Chan adds that many employees who work from home probably don’t have network security as good as what’s in their office. “If I know that your home office is that extension off the house or that your den is on the first floor, all I have to do is to steal your laptop or get past your [Wi-Fi security],” Chan says. “Perhaps your Verizon router is still set to the default password. Overall, I know exactly where your critical files are, and if I’m [really good at what I do], the target is toast.”
Remote workers are also vulnerable to the loss or theft of devices carrying their organizations’ data. In 2006, an employee of the U.S. Department of Veterans Affairs lost a laptop and hard drive that had sensitive, unencrypted information on more than 26 million veterans and their families.
To prevent such losses, experts recommend, at a minimum, encrypting the most sensitive materials on a teleworker’s hard drive. For thorough security, the entire hard drive should be encrypted and should be accessible only through strong passwords. Microsoft recommends passwords of at least 14 characters that mix letters, numbers, and symbols. Furthermore, tracking software can be used to locate a lost laptop, phone, or tablet and remotely wipe it clean of data.
Chan also suggests credentialing, which means employees should get access only to the information they require for their work. The permissions should be rethought regularly and not just set in place when employees are first hired. Such a framework can also help an organization keep track of when its most important data has been accessed—making it less likely to escape notice, for instance, that any single worker was regularly leaving the building with personal details on 26 million veterans.
Another potential source of problems is that telecommuting employees use a variety of mobile devices for their work. Today, many devices have been thrust upon organizations by the employees, rather than the other way around, notes Rich Campagna, who oversees security products for Juniper Networks. One way to prevent this from compromising security is to have servers in a network identify and authenticate all devices attempting to gain access. In a step known as device fingerprinting, the network can try to distinguish a legitimate remote employee from a rogue hacker by looking at the IP address, device serial numbers, and other settings on the user’s computer. If an unfamiliar device attempts to access the network—even with the correct passwords and IDs—either entry is denied or the request is evaluated after further authentication (by a phone call to the user, for instance).
Such automatic procedures are better than expecting employees to make wise security choices themselves, Campagna says: “There’s a good chance it won’t happen if the end user has to make a conscious decision about it.”
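The device check described above, sketched in Python as an added example; it is not code from the article or from any product it mentions. The attribute names, the enrolled-device table, the sample values, and the choice to treat an unfamiliar network as grounds for further authentication are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed demo key; a real server would load this from a secrets store.
SERVER_KEY = b"constructed-demo-key"
STABLE_ATTRS = ("serial", "os", "browser")  # assumed attribute names

def fingerprint(device: dict) -> str:
    """Keyed hash over the stable device attributes, taken in a fixed order."""
    material = "\x1f".join(f"{k}={device.get(k, '')}" for k in STABLE_ATTRS)
    return hmac.new(SERVER_KEY, material.encode(), hashlib.sha256).hexdigest()

def evaluate(user, creds_ok, device, source_ip, enrolled, strict=False):
    """Return 'allow', 'step_up' or 'deny' for one access request."""
    record = enrolled.get(user)
    if not creds_ok or record is None:
        return "deny"
    fp = fingerprint(device)
    known_device = any(hmac.compare_digest(fp, e) for e in record["devices"])
    ip = ipaddress.ip_address(source_ip)
    known_net = any(ip in ipaddress.ip_network(n) for n in record["networks"])
    if known_device and known_net:
        return "allow"
    if strict and not known_device:
        # Policy option 1: an unfamiliar device is refused outright,
        # even though the password and ID were correct.
        return "deny"
    # Policy option 2: further authentication, e.g. a phone call to the user.
    # Also reached when an enrolled laptop appears on an unfamiliar network,
    # which is what a stolen device would look like (assumed policy).
    return "step_up"

# Constructed sample data: one enrolled laptop and one home network.
LAPTOP = {"serial": "DEMO-0001", "os": "ExampleOS 1.0", "browser": "ExampleBrowser 9"}
ROGUE = {"serial": "DEMO-9999", "os": "ExampleOS 1.0", "browser": "ExampleBrowser 9"}
ENROLLED = {"alice": {"devices": {fingerprint(LAPTOP)},
                      "networks": ["203.0.113.0/24"]}}

if __name__ == "__main__":
    for dev, ip in ((LAPTOP, "203.0.113.7"), (ROGUE, "203.0.113.7"),
                    (LAPTOP, "198.51.100.20")):
        print(dev["serial"], ip, evaluate("alice", True, dev, ip, ENROLLED))
```

Setting `strict=True` selects the deny-outright policy for unfamiliar devices; the default routes them to further authentication.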