Telecommuting Security

After the February snow storms in the DC area there was a plethora of articles advocating the expansion of telecommuting in the Federal Government. The contractors that support the government didn’t close their doors. They continued to work because many of their employees already work remotely under structured and unstructured telecommuting arrangements. Telecommuting brings new security risks.
Joan Goodchild writes about Four Telecommuting Security Mistakes in ITworld and CSO Online. That’s the starting point for this post.
1. Careless use of wifi and accessing unsecured networks
I don’t think people understand the security implications of “borrowing” someone else’s wifi or even using the free wifi hotspot at Panera/Wegmans/local shop.
Wireless is a shared medium. You don’t know who is listening in or even potentially hijacking your connection.
2. Letting family and friends use work issued devices.
We’ve seen laptops destroyed by letting the kids use them. (Although we could wonder if the user didn’t want to fess up that they were the one dumping the drink on the laptop repeatedly).
The kids violate security policy by installing P2P software, potentially sharing out all company data on the laptop. My favorite was the time the VP who signed the memo banning P2P was caught with P2P on the computer. Must be the kids.
If you allow your users to use USB thumb drives and the drive is shared with the kids, the drive could easily be formatted or the data stolen.
3. Altering security settings to view blocked sites
Sadly this isn’t an issue for us because there is no filtering when you’re not at work.
People are apt to disable any security control that keeps them from their goal.
4. Leaving work issued devices in an insecure location
This is the standard problem. What is a secure location? Laptops are stolen at work. Laptops are stolen from the trunks of cars. You’ll recall the Veterans Affairs case where a laptop was stolen from home.
When you’re at the Starbucks, do you leave the computer on the table while refilling your drink or hitting the restroom? People are far too trusting, particularly when it’s not their property that will be stolen.
5. “Backing up” corporate data to a home computer or NAS
This should be against your company’s policy. Proper enterprise backups don’t occur by copying files to what is probably an insecure location. It’s just bad.
6. Emailing corporate data to your personal email account
Corporate and customer data have no place in personal email.
7. Secure disposal of papers
While at work it’s easy enough to put documents in the document destruction bin (which is pulped). At home, if you’re lucky, the data is shredded. Then again, dumpster diving at the CEO’s house might turn up a lot of corporate data.
8. Incident Response
Was incident response built into your telecommuting program? Do users know who to call?

One Comment

  1. Your list of 8 items in this blog is an excellent starting point for conducting a threat risk assessment around telecommuting. Tie this in with a good understanding of the business needs for telecommuting and the IT department would be able to come up with excellent controls to mitigate most of the risks identified.