No matter what the size of your IT department, chances are that you've been called upon to support one or more members of the growing phalanx of telecommuters. These "work at home" individuals range from full-time home office warriors to the overworked executive who tries to knock out a few e-mails between his shower and morning coffee. Let's face it --
If you quickly answered "yes," take a moment and think again. If you answered affirmatively while thinking to yourself, "We have a $100K VPN and all of our telecommuters have client software installed on their systems," you're probably overconfident. A VPN is not enough. It's certainly the most expensive component of a telecommuting security arrangement, but you need to mind the basics as well. Remember that VPN clients have some degree of access to the corporate network. You certainly wouldn't want Bill CEO to connect to the VPN using Little Johnnie's computer which, by the way, was recently infected with a virus during Little Johnnie's P2P music swapping.
It is essential that you take steps to ensure that telecommuting computers are up to snuff from a security point of view. Let's take a look at a few options you have up your sleeve, ranging from the most drastic (and most expensive) to the absolute minimum effort:
- Provide work-at-home users with company-owned computers that enforce corporate security
policies and have appropriate software installed. This is the simplest solution from an
administrative point of view, but it could also be costly. Consider a variation on this theme -- is
it possible to provide telecommuters with a laptop that they can use both at home and in the
- Provide telecommuters with security software and require that they use it on systems used to
access corporate computing resources. This is definitely not as ideal as using corporate
computers, but it's much less expensive. Don't forget to provide a virus
definition file update subscription as well!
- Ask telecommuters to sign an acknowledgement that they understand the importance of securing their home computer before granting them access to the VPN. If you simply don't have any money in the budget for the first two solutions, at the very least ensure that users understand their responsibilities regarding security of home computing systems.
Don't waste any more time! Get out there and implement a strong telecommuting security policy!
About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.
This was first published in November 2003