Corporate use of telecommuters is on the rise. Office space is expensive. Some companies use telecommuting as a way of reducing office space, while others like the fact that a telecommuting workforce gives them more geographic flexibility when hiring. If you can reasonably manage one person in Cleveland, who is the perfect skill match for the job, why try to hire a more expensive, less skilled person Chicago headquarters? Some companies work with telecommuters for the simple reason that employees think it is a benefit. Eliminating a one-hour commute adds an hour to the workday, and benefits everyone.
Telecommuting is nothing new. It exploded in the 90s, and hasn’t stopped since. But the telecommuting landscape has changed. How? Just look at your house. Most homes have at least one PC, and a significant number of them have multiple. Many homes have wireless routers. Those wireless routers connect to an Xbox, a PS3, a Wii, an iPad, an iPhone, Android phones and other smart devices that support wireless. We also have media devices like a Slingbox, a Roku Digital Video Player, an Internet connected TV/blu-ray player, or other satellite/cable box. On that same network, there may be a wireless printer, a networked storage device, backup server, iTunes server, and/or movie server. A quick count of my own home network shows two wireless networks and 14 networked devices. In one sense, this reflects our connected, high-tech society. But as a security geek, I can’t help but think of this as a lot of entry points.
By now we should all have the basic telecommuting controls down: Telecommuters all VPN in to the corporate network through an encrypted tunnel, and use strong authentication such as an RSA token. If you are not at this point, you probably need to go back to Go. Do not collect $200.
Technically, there are exceptions, such as the case of distributed staff that require little centralized control and access. Perhaps you can get by with Outlook Web Access, and share work files through an outsourced cloud provider. This can be a reasonable business model. But, if you are in a business that requires open communication, and collaboration in a team environment, you may need to connect the users to each other, via a common network.
I hate to say it, but before you have telecommuters, you need some (ugh) policy about what telecommuting means. Do you have core work hour expectations? Clarify staff responsibility for protection of work-related information. Clarify personal use of corporate equipment and information. Clarify the use of personally-owned property for work purposes. Are you sure you want that telecommuter’s office space to be the same t space that his kids use to play Call of Duty? Beyond the basic “protections” you have the fiduciary controls. How much, if any, of the user’s Internet charges are you going to pay for them to telecommute? Some say “If they want me to work from home, they are paying for my Internet.”, while some companies respond, “Everyone already has Internet, so we are not paying for any of it.” Irresistible force meets immovable object.
As long as we have basic policy covered, we need to make sure telecommuters have what they need to do their jobs. The telecommuter needs a work computer. No, not a computer they can work on, a “work” computer, provided by the company. If it is a personally-owned computer you are completely at the mercy of the end-user – what antivirus and other security controls are they exercising, and better yet, are they good at? You would much rather the telecommuter use a company-provided computer, over which you have some real control. You control password, firewall settings, anti-virus, and other relevant controls with group policy settings. Be “Big Brother”.
For that matter, you should consider a company-provided printer, or multi-function device, if they need one. To some extent, you should be exercising the same configuration management for the telecommuter as you do for your in-office staff. Basic IT controls say you want to limit the variability in your networked environment to simplify troubleshooting. Having a problem printing? If you have a standard configuration we know exactly how that works. Otherwise, all bets are off. Already have a personal printer that you want to use? Fine – just make sure you know how you are going to connect to the printer and not the rest of the telecommuter’s home network. And, if your staff are printing any corporate private or proprietary information, it is a good idea to equip them with a crosscut shredder – do you really want them throwing that R&D plan or the third draft of your $7 million proposal in their household trash? (You probably don’t need to keep the shredder under configuration control).
Next, protect your corporate information. Enable a remote backup process so that distributed users are dynamically backed up to a centralized server. It can be batch, overnight or real-time, on-demand. Just back them up, and make it so that the distributed user does not have to do anything. Don’t rely on the user to copy information to a central repository, or to initiate a backup job.
You will probably want to help protect telecommuters from themselves. Most security geeks get it, but many “users” do not. If they do stupid things on their own network, it can expose their work computer to undue risk. Assume that the telecommuter’s home network is hostile. If they are connected to the enterprise via a VPN, you can make sure the VPN segregates them from their home network. But it is possible for that same user to connect to the outside world without using the VPN, and perhaps connect to their home network when the VPN is down. At the very least, most of these users have the ability to insert a created CD, DVD, or personally-owned flash drive into their work computer. Yes, this happens anyway, regardless of telecommuting or not. But, when the computer is home all of the time it is much easier and more common. To this end, some of these practices (use of personal information on work computers) should be covered by your policy. And for the rest, you can give the telecommuters a “Safe Computing Practices” guide for their home network. You should include things like requiring wireless encryption (for reference, two of my five wireless neighbors have unsecured wireless networks – just sayin’), acceptable antivirus and anti-malware controls (you scoff, but I know a guy who still insists that viruses are a myth created by antivirus companies just to sell you their software), and related controls. You will have to draw your own line in the sand on your expectations, but you should have some.
Don’t forget to take telecommuters into consideration during BCP/DR planning. Having a large telecommuting staff can help make a building or facility problem transparent, since the home workers may be able to continue to work effectively if the main facility/building is impaired. If “headquarters” is down, they can still potentially work semi-independently, take calls, send emails, and continue to support the organizational mission, especially if data center operations function correctly from an alternate site. Making sure that critical staff can still connect via cellular networking is a great step, but what do you do if you have a regional outage as a result of a tornado, flood, earthquake, wildfire, or some other related disaster? Part of the answer is probably that if it’s this bad you have other things to worry about. However, it is important that your organization maintains consistent operations– you need to be able to accommodate these displaced workers. Say you have 100 telecommuters in Los Angeles when an earthquake hits, and they have no power, no computers, no phones, and maybe no cellular support. How do you continue to provide those services? You need an alternate work plan, including location and staff planning, for all of these people, or your company operations are compromised.
Telecommuters do, after all, require special handling. Not because they are that special, but because they are just different enough to require special attention.. Well, I telecommute so I guess we are pretty special…
