Work Wise Week: Securing the flexible worker

The benefits of flexible working are clear. Employees can see more of their family when they work from home and road warriors will have access to the same information whether they are at the office, on the road, at the airport or at a client's offices. But having confidential information at the touch of a button can also bring its own challenges.

An organisation's data is its lifeblood. If that data falls into the wrong hands it can damage a brand's reputation in an instant, even when it has taken years to build up in the first place. So, what exactly are the security risks posed by flexible working and what can companies do to mitigate risks and increase productivity of employees out of the office?

"Most small businesses believe that providing employees with the technology necessary to work remotely is expensive, a security threat, a logistical nightmare and basically out of their league," says Simon Presswell, MD EMEA of Citrix Online.

Ruth Bowen, who is the head of EMEA compliance team at IT security company Symantec says that there are several risks that organisations need to take in to account.

The first of these is the user's physical location and the risks associated with a laptop or other device outside the confines of the organisation's physical premises but in most cases unlimited access to resources.

"This risk can easily be mitigated through the deployment and enforcement of screen savers which are password protected. User education can also help to ensure that they lock their device when they leave it unattended," she says.

Another risk to take into to consideration is data while it's at rest, when we say at rest we mean data that has been copied from the enterprise onto either the remote device or onto some form of removable storage.

"It is imperative that the organisation knows both what data has been accessed and if it's stored securely in the event of a theft or accidental loss," says Bowen. "The way enterprises can understand what has been accessed by a particular user is through strong audit logs at the file server, application server or database server layer."

The data held on the device should be ideally encrypted using industry standard and accepted encryption technologies - this may be through 'virtual volume' type encryption or through the more secure full disk encryption. These are many products available on the market today that can satisfy this requirement.

Recent news of laptop theft only underlines the importance of encrypting data when it is outside of the protective domain of the corporate network.

"Nationwide has already suffered a hefty fine from the FSA for losing customer details. Yet you'd be surprised by the number of employees who continue to carry sensitive information on their laptop or PDA without it being encrypted," says Damian Coyle, General Manager EMEA of encryption company GuardianEdge.

"California already has a data breach notification law which requires businesses to let their customers know if there is a data breach. While we do not have a law in the UK, the EU is already looking into such legislation."

Years ago, the landscape was simpler. People went to work in offices and the network they accessed was closed off from the outside world. Data was backed up onto tape and securely shipped offsite. The main worry for most organisations was what would happen to data if the headquarters burnt down. Disaster recovery plans meant a second site where tapes could be loaded up onto new computers and workers could start working again with the minimum of hassle.

But now those perimeters have largely gone. Remote workers connected from untrusted sources and these have to be secures and governed according to policy.

According to BT's Global Head of business continuity, security and governance practice Ray Stanton the answer is to focus security measures more on applications and information.

"The key is to be clear about an individual's identity and role and to grant access accordingly, he says. "Robust identity checks are essential, and should ideally involve the use of smartcard or token-based security devices whenever users establish anything other than a direct connection to a corporate LAN."

Stanton says the emphasis needs to be on the individual. "With so many users connecting into the corporate network from outside, it needs to be absolutely clear who is entitled to access what. It is no longer safe to assume that anyone with access to the corporate network is to be trusted with access to everything on offer," says Stanton.

Not only do business need to protect network boundaries with firewalls, they also need to deploy internal firewalls to protect individual devices and smaller sections of the network.

While businesses need to protect internal assets, workers outside of the office need to make sure that they are protected from threats. That person supping their latte at the next table to you at the local coffee shop may be another customer access their email or could easily be a hacker waiting to steal confidential data.

"Public hotspots can be a hotbed of rogue networks waiting to launch a so-called 'evil twin' attack on unsuspecting users," says Roger Hockaday, Director of Marketing, EMEA, at networking company Aruba.

"While the user may believe that they are logging onto a genuine network, they could in fact be connecting to a rogue, with fraudsters logging their every keystroke for the purpose of data theft - not to mention gaining access to the sensitive corporate data held on the device."

Hockaday believes that no mobile device should be allowed to connect to the corporate network - wired or wirelessly - without compliance and remediation. But in practice the preferred method to connect mobile devices to the network is by wireless. Hockaday suggests building a separate (overlay) wireless network that not only secures the connection into the network using encryption to prevent anyone from seeing the data en-route to the core but also uses remediation of the end point as part of the authentication process.

After securing internal network, external access and the end-points from which access is gained, the next step is to put in place policies governing how users access networks securely, making sure that the end-point is patched up and protected against attack from hackers and malware.

According to Graham Cluley, senior technology consultant at anti-virus firm Sophos, Network Access Control is the most effective way of ensuring remote workers do not inadvertently compromise their company networks, as it can both restrict access for devices that don't comply with security policy, as well as determining appropriate access levels based on user and device type.

"In simple terms, this means that if an employee accesses the network from within the office, they may be granted access to all areas of the network appropriate to their job description," he says.

Cluley adds that if staff are logging in from a wireless hotspot, access to sensitive information or files may be restricted as the method of connection is less secure. "If the device they're using doesn't have the correct malware definitions or operating system updates, they'll be refused access altogether," he says.

Cluley says that Network Access Control solutions can also help prevent infection being brought in via applications such as Skype or Kazaa, which, while they might be banned in the office, could still be present on remote devices.

Stanton says that up to 70 per cent of the workforce now aspires to work flexibly and the technology involved is cheap and readily available. "Rather than developing and managing a plethora of policies to oversee and control what staff are doing with all the kit and networks at their disposal, it's becoming easier to consider everyone in the organisation as a mobile worker. It's just that some move more often than others," he says.

He adds that in order for a security policy to be of any use, it has to be properly implemented and communicated. Whilst technology and tools are key to this, security has to be considered holistically and therefore people and processes are just as, if not more, important.

Every person that the IT security policy applies to needs to be made aware of the requirements contained in it that apply to him or her. The employee contract should contain explicit statements or reference to the employee handbook about what the security policies that apply across the organisation, company property and resources. By signing the contract employees are bound to these statements.

"Employees should also undergo regular security awareness training, preferably tailored to them. Such training should be repeated periodically by means of follow-up sessions, Computer Based Training and awareness activities like poster campaigns, all staff emails or company newsletters," says Stanton.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.