02/06/11

By Paul Vlissidis, technical director at NGS
Secure, an NCC Group company

Advances in technology have resulted in many benefits and efficiencies for small and new businesses, and the ability to enable employees to work from home is certainly one of them.

For many, remote working has meant a reduction in overheads, operational costs and also a greater degree of flexibility for both employer and employee. All of these are most welcome during the unforgiving business climate we currently find ourselves operating in. Before employees are armed with a company laptop and told to stay at home, however, companies need to seriously consider the security risk remote working can cause in compromising or infecting networks.

Employees are typically considered to be the weakest link in any network security policy. This link is further weakened when the employee is located remotely and is outside of normal office policy reach. Employees are more likely to take greater security risks when outside of the office: whether that’s downloading unapproved apps from unknown sources or logging on at their local coffee shop and browsing the internet.

With almost all public places such as airport lounges, hotels and coffee shops offering free yet unsecured internet access, the opportunity for employees to work outside of the home is constantly increasing. Without strong controls over the equipment this means potential access without up-to-date protection or detection devices installed, which in turn means a corporate network could become or risk becoming victim to various malware being brought in by laptops or tablets.

In addition to online threats, further risks can come from unforeseen physical threats, such as unauthorised access from people living in the same property or even leaving devices unattended and unsecured in public places. The risk of loss of the equipment exposing customer data or network credentials is also far higher.

Most organisations looking at providing the option of remote working will have already identified and even developed a comprehensive technology policy. This is a good start, but it doesn’t go far enough. Organisations need to treat the highest threat at source: the employees themselves.

Many companies already restrict internet usage, usually as a result of productivity concerns for social media websites, but people will still happily delve into unknown corners of the internet without a second thought. Employees need to be educated - they need to realise that venturing online is the equivalent of walking down a dark alleyway in a city centre on a Saturday night. In the past, security awareness and training has been far too techno-centric and inaccessible, to the extent that most people don’t understand why the internet is such a dangerous place. Most employees’ understanding of a company’s security policy is down to signing the form to say that they’ve read it on their first day in the job.

Just as we rightly expect all car drivers to understand the Highway Code, so must all remote users of internet-connected devices have a better understanding of how to behave in a less risky manner.

But we can’t expect employees to bear all the responsibility for security. Organisations who provide employees with technology to enable remote working also need to ensure that it is checked, updated, supported and monitored regularly to minimise risks.

If remote working liberates employees, security must tether them to good and safe working practices — then the real benefits of working from home can be realised.