Business Report

The Risks of Telecommuting

Without thorough security considerations, remote workers can open holes in business computer networks.

Letting employees work at home and in coffee shops, trains, or anywhere else with Internet access cuts costs and increases productivity, but it also poses significant security risks. Many computer security experts say companies don’t do nearly enough to reduce the chance that an employee will lose data or intellectual property while outside the office.

Many organizations protect their networks with firewalls that restrict access to particular resources, a step akin to putting a lock on a door. Many also have virtual private networks (VPNs) that encrypt data traveling from the corporate networks to remote employees. But just how effective this is depends on how access to the VPN is granted; given that basic passwords can be guessed or “phished” out of employees, it’s safer to add an additional step.

For some organizations, that step involves hardware tokens—small devices that generate one-time passwords every so often—or software equivalents. (Recent hacking attacks on token provider RSA, which led to a follow-up hack on Lockheed Martin, do not appear to have permanently undermined the underlying cryptographic technology used in RSA’s tokens.) When used correctly, VPNs with strong authentication procedures are difficult to hack, even over public Wi-Fi networks where eavesdroppers otherwise sniff out traffic easily.

But securing data requires more than setting up firewalls and VPNs. Although “social engineering” attacks, in which a victim is tricked or forced into giving up passwords or other sensitive information, are not unique to telecommuters, the scams can be harder to pull off in the face of the organizational security an office offers, says Steven Chan, a research fellow and chief software architect with MIT’s engineering systems division. To approach an employee who handles sensitive information, “you can pretend that you’re a bike courier or FedEx guy, but you still have to get past the security guard, receptionist, and so on,” Chan says. People who work alone are more vulnerable.

Chan adds that many employees who work from home probably don’t have network security as good as what’s in their office. “If I know that your home office is that extension off the house or that your den is on the first floor, all I have to do is to steal your laptop or get past your [Wi-Fi security],” Chan says. “Perhaps your Verizon router is still set to the default password. Overall, I know exactly where your critical files are, and if I’m [really good at what I do], the target is toast.”

Remote workers are also vulnerable to the loss or theft of devices carrying their organizations’ data. In 2006, an employee of the U.S. Department of Veterans Affairs lost a laptop and hard drive that had sensitive, unencrypted information on more than 26 million veterans and their families.

To prevent such losses, experts recommend, at a minimum, encrypting the most sensitive materials on a teleworker’s hard drive. For thorough security, the entire hard drive should be encrypted and should be accessible only through strong passwords—Microsoft recommends passwords of at least 14 characters, some of which are letters, numbers, and symbols. Furthermore, tracking software can be used to locate a lost laptop, phone, or tablet and remotely wipe it clean of data.

Chan also suggests credentialing, which means employees should get access only to the information they require for their work. The permissions should be rethought regularly and not just set in place when employees are first hired. Such a framework can also help an organization keep track of when its most important data has been accessed—making it less likely to escape notice, for instance, that any single worker was regularly leaving the building with personal details on 26 million veterans.

Another potential source of problems is that telecommuting employees use a variety of mobile devices for their work. Today, many devices have been thrust upon organizations by the employees, rather than the other way around, notes Rich Campagna, who oversees security products for Juniper Networks. One way to prevent this from compromising security is to have servers in a network identify and authenticate all devices attempting to gain access. In a step known as device fingerprinting, the network can try to distinguish a legitimate remote employee from a rogue hacker by looking at the IP address, device serial numbers, and other settings on the user’s computer. If an unfamiliar device attempts to access the network—even with the correct passwords and IDs—either entry is denied or the request is evaluated after further authentication (by a phone call to the user, for instance).

Such automatic procedures are better than expecting employees to make wise security choices themselves, Campagna says: “There’s a good chance it won’t happen if the end user has to make a conscious decision about it.”

Cut off? Read unlimited articles today.

Become an Insider
Already an Insider? Log in.

Uh oh–you've read all of your free articles for this month.

Insider Premium
$179.95/yr US PRICE

More from Business Impact
Securing Data

How technology advances are changing the economy and providing new opportunities in many industries.

Want more award-winning journalism? Subscribe to Insider Plus.
  • Insider Plus {! insider.prices.plus !}*

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus ad-free web experience, select discounts to partner offerings and MIT Technology Review events

    See details+

    What's Included

    Bimonthly magazine delivery and unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

    Access to the magazine PDF archive—thousands of articles going back to 1899 at your fingertips

    Special discounts to select partner offerings

    Discount to MIT Technology Review events

    Ad-free web experience

/
You've read all of your free articles this month. This is your last free article this month. You've read of free articles this month. or  for unlimited online access.