Mitigating Telework Security Risks – Strategies to Protect the Organization

By John Sobczak

Initially considered an employee perk, telework is now treated as a business strategy by many organizations, with 35% of the global workforce projected to work outside the traditional confines of an office by 2013. Today, more than one billion people worldwide qualify as remote workers, or teleworkers, according to the IDC Worldwide Mobile Worker Population 2009-2013 Forecast. Spurred by the pervasive adoption of mobile technology and the increase in bandwidth to both homes and personal devices, teleworkers are now performing a wider variety of jobs in an array of settings.

While staff gain the ability to work anytime, anywhere, on any device, employers are increasingly opening their organizational, customer, and personnel data to risk. Threats range from the insidious, such as hackers gaining access through unsecured connections, to the seemingly benign, such as the loss of a storage device containing critical information.

For a simple exercise, Google the words: “Laptop Data Breach.” The results are frightening.

The number of data breaches is staggering. Just one example: from 2008 through 2010, nearly 106 million records were lost on portable devices alone according to the Privacy Rights Clearinghouse. Laptops and USB drives enable employees to take large data files out of the office to work at home, on vacation, and even in remote offices. They also create a security nightmare.

Government agencies, banks, hospitals, universities, and large systems integrators are all losing personally identifiable information (PII) that they are entrusted to protect. If these types of organizations are vulnerable, nearly every organization is – and everybody should be concerned because your information is at risk. This breach of information can result in an instant loss of credibility in the eyes of employees, customers, and the public, not to mention the possibility of a lawsuit. This type of publicity can damage your organization for years.

Fortunately, protecting your information can be accomplished with technology that is readily available and proven across all different types of environments. By understanding potential threats and all viable solutions available in today’s market, you can develop your own strategy for attaining the benefits of telework, while increasing your security posture in the process.

Protecting Portable Devices

Since the majority of organizations use laptops or other portable devices, let’s focus on these solutions first. Portable devices accounted for roughly 37% of all data breaches from 2008 through 2010 (Privacy Rights Clearinghouse). While these devices are easy to carry, they are equally easy to lose or steal. There are three very simple solutions every organization should be using to protect all portable devices with any sensitive data:

  • Encryption – encrypt all devices: all laptop hard drives and all USB storage drives with encryption software, and the network connection to your organization with a VPN solution. Solutions such as WinMagic or TrueCrypt are readily available for hard drives and USB devices, while many companies such as Cisco, Juniper, Citrix and F5 provide VPN technology.
  • Multi-factor authentication – use an additional method of authentication besides a password as a second factor. Solutions on the market today include smart cards, tokens, biometrics, and PIV cards.
  • Maintain updates – keep OS patches, virus protection, and malware scanners up to date. It is important that critical patches get applied immediately to systems and that systems that are not in compliance are found and remediated.

In most laptop data breaches, the first two will prevent any data from ever being seen, and the third helps prevent hackers from breaking into your system when you are online.
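
The three controls above can be checked mechanically against a device inventory so that non-compliant systems are found and queued for remediation. The following is an added example, not part of the original article; the inventory fields, host names, dates, and the 30-day patch and 7-day signature thresholds are assumptions chosen for illustration.

```python
from datetime import date

# Assumed policy thresholds in days (not from the article).
MAX_PATCH_AGE = 30
MAX_AV_AGE = 7

# Constructed sample inventory; hosts and field names are hypothetical.
INVENTORY = [
    {"host": "lt-001", "disk_encrypted": True, "usb_encrypted": True, "vpn_enforced": True,
     "mfa_enrolled": True, "last_patch": "2011-03-20", "av_signatures": "2011-03-30"},
    {"host": "lt-002", "disk_encrypted": False, "usb_encrypted": True, "vpn_enforced": True,
     "mfa_enrolled": True, "last_patch": "2011-01-15", "av_signatures": "2011-03-29"},
    {"host": "lt-003", "disk_encrypted": True, "usb_encrypted": True, "vpn_enforced": True,
     "last_patch": "2011-03-25"},  # MFA status and AV date never reported
]

def audit_device(dev, today):
    """Return a list of findings for one device; an empty list means compliant."""
    findings = []
    # Control 1: encryption of drives, USB storage and the network connection.
    for field, label in (("disk_encrypted", "hard drive not encrypted"),
                         ("usb_encrypted", "USB storage not encrypted"),
                         ("vpn_enforced", "VPN not enforced")):
        if dev.get(field) is not True:  # missing data fails closed
            findings.append(label)
    # Control 2: a second authentication factor besides the password.
    if dev.get("mfa_enrolled") is not True:
        findings.append("no second authentication factor")
    # Control 3: OS patches and virus/malware protection kept up to date.
    for field, limit, label in (("last_patch", MAX_PATCH_AGE, "OS patches"),
                                ("av_signatures", MAX_AV_AGE, "antivirus signatures")):
        raw = dev.get(field)
        if raw is None:
            findings.append(f"{label}: never reported")
            continue
        age = (today - date.fromisoformat(raw)).days
        if age > limit:
            findings.append(f"{label}: {age} days old (limit {limit})")
    return findings

def audit_inventory(inventory, today):
    """Map each non-compliant host to its findings, ready for remediation."""
    return {d["host"]: f for d in inventory if (f := audit_device(d, today))}

if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY, date(2011, 4, 1)).items():
        print(host, "->", "; ".join(findings))
```

A device that never reports a field is treated as non-compliant, so gaps in the inventory surface as findings instead of passing silently.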

Protecting Data

Rather than providing laptops to teleworkers, one emerging security option is to centralize user desktops using Virtual Desktop Infrastructure (VDI) solutions such as Terminal Services, VMware View or Citrix. Using VDI as a telework solution gives you greater control of desktop security by allowing your administrators to centrally manage patching, and it keeps sensitive data on your network instead of on laptops that can be stolen. Other security-related benefits include centralized backup and recovery of desktops, logging of all traffic to and from desktops, and the ability to easily monitor installed software on desktops, since they are always on the network.

Teleworkers are able to access their workstations through a portal – such as the Citrix or VMware SSL secured websites – using their own computers and devices or organization-issued devices such as repurposed laptops or iPads.

Full Scale Telework Protection

Potentially the most secure option is to combine these two approaches: implement a VDI environment and use an organization-issued, purpose-built USB drive as a secure remote access point that can be used on any computer.

These encrypted USB drives can use multi-factor authentication and your organization’s VPN solution to access the VDI environment securely from any device with a USB drive. Users boot directly from the USB drive itself, bypassing the host operating system, so that there is no risk from malware, viruses, or any other security problems that may be present. This approach allows employees to use any PC as a trusted access point to their virtual desktop. These solutions come in many varieties and can offer additional security benefits such as:

  • Non-persistent data
  • Integrity checking
  • Built-in firewalls for whitelisting and blacklisting
  • No trace of data on the PC utilized by the employee

Bottom line, your workforce can work anywhere they can get access to the internet without risking your data or your environment.

Putting It All Into Practice

Every organization has unique security requirements and policies that must be followed for telework. A telework security policy defines and documents what forms of remote access your organization will permit, types of devices, how provisioning is handled, and your remote access solution design.

Lastly, before implementing a solution, you should perform a pilot, or proof of concept, to evaluate connectivity, authentication, management, logging, performance, and user impact. Most solutions on the market today are available for demos and pilot tests. Work with your solution providers to determine the best possible solution for your environment and policies.

Executed appropriately, a defined telework strategy eliminates existing vulnerabilities, strengthens your organization’s overall security posture, and yields previously untapped benefits.

IDC Worldwide Mobile Worker Population 2009-2013 Forecast, http://www.idc.com/getdoc.jsp?containerId=221309

IDC press release, http://www.idc.com/getdoc.jsp?containerId=prUS22214110

Privacy Rights Clearinghouse, http://www.privacyrights.org/data-breach/new

Ibid.

About the Author

John Sobczak is the Director of Govplace.