Security and Flexible Working: The Technology Management Dimension


Many companies are implementing flexible and mobile working solutions - but how do security concerns in this new regime affect the IT department? Nick Saalfeld speaks to Adrian Polley of Microsoft Partners Plan-Net, and finds that planning and communication in the early stages can prevent security problems later on.


Flexible working is now firmly on the radar of even the smallest companies, because the financial benefits are so clear. Most obviously, management can expect better productivity from employees. But additionally, out-of-hours problems can be solved without a trip to the office and in many cases employees see the ability to work from home as an essential workplace benefit. It may even attract talented staff from a wider catchment area.

New benefits, new challenges

As well as homeworking, the umbrella term "flexible working" now also includes mobile tools like phones and PDAs. Laptops, of course, have always been taken offsite, but now they may be used across Wi-Fi networks. These developments bring with them plenty of opportunity, but a certain amount of security risk too.

Adrian Polley, Professional Services Director of Plan-Net, a London IT consultancy, believes that whilst security will always be a necessary overhead, it's not unmanageable, particularly if employees can be brought on-side.

"The challenge with home computers is that usually employees have bought them themselves, and therefore it's their right to do with them whatever they want: the company can't expect the same standards of behaviour at home as on the office network. Yet you have to find a way to allow these home machines to dial in to the office system safely."

Adrian has several recommendations. "I think it's fair to say that most employees today have some understanding of security issues, so we're not starting from a blank canvas. Antivirus and the importance of regular patching are fairly well understood, and in any case, such measures are in the interests of the home user too."

SSL (Secure Sockets Layer) networks

"The biggest technological advance in this sense is the move away from traditional IPSec VPNs (virtual private networks) to an SSL VPN." As well as offering a more secure connection protocol, SSL is resilient enough, particularly with the broadband advantage of fixed IP addressing, to support server-based computing. In this way, applications can be run from the server (office) end, reducing the opportunity for rogue applications to be run locally. "It's all about IT departments being able to regain some of the control that is ostensibly lost to the home machine." The user needs nothing more than a standard browser, which makes installation and support easy, and can fully replicate their office environment at home, which also keeps productivity high.

"With SSL, you can also build in additional security measures, and some of them are very easy to implement. You might, for example, implement access controls which restrict dialing in from home only to machines which have up-to-date antivirus installed."

Education, education, education!

But technology is no substitute for education. With the best will in the world, flagrant disregard for security is going to cause problems and it's in the IT department's interests to make employees aware of best practice. "Most IT managers understand the need for a security policy, although plenty, sadly, have not got round to putting one efficiently in place. The important thing to say here is that even the most forward-thinking companies are having to revisit their security policies to account for flexible working. A key emerging issue, for example, is where data resides. Should office files and emails be used on home machines at all? And if so, should they be allowed to be stored on the home machine, or rigorously checked out and checked back in again?" The answer, of course, depends on your company and its activities; but these and other issues cannot be ignored. Here are just a few elements which you might consider beyond the usual antivirus advice:

Storage and transfer: Hardware like USB keys ("dongles") can store 1GB of data. The latest Blu-Ray CD-sized discs can store an enormous 25GB. What rules on storage, movement and tracking do you require?

Email: Should employees be able to access their office email as well as their office documents from home?

Archival: With automatic archival often a compliance requirement, should users be able to e.g. send emails without an office copy? And if not, employees need to know that the off-the-cuff email sent from home is no longer an option.

Passwords: Are all password security options being used? And are the obvious choices (family members' names etc.) being rejected?

Level of Responsibility: And finally, Polley says that employees need to know where their responsibility starts and ends. "If you dropped a laptop, you could expect to be asked to pay for it. It's your responsibility. With home-working comes at least some additional responsibility to the employee. Just because information is invisible doesn't make it any less of a liability if lost. Many security policies for home workers now demand specific levels of security awareness, and that's designed to ensure that the employee understands they're not entirely blameless if a breach occurs."

When your new security policy is in place, Adrian also has advice on communicating it. "I don't think it's right to haul employees over the coals. It's a classic case that a security policy for homeworkers is drawn up, pinned on the wall and then forgotten until something goes horribly wrong. A much better approach is a softer, ongoing educational approach. If we're going to expect employees to be vigilant, we need to constantly be relaying that message because it's so easy to fall back into lax ways."

Find a compromise based on the business case

If all the above fills you with fear, Polley advises against IT departments digging in their heels. "I often encounter a very polar attitude to these issues. On the one hand, a strict IT team wants nothing to do with these additional risks. On the other is a board who wants to implement as many of these new technologies as possible, often without the right level of forethought. The answer is always a compromise based on a solid business case and an adequate risk assessment. Avoid a blanket 'No' and look to deliver the mobility services which will best demonstrate long-term benefit to the company.

"To maintain security throughout a flexibility rollout, also recognise that new skills may be required, sometimes in-house but almost always by engaging the right technical partner, even if ongoing support will ultimately be in-house. And finally, once the project is in action, keep the flow of best-practice communication moving throughout the company at all levels. In that way, security remains front-of-mind and there's a much lower chance of the hiccups that lead to an inevitable confrontation later on."

By following these simple pieces of advice, you will not only be keeping your network secure, but engaging in prevention rather than cure; avoiding security problems in the extended workplace rather than fixing them afterwards.

Adrian Polley can be contacted on Adrian.Polley@plan-net.co.uk

