neighbor's wireless network when working at home. Another study from Accenture found one in seven Americans admit to "borrowing" Wi-Fi from an unsecured connection.
"Today, this is very easy to do," said Ralph DeFrangesco, a computer science professor at Drexel University and consultant who helps companies assess and develop security programs. "You are sitting in a Starbucks or a Borders with your laptop and you need access to the Internet. You open your laptop and connect to the first unsecured network you find."
Firewalls will provide some protection against some malicious wireless intruders, but risks certainly still exist, said DeFrangesco, who recommends companies tell employees to limit their time on an unsecured network and use encryption, like PGP, whenever possible.
"What people don't realize is that hackers sit on these networks, or set up their own, and put password sniffers on them to capture passwords," he said. "I have had many friends that have noticed funny things with their personal e-mail and work accounts after connecting to an unsecured network."
Another thing to consider: In addition to the obvious risks this poses to an organization's sensitive data, it is also potentially illegal.
"The law is very vague here, but you could be committing fraud depending on the network," said DeFrangesco.
Letting family and friends use work-issued devices
It is a fairly common scene: An employee brings a laptop home and later that evening, that person's son or daughter wants to use the device to surf the Web. But can you trust that what they are viewing and downloading is safe?
"I have entered environments where children's games were installed on machines, instant messaging and more," said Jason Hall, president of Stuart Hall Technologies, an Ambler, Pennsylvania-based consultancy. "Something like this can be addressed with local security settings. A user should not be an 'administrator' of their machine."
Employees should be clear that the work-issued device is for their use only. And, keep in mind, computers and mobile devices aren't the only place where friends and family can cause problems. DeFrangesco shared a story of a friend with a son in middle school.
"The son was working on a project on his home computer and needed to bring it to school the next day to finish it in class. The father told his son he could have the USB drive in his briefcase."
Unfortunately, the son took the wrong USB drive and lost several important documents his father needed for work.
"I know many companies where using USB drives is acceptable and encouraged to the point where they even buy the drives for their employees to use," said DeFrangesco. "I do not recommend or encourage the use of these drives."
If a company does allow employees to use USB drives, make sure the drive has security built in. If the drive does not have security, encrypt the data yourself, said DeFrangesco.
Altering security settings to view Web sites that have been blocked by the company
In its survey of end users, Cisco also found more than half have changed the security settings on their company-issued laptop to view restricted Web sites. Those polled said they did so because they wanted to visit the sites regardless of their company's policy. Another finding: 35 percent said it is none of their company's business if they have changed the security settings on their computer.
"I have to admit I have been guilty of this many times," admits DeFrangesco. "I do a lot of presentations and frequently need information or graphics for my slides, after gaining the proper permissions of course. However, when I find myself being blocked from a site, I often use a proxy to get around it. A proxy will act as a go-between your computer and the site you want to connect to, fooling the filtering software from blocking you."
Both Hall and DeFrangesco point out that organizations can stop some of this activity by adjusting content filtering to block particular sites that allow the bypassing of a firewall or content filter. But, although IT is responsible for locking down these settings, the end-user still needs to be educated, said Hall.
"The end-user has to recognize the risk they pose on the organization and themselves," he said.
Both Hall and DeFrangesco recommend companies train users on proper computer usage and consider having them sign an acceptable use policy every year.
Leaving a work-issued device in an unsecured place
Several high-profile laptop theft cases have many organizations now looking at data loss prevention as a security priority. For example, in 2006, a laptop was stolen from the home of a Veterans Affairs employee. The employee had taken it to a private residence despite agency regulations that forbid this kind of activity. The theft resulted in the possible identity theft of 2.2 million active-duty military personnel. Last year, FEMA was in the news because of a lost laptop that contained the names, social security numbers, dates of birth, and phone numbers of flood victims who applied for federal assistance.
"I like using a laptop and I think they make sense for businesses to issue them to road warriors," said DeFrangesco.
His advice? "Encrypt. I know that I sound like a broken record, but it works and it's cost effective. A lot of encryption software is free today. Even though it is free, there still is a cost to deploy and support it. If you can't afford that cost, then don't issue laptops."
DeFrangesco also recommends tracking devices that can recover lost laptops and issuing cable locks.
Hall believes this is an area where the end user needs to be held most accountable.
"Leaving a laptop in an unlocked car is a user problem, not an IT issue."