Letting people work at home or away from the office can be liberating and productive, but watch out for human fallibility and security risks.
There's no doubt that mobile working can increase productivity in medium-sized organisations. Yet can these new tools be implemented without sacrificing security? We talked to John Lennon of IT solutions company 4Sol, who says that the rules of mobile security barely need to differ from best practice in the office.
Flexible working can seem a real challenge for the hard-pressed IT manager, with constant demands for office resources with 24/7 availability. How can you meet these requests without compromising office security, a responsibility which rests firmly at your door?
Scoping out the requirement
As with many challenges, breaking up the problem into bite-size chunks can help us to find practical solutions. There are two key environmental considerations before we get to the nuts and bolts of specific security issues.
- It's a connected world out there: Flexible, remote or mobile working all amount to one thing: a multitude of different devices and standards. Fast moving companies demand IT support for virtual private networks for home-working, wi-fi for working in public places, and support for a growing number of phone, PDA and custom-designed devices.
- Flexible working is not solely the preserve of the IT department: Unlike day-to-day desktop maintenance, for example, the implementation of flexible working technologies is usually led in conjunction with other stakeholders in the company, frequently HR, who are looking for specific business benefits: productivity and employee benefits to name but two.
"There's a simple trade-off between business benefit and business risk, and this needs to be established at the outset. Simple measures like consistently using the same equipment for everybody will reduce risk and the support requirement." This leads us to the second point: demand from other stakeholders. A classic example in medium-sized companies is pressure from a senior manager for their own custom set-up. "Unfortunately, it's the IT manager's role to speak up and highlight the fact that the convenience of a tailored solution for one member of staff may not make economic sense, and certainly won't make good security sense."
Begin with a security policy
That sort of argument needs backing up with hard facts, and those facts should come from a pre-defined security policy. Many mid-size companies don't have a security policy for their existing IT service provision, and this should be rectified before any attempt is made to implement a mobile working regime; it should by now be apparent that the success of these projects stands or falls at the planning stage.
The reason for defining your general security policy first is that exactly the same considerations apply for internal security as for the mobile or post-perimeter environment. For example:
| Consideration | Internal | Mobile |
|---|---|---|
| Authentication | Passwords for PCs and network resources | Passwords for external access. Extra security for perimeter access points; consider dynamic security, e.g. RSA SecurID |
| Acceptable use | Define access to software and hardware according to each user's requirements, and define specific acceptable activities | Define access to software, hardware and transmission resources according to each user's requirements, and define specific acceptable activities |
| Data integrity and encryption | Public and private key encryption for email and other internet services | Public and private key encryption for email and other internet services |
Further to these considerations, you'll notice that above we mentioned the importance of a risk assessment. John Lennon again: "A company's security policy must also contain a fully researched risk assessment, linked to the value of each mobile proposition to the business. The essential questions are:
- What technology is proposed?
- What risk does it present to security?
- And balanced against that risk, what benefit to the business is anticipated?"
The human factor
Lennon identifies one further caveat to consider at the outset. "Mobile security has made a quantum leap in the past couple of years: if a mobile phone is lost, for example, it's now possible to wipe the phone remotely, reducing the chance of information falling into the wrong hands. Wireless security systems have been similarly upgraded. But no matter how much security manufacturers embed on-board, the one weak link in the chain is the users themselves."
Typically, poor practice includes the use of obvious passwords, bad home and car security, or failing to secure home PCs as effectively as office PCs. If security becomes too much of a burden, users will simply abandon the project, leading to failure. "It is therefore the IT manager's job to explain the importance of security measures and make the process simple, whilst not making it too intrusive or complicated." Mobile implementations of Exchange and Outlook are good examples of programs which use the same user interface on the road as in the office, reducing the need for training and support and simplifying the user experience.
Another useful way to assess the risks is practically, based on user activities. Lennon says: "A typical example we often deal with is the use of laptops. Rather than just saying 'how can we secure this laptop', we instead see how it is actually used in practice: taken from within the office out on the road, used in a client office, and then returned to base. That opens up the concern of viruses at the client side being imported to the base network, a consideration which might otherwise have been forgotten."
Key considerations in a nutshell
The essential starting point for a flexible or mobile IT implementation is to begin with a general security policy; as we noted above, the rules are the same beyond the fence as within it:
- Decide who is going to be allowed to connect to your network and why
- Maintain adequate and current antivirus protection
- Stay on top of new developments, updating the policy, software and hardware as necessary (e.g. when a member of staff leaves).
- And don't try to deliver an all-embracing solution at once; give specific services to those who need it on the basis of a sound business case.