Connect with us

Hi, what are you looking for?


Management & Strategy

Do Remote Workers Require Special Handling?

Corporate use of telecommuters is on the rise. Office space is expensive. Some companies use telecommuting as a way of reducing office space, while others like the fact that a telecommuting workforce gives them more geographic flexibility when hiring. If you can reasonably manage one person in Cleveland, who is the perfect skill match for the job, why try to hire a more expensive, less skilled person Chicago headquarters? Some companies work with telecommuters for the simple reason that employees think it is a benefit.

Corporate use of telecommuters is on the rise. Office space is expensive. Some companies use telecommuting as a way of reducing office space, while others like the fact that a telecommuting workforce gives them more geographic flexibility when hiring. If you can reasonably manage one person in Cleveland, who is the perfect skill match for the job, why try to hire a more expensive, less skilled person Chicago headquarters? Some companies work with telecommuters for the simple reason that employees think it is a benefit. Eliminating a one-hour commute adds an hour to the workday, and benefits everyone.

Security for Remote WorkersTelecommuting is nothing new. It exploded in the 90s, and hasn’t stopped since. But the telecommuting landscape has changed. How? Just look at your house. Most homes have at least one PC, and a significant number of them have multiple. Many homes have wireless routers. Those wireless routers connect to an Xbox, a PS3, a Wii, an iPad, an iPhone, Android phones and other smart devices that support wireless. We also have media devices like a Slingbox, a Roku Digital Video Player, an Internet connected TV/blu-ray player, or other satellite/cable box. On that same network, there may be a wireless printer, a networked storage device, backup server, iTunes server, and/or movie server. A quick count of my own home network shows two wireless networks and 14 networked devices. In one sense, this reflects our connected, high-tech society. But as a security geek, I can’t help but think of this as a lot of entry points.

By now we should all have the basic telecommuting controls down: Telecommuters all VPN in to the corporate network through an encrypted tunnel, and use strong authentication such as an RSA token. If you are not at this point, you probably need to go back to Go. Do not collect $200.

Technically, there are exceptions, such as the case of distributed staff that require little centralized control and access. Perhaps you can get by with Outlook Web Access, and share work files through an outsourced cloud provider. This can be a reasonable business model. But, if you are in a business that requires open communication, and collaboration in a team environment, you may need to connect the users to each other, via a common network.

I hate to say it, but before you have telecommuters, you need some (ugh) policy about what telecommuting means. Do you have core work hour expectations? Clarify staff responsibility for protection of work-related information. Clarify personal use of corporate equipment and information. Clarify the use of personally-owned property for work purposes. Are you sure you want that telecommuter’s office space to be the same t space that his kids use to play Call of Duty? Beyond the basic “protections” you have the fiduciary controls. How much, if any, of the user’s Internet charges are you going to pay for them to telecommute? Some say “If they want me to work from home, they are paying for my Internet.”, while some companies respond, “Everyone already has Internet, so we are not paying for any of it.” Irresistible force meets immovable object.

As long as we have basic policy covered, we need to make sure telecommuters have what they need to do their jobs. The telecommuter needs a work computer. No, not a computer they can work on, a “work” computer, provided by the company. If it is a personally-owned computer you are completely at the mercy of the end-user – what antivirus and other security controls are they exercising, and better yet, are they good at? You would much rather the telecommuter use a company-provided computer, over which you have some real control. You control password, firewall settings, anti-virus, and other relevant controls with group policy settings. Be “Big Brother”.

For that matter, you should consider a company-provided printer, or multi-function device, if they need one. To some extent, you should be exercising the same configuration management for the telecommuter as you do for your in-office staff. Basic IT controls say you want to limit the variability in your networked environment to simplify troubleshooting. Having a problem printing? If you have a standard configuration we know exactly how that works. Otherwise, all bets are off. Already have a personal printer that you want to use? Fine – just make sure you know how you are going to connect to the printer and not the rest of the telecommuter’s home network. And, if your staff are printing any corporate private or proprietary information, it is a good idea to equip them with a crosscut shredder – do you really want them throwing that R&D plan or the third draft of your $7 million proposal in their household trash? (You probably don’t need to keep the shredder under configuration control).

Next, protect your corporate information. Enable a remote backup process so that distributed users are dynamically backed up to a centralized server. It can be batch, overnight or real-time, on-demand. Just back them up, and make it so that the distributed user does not have to do anything. Don’t rely on the user to copy information to a central repository, or to initiate a backup job.

Advertisement. Scroll to continue reading.

You will probably want to help protect telecommuters from themselves. Most security geeks get it, but many “users” do not. If they do stupid things on their own network, it can expose their work computer to undue risk. Assume that the telecommuter’s home network is hostile. If they are connected to the enterprise via a VPN, you can make sure the VPN segregates them from their home network. But it is possible for that same user to connect to the outside world without using the VPN, and perhaps connect to their home network when the VPN is down. At the very least, most of these users have the ability to insert a created CD, DVD, or personally-owned flash drive into their work computer. Yes, this happens anyway, regardless of telecommuting or not. But, when the computer is home all of the time it is much easier and more common. To this end, some of these practices (use of personal information on work computers) should be covered by your policy. And for the rest, you can give the telecommuters a “Safe Computing Practices” guide for their home network. You should include things like requiring wireless encryption (for reference, two of my five wireless neighbors have unsecured wireless networks – just sayin’), acceptable antivirus and anti-malware controls (you scoff, but I know a guy who still insists that viruses are a myth created by antivirus companies just to sell you their software), and related controls. You will have to draw your own line in the sand on your expectations, but you should have some.

Don’t forget to take telecommuters into consideration during BCP/DR planning. Having a large telecommuting staff can help make a building or facility problem transparent, since the home workers may be able to continue to work effectively if the main facility/building is impaired. If “headquarters” is down, they can still potentially work semi-independently, take calls, send emails, and continue to support the organizational mission, especially if data center operations function correctly from an alternate site. Making sure that critical staff can still connect via cellular networking is a great step, but what do you do if you have a regional outage as a result of a tornado, flood, earthquake, wildfire, or some other related disaster? Part of the answer is probably that if it’s this bad you have other things to worry about. However, it is important that your organization maintains consistent operations– you need to be able to accommodate these displaced workers. Say you have 100 telecommuters in Los Angeles when an earthquake hits, and they have no power, no computers, no phones, and maybe no cellular support. How do you continue to provide those services? You need an alternate work plan, including location and staff planning, for all of these people, or your company operations are compromised.

Telecommuters do, after all, require special handling. Not because they are that special, but because they are just different enough to require special attention.. Well, I telecommute so I guess we are pretty special…

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.