How to Maintain Security When Employees Work Remotely
Thanks to significant advances in networking and mobile technologies, more people are working less and less from the office. Increasingly, we work from client locations, hotels, home offices and sometimes even from summertime beach cabanas.
This unprecedented ability work from anywhere has enabled companies to keep the best employees, regardless of where they may live, and swelled the ranks of “virtual” companies, whose employees meet constantly online, but rarely in the flesh.
But as computing infrastructures become more diffused and decentralized, keeping machines and data secure becomes more challenging. All those far-flung devices can become infected with malware that may also infiltrate the company’s network and make off with valuable company data. Mobile devices also are susceptible to data leaks because they can be lost or stolen, as well as more easily accessed by an outsider. When data disappears, financial, legal and reputational problems can quickly follow.
Here are guidelines on how to tighten security, while leaving workers free to roam:
Protect remote users’ devices.
Most data-stealing malware that infects PCs arrives via the web and email. In an ideal situation, you’d reduce the chances of a security breach by barring personal web browsing and emailing by workers on work computers, says Alan Paller, director of research at the SANS Institute, a non-profit that trains computer-security professionals.
Of course, even if you provide and own the devices in question, that could be a tall order. “Unfortunately, in practice, it’s a very hard thing and a very costly thing to enforce,” says Jon Ramsey, chief technology officer at Dell SecureWorks, the security-services unit of Dell Inc. “Ultimately, we want the machine to be able to go anywhere and still be protected.”
To reduce the chances of a malware infection, use security software and practice good computer hygiene by using the latest versions of all applications and installing new security patches immediately. It’s risky to rely on workers to take care of updating applications, so activate automatic updates from software makers or use a patch-management tool — such as Windows Intune for Windows users ($11 per user per month) — to distribute updates to remote computers yourself.
To mitigate potential damage from a lost device, install whole-disk encryption software, which can keep unauthorized people from accessing any of its data. Also, install remote-wipe apps on mobile devices so you can erase data if the device is gone forever.
Use cloud applications.
By using web-based applications to handle business tasks, a small business can let its employees work from any location, while handing off most data-security responsibility to cloud-service providers who are often better equipped and staffed to lock it down.
For instance, Microsoft Office 365 lets users access office applications and email, calendars and file-sharing tools using computers, the web and mobile devices (plans range from $4 to $20 per user per month). Many small companies use Google Apps for office applications (free for up to 10 users, $5 or $10 per month for more users). There are cloud applications for more specialized tasks, too, such as Salesforce.com (plans range from $5 to $250 per user per month) for customer relationship management.
Note that it’s vital that your employees — and especially your administrator — use strong passwords for their accounts and refrain from reusing passwords they use for other applications or sites, says John Pescatore, an analyst for Gartner Inc., a research firm based in Stamford, Conn. If the application offers an authentication option that’s stronger than a simple password, use it. For example, Google offers free “2-step verification,” a second one-time code you must enter that’s sent to your mobile phone.
You can even use cloud applications to secure employees’ use of the web. Such services are available from companies such as Zscaler ($1 to $5 per user per month) and Cicso’s ScanSafe (starting at $32 per user per year for 25 to 199 users).
There are, however, some privacy issues associated with working in the cloud. For instance, your cloud provider could comply with subpoenas for your data that you might have chosen to fight.
Create a secure connection to the company network.
You could also set up a system to provide remote workers with secure access to your corporate network.
Traditional systems include technologies like virtual private network (VPN) software, which encrypts remote workers’ internet traffic, along with tools that make sure remote computers have security patches installed, are configured correctly and are monitored for signs of infection. For example, Dell SecureWorks offers “unified threat management” systems to small companies using technology from Dell’s SonicWALL unit or Fortinet (starts at $150 a month).
Many small companies ensconced in the Windows world use Microsoft’s Windows Small Business Server to enable remote network access and protect data, among other things (SBS 2011 Essentials, $545, 25-user maximum). The software giant recently announced a new version due out this year called Windows Server 2012 Essentials that’s more cloud-centric ($425, 25-user maximum).
Those less committed to Windows might consider products such as Cisco AnyConnect (about $11 per user per year for 25 to 199 users) or Juniper’s Juno Pulse ($90 per user for 500 users, $135 per user for 100 users, plus hardware), Pescatore says.
Riva Richmond is a freelance journalist who has covered technology for more than a decade. She focuses on computer security, privacy, social networking and online business and has written for The New York Times, The Wall Street Journal and other national publications. Previously, Riva was a technology reporter at Dow Jones Newswires and regular contributor to The Journal’s “Enterprise” small business column.