Posted by SecExtra on November 18th, 2009

The growth of home or remote working can leave companies vulnerable to security threats if they don’t take some simple steps to securing employees’ computers. This is the warning from managed security company, Network Box, which gives advice to businesses on the issue in a new advisory guide, Securing Remote Workers.

Companies should be particularly vigilant with home workers, according to the guide. Often, home workers will be using a personal home computer (as opposed to a company-provided computer) that is unlikely to meet stringent corporate security standards.

Most often, home and remote users will connect to the company using a secure Virtual Private Network (VPN) so that data can travel securely from the server in the office to the remote workstation. But at the point it reaches the workstation, particularly if this is a home PC, it will be unencrypted and can be written to the hard disk or temporary files, where it will remain, unless carefully purged by the user. A home computer is likely to be used by someone else in the house, who is unlikely to stick to the employee’s corporate security guidelines (on downloading file-sharing software, for example, or visiting websites that could be infected).

Network Box advises companies to take the following steps to ensure that they are protected from security breaches caused by remote workers:

1. Where possible, only allow home or remote workers to connect to the company network from a company controlled computer, not from a home computer
2. Put a system in place to update the approved computer with the latest patches, anti-virus software and endpoint security (particularly important if employees are connecting through open wireless networks, for example in hotels or airports)
3. If the employee does, for any reason, connect from a home computer, put policies in place to ensure this computer is up-to-date with security software (consider issuing an endpoint security license to the user), and limit access to company files and network, to minimise the threat of a breach
4. Keep full control over what’s installed on the approved computer, and how it is configured. Do not allow unauthorised software or applications to be used on it
5. Ensure that the user cannot get onto the Internet using this computer unless connected through the VPN so that company policy on internet access can be enforced at the company’s gateway. There is plenty of software available that will block access unless the VPN is on
6. Ensure that you have strict guidelines in place to prevent others using the company computer (for example children of employees). Educate employees on the risks, and consequences of breaching security policy
7. Ensure that password protection is strong, to minimise the risk of a hack (particularly when connecting through an open network). For more information on passwords, see Network Box’s guide to password security.
8. Encrypt data, particularly for workers ‘on the road’ with laptops that may be stolen
9. Limit risk by avoiding highly confidential data being transferred to the remote computer altogether, by using technology such as thin client (Terminal Services over VPN or third parties like Citrix) which process data on the server, without that data leaving the server.

Simon Heron, Internet Security Analyst for Network Box says: “Companies may have the best security systems available internally, but if their remote workers are compromised, all that good work is undone. The onus is on the IT teams to make sure remote workers understand the importance of security and stick to corporate guidelines.”

For more information on security issues, visit Network Box, see Simon Heron’s blog; or follow him on Twitter.

Securing Remote Workers is available free to download here…