Out of Sight, Out of Mind? Security and the Home-Based Worker
Jul 21, 2009 4:00 AM PT
Everyone knows the old adage that "out of sight" is "out of mind." There's quite a bit of truth to it. It's a facet of human nature that things that are directly in front of our face get noticed, while things that are out of our scope of awareness don't.
Seems pretty obvious, right?
In fact, it is obvious -- or at least intuitive. However, for those of us who care about and manage information security for the companies that we work for, this seemingly obvious (and, frankly, seemingly unimportant) nugget of information about human behavior can be quite a stumbling block for us if we let it. In fact, this one principle can quite literally be the critical factor between successfully meeting our security goals and not meeting those goals.
Why? Because there's at least one area where the folks that are the most "out of sight" in our security ecosystem are also the very same folks that need to be most "in mind" -- i.e. where the people we tend to think about least really should be getting the lion's share of our attention and diligence. Those folks are remote workers -- the "telecommuters" that either work from home or spend a large amount of their time on the road.
Ignoring the remote worker is probably one of the worst mistakes a security professional can make (understandable though it may be to do so), both because there are an ever-increasing number of them, and also because they might not be playing by the same rules as folks in our firms' offices.
A Growing Trend
In order to understand why this topic is so critical, it's important to understand that the telecommuting trend is on the rise -- a very steep rise. Quite literally, there are more and more home-based workers every day.
As we all know, economic conditions are tough out there right now -- and as employers feel the pinch, they're looking for ways to spend less. Employers realizing the economic benefits of teleworking are more and more likely to jump on the already-full bandwagon.
We've all heard that teleworking saves on facility costs. In the past, increased expenditure in networking and telecom for home-based employees has more or less offset the cost savings associated with reduced facility overhead. Now, though, as telecom and networking costs are further and further reduced, these historical barriers get lowered or removed.
Nowadays, from an economic standpoint, the remote employee is all upside: decent cost-savings today with the promise of even better savings down the road. Couple the economic benefits with the well-documented "soft" benefits like increased employee retention, better employee productivity, removal of relocation requirements for new hires (allowing more options at hiring), and you have a recipe for a pretty serious trend.
So while your organization probably already has a fair number of these folks now, anticipate the growth curve, and it's not hard to envision a future where most -- or all -- of your firm's employees might be based at home.
Decentralization of Control
If, like the typical enterprise, you have a growing number of employees based at home, what does that mean from an information security perspective? You might not think so, but it can be a game-changer.
At the same time that more and more employees are working from home, there's also increasing scrutiny and regulation defining what controls you need to employ to protect the data in your stewardship. So while you move to a model of increasingly decentralized control, the impact of control failure is increasing.
Think about it another way: These home workers need to work with much of the same sensitive, confidential, and potentially regulated data that your office-based workers do. In most cases, there's federal or state legislation that governs how they need to control and protect that data. However, you might not have the same assurances with the home-office workers that you do with office-based ones.
For example, in an office context, you have some assurance about how employees access data. You know, for example, that they're located inside a building with locks on the doors that's closed off at night. You know that the file systems where they store data are protected. You know that the network they're using to access data is (mostly) trustworthy. In an office context, you can be pretty certain that the computing devices your staff use are owned by your firm and managed by your technology staff.
What assurances do you have for home employees? Maybe home-based folks access medical records from the local coffeehouse. Maybe they like to do their work at the local fast-food joint -- and that's where they access all those customer banking records. Maybe they use the family PC to access data, saving sensitive documents to untrusted PCs that may or may not have virus protection, may or may not have user access controls (like passwords), and that may or may not be riddled with malware.
Do you have any assurance that they're not doing any of those things? Maybe you've told them not to, but telling someone not to do something (and trusting that they're not) is quite different from having "assurance."
In point of fact, you don't have assurance, and not having assurance can be pretty scary.
Stop Being Scared, Start Getting Prepared
It's scary because, as the security manager, it's your head that's going to roll if something goes wrong. Since it's your job to anticipate any unexpected gotchas ahead of time and take precautions, you're where the buck stops. So how do you get in front of potential issues? How do you make sure that remote workers aren't doing things that are going to come around and bite you in the future?
The easiest way to start is to think through ahead of time what permutations of access to data are acceptable in a remote-work context and which are not.
Define ahead of time where it's acceptable for folks to access data from, where it's acceptable to store it to, and what sets of controls are required when accessing data. Whatever you decide, it's important that you think it through from the get-go. Why? Because your home workers aren't going to come to you for approval first when they want to get their work done. Sure, they'll toe the line with what you say is acceptable, but they're really not likely to go out of their way to ask permission before accessing data via a new channel.
Additionally, understand that there are enough permutations of how your employees might access data that you probably won't anticipate them all. So make sure that you get all these folks on the same page regarding what your data security expectations are. That way, when you miss something, they'll know enough to evaluate it for themselves and (more often than not) make the right decision. Most employees want to do the right thing -- and they're more likely to do it if they understand what the right thing is and why. Fully document what is and isn't acceptable and publish it -- saturate them with it. Spam them with it until they start to complain about getting it too much -- and then spam them with it some more. By making your message clear -- and ubiquitous -- you're more likely to instill the right behavior.
Also, don't forget that human nature is to lessen your awareness of the folks you don't see every day -- even though they're the folks you should be paying most attention to. Human nature, powerful though it is, isn't always the best path.
Ed Moyle is currently a manager with CTG's information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner of Security Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development.