Letting employees work at home and in coffee shops, trains, or anywhere else with Internet access cuts costs and increases productivity, but it also poses significant security risks. Many computer security experts say companies don’t do nearly enough to reduce the chance that an employee will lose data or intellectual property while outside the office.
Many organizations protect their networks with firewalls that restrict access to particular resources, a step akin to putting a lock on a door. Many also have virtual private networks (VPNs) that encrypt data traveling from the corporate networks to remote employees. But how effective a VPN is depends on how access to it is granted; given that basic passwords can be guessed or “phished” out of employees, it’s safer to require an additional step.
For some organizations, that step involves hardware tokens—small devices that generate one-time passwords every so often—or software equivalents. (Recent hacking attacks on token provider RSA, which led to a follow-up hack on Lockheed Martin, do not appear to have permanently undermined the underlying cryptographic technology used in RSA’s tokens.) When used correctly, VPNs with strong authentication procedures are difficult to hack, even over public Wi-Fi networks where eavesdroppers can otherwise sniff traffic easily.
But securing data requires more than setting up firewalls and VPNs. Although “social engineering” attacks, in which a victim is tricked or forced into giving up passwords or other sensitive information, are not unique to telecommuters, the scams can be harder to pull off in the face of the organizational security an office offers, says Steven Chan, a research fellow and chief software architect with MIT’s engineering systems division. To approach an employee who handles sensitive information, “you can pretend that you’re a bike courier or FedEx guy, but you still have to get past the security guard, receptionist, and so on,” Chan says. People who work alone are more vulnerable.