Luddite’s New Target: Telecommuniting
Due to the recent high profile loss of many US Veteran’s personal information, some people are pointing their fingers at telecommuting. They are blaming the ability to bring work home as the culprit for an obvious information security failure. In this particular case, the personal information was taken from a stolen Veteran’s Affairs personnel laptop. Despite years of promoting teleworking by companies large (IBM and HP are some of the biggest fans of teleworking) and small, there are still groups of people who would like to prevent this from becoming mainstream, Luddite Mentality. There is this NetworkWorld article on groups defending telecommuting and why this new attack on telecommuting is ridiculous:
“It’s a perfect example of how telework gets a) instantly blamed and b) held to a higher standard than anything else. The problem was a stupid employee, it had nothing to do with telework,” says consultant Gil Gordon of Monmouth Junction, N.J.
The problem with telecommuting is that there really are “stupid” people and, at times, people can be “stupid”. Even you and me can become “stupid” at times. Admit it! However, this is still no reason to blame telecommuting as a whole. It is like generalizing that working at the office is not efficient because there are certain cases where employees have low productivity. This is just a case of misdirected cause and effect. However, this is not saying that the current telecommuting practices are all sufficient. What we, as information security professionals, can do is devise ways and means of making these systems and practices more secure … especially systems that you take out of the office. As long as information taken out of corporate control, there will always be a risk of lossing it. This is true to any case even one that does not involve telecommuting. If you take a proposal to a client’s office there is always a chance it will get stolen along the way or even destroy by nature (rain). These are the risks we have to factor in. It is just a matter of measuring the gains and risk of telecommuting. Here are some common practices that can be implemented:
- Control information. Information taken out of the office must be properly controlled and tracked. There should be accountability for information taken out of the office.
- Have contingencies in place. Policies and procedures must be in place in the event that a laptop or other telecommuting system is lost.
- Use remote access. Some companies have even resorted to remote access solutions that don’t allow confidential information to be stored on client systems. Client systems are only remote access terminals. They just have a procedure to disable remote access in the event of lost.
- Protect confidential information. Password protect them when possible. For example, some email clients like Mozilla Thunderbird and Mozilla Firefox have master password settings that can protect the entire mailbox and other things. Crypto software such as PGP can be used to protect individual files. For the really paranoid, additional file system protect can be put in place.
- Use physical security. Use locks, biometrics devices and other devices that can protect your remote access device.
There are many more ways of protecting oneself from possible information theft while telecommuting. But, the best way is always vigilance and constant review of information security practices and procedures.
