Living in Hong Kong, I have had SARS on my mind in recent months. Thankfully, at the time of writing and due to excellent work by many people, it appears to be under control here. However, there has been a surge of interest in and promotion of teleworking. It makes a lot of sense as a solution to the business continuity problem - if key staff, or even all staff, have been confined to their homes by a quarantine order but are otherwise currently healthy, teleworking can empower them to keep working. What are the security implications?
Most teleworking packages do consider security: they include a broadband connection, so you can reach your data, and a VPN, to protect it in transit. But there is a lot more to the problem than that. A full VPN provides a seamless connection, making the home computer part of the office network, but the corporate internet connection has been sized for normal use. The traffic associated with staff working as though they were still in the office could overload it. Business continuity does not mean continuing without change, so providing access methods that force staff to work differently and make it less convenient to eat bandwidth may be better. Protocols like SSH and SSL can be used to tunnel specific connections so that the remote worker gets only what is required for essential work.
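As an added illustration of tunnelling only specific connections (not part of the original article), an OpenSSH gateway can restrict a teleworker group to named internal services instead of giving it full network access. The group name, hostnames, user name and ports are placeholders.

```sshconfig
# /etc/ssh/sshd_config on the corporate SSH gateway (added example).
# Group name, hostnames and ports below are placeholders.
Match Group teleworkers
    # Allow client-to-office (local) forwards only, and only to the
    # services needed for essential work.
    AllowTcpForwarding local
    PermitOpen mail.corp.example:993 intranet.corp.example:443
    # No layer-3 tunnel: the home PC never becomes part of the office network.
    PermitTunnel no
    # No interactive shell or other channels on the gateway.
    # The path to "false" may differ on your system.
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false

# ~/.ssh/config on the home PC (a separate file, shown here as comments).
# Host office
#     HostName gateway.corp.example
#     User alice
#     LocalForward 127.0.0.1:1993 mail.corp.example:993
#     LocalForward 127.0.0.1:8443 intranet.corp.example:443
#     ExitOnForwardFailure yes
# Connect with: ssh -N office
```

This narrows what a compromised home PC can reach to the listed services; it does not protect the home PC itself.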
Protecting data in transit is only one part of the problem; the endpoints also need protection. Hopefully the office already has adequate security in place, but the average home PC is vulnerable - personal firewalls are not very common, and the only anti-virus software used might be the free version, bundled with the new PC and now hopelessly out of date. A hacker or virus that takes over the home PC can then make use of the secure VPN connection to access corporate information.
Companies, particularly SMEs, might dismiss the hacker threat - there are only a limited number of hackers, and why would they be interested in attacking one particular SME among thousands? There are many answers to that. Corporate espionage might be unlikely, but customer data can be generally valuable, especially if it includes credit card information. Of course, companies have an obligation to protect personal data under privacy laws in many jurisdictions, so if any personal data is accessible through the VPN then the home computer must be carefully secured. But the more likely threat is viruses. Viruses are generally indiscriminate, and, because they replicate, there is no limit to the number of simultaneous attacks they can make. Many home PCs are probably already harbouring a variety of viruses; using those machines all day gives the viruses more time to act, staying online gives them more time to spread, and connecting those machines to corporate networks gives them access to new address books to contact and new data to damage. The result of large numbers of people teleworking could be a sudden jump in computer virus incidents. Fortunately, no one is going to die from a computer virus, but we should still try to prevent the avoidable damage that computer viruses cause. It helps that many anti-virus licenses allow for home use, and there are remote update mechanisms that can keep the protection in sync with the office. The licensing terms of other required software might not be so convenient; these must also be reviewed before teleworking can start.
Another issue is the retention of data. Many organisations ensure that the hard disks of their old computers are securely wiped before they are thrown out. What about the corporate data now left on the home computers? Asking the staff to delete all corporate files at the end of the teleworking period will be ineffective: files can be easily overlooked, and there will be temporary files or fragments of data elsewhere that could still be recovered. Should the company require the disk to be securely wiped when the teleworking ends, or when the home computer is thrown away? How can they enforce the policy?
How much control over home computers can companies demand? Some companies address this by providing staff with a dedicated computer and connection for teleworking, and insist it is only used for office work. This might also provide some relief from a problem that afflicts many teleworkers: harassment by children, as the children can continue to use the home computer for schoolwork or games. Unfortunately, it is expensive; the company now buys two computers and software for each employee.
So, companies considering implementing teleworking should remember to secure the endpoints as well as the communications channel. The home PC should be protected to the same level as the corporate network, which probably includes patching with the latest security patches, installing up-to-date anti-virus software (and keeping it up-to-date) and installing a personal or distributed firewall. Educating the teleworkers about their role in corporate security is also essential. A computer virus is not going to kill you, but it might be the last straw that breaks a company facing a difficult economic environment.