Who would have guessed that telecommuting would get beyond talk for those dependent on IT to get their jobs done? With computing now mobile and offsite, e-security requirements abound. It's now time to practice safe computing for everyone from CEOs to programmer-analysts working online and offsite.
This rubber-to-road realization was caused by new technology capabilities and the work-style efficiencies they support. An American Management Association (AMA) telecommuting survey conducted in November 1999 found that out of 1,265 respondents, only 23% work from regular office locations. Fifty-seven percent work at home before or after regular office hours, 14% work at home occasionally during office hours on no fixed schedule, 2% work at home one or more days per week on a regular schedule, and 1% work at home full time. Major telecommuting problems focused on communication with colleagues, superiors, and subordinates.
What is the new e-security dilemma? It's about safely introducing digital subscriber line (DSL) and other broadband communication technologies to make telecommuting easier, faster, and more available. DSL, designed for use on existing copper telephone lines, is becoming very popular due to relatively low residential cost, an "always-on" high-speed connection, and broadband features (i.e., multiple channel capability, such as high-speed Internet access with telephone available on the same line).
Another broadband residential alternative gaining popularity is cable network access with high-speed Internet interactivity and an expanding portfolio of communication and networking services. Integrated business and "personal" e-security problems
With new technologies comes a new set of e-security challenges. DSL and other broadband consumer technologies are becoming open game for hackers facing an ever-tightening organizational security net. "Always-on" Internet access, combined with ignored or poorly assigned personal software security settings (for example, not disabling the shared file feature in Windows), opens the door for hackers to jump in and gain access to organizational networks under the guise of legitimate employee access. For high-level telecommuters previously considered to be trusted sources, telecomputer threats can now far exceed those currently encountered.
The worrisome mixture of corporate corroboration and personal preference resulting from escalating Internet service provider (ISP) and other broadband selection options is the motivating factor for increased telecommuting e-security. Respondents from the AMA study noted above reported that 58% of those teleworking were either loaned the necessary equipment to telecommute, the equipment was purchased for them, or telecommute expenses were shared with their employer. In other words, 42% telecompute on personal technology. Even with corporate ownership, working offsite is too often "out of site, out of mind."
Which ISPs provide access and security services (if any) can be a function of employer or personal preference. Add the requirements for various security levels associated with employee position, content criticality, and telecomputing characteristics, and new standards for offsite, machine-based e-security are mandatory. A solution is to install offsite procedures.
New motivations for big league "trackers"
A variety of online, offline, and pay-to-access databases are available for hackers to piece together high-value individuals who are likely to be telecommuting. They can check company Web sites for corporate officials. Bios are often available containing details regarding personal history and follow-up information. Hackers (in this case I'll call them "trackers") can quickly identify residential home telephone numbers (listed or unlisted) and remotely crack a potentially high-value system. When we say high value, we're not talking solely about financial accounts, credit cards, and other personal asset information subject to sale or use. Corporate secrets, projects, plans, and correspondence can also yield a hefty price on the corporate espionage market.
For professional-level telecommuters such as programmers and analysts, the theft of source code and other software engineering property could cause significant losses for employers. (Look out for mutations of undercover computer access software such as Gnutella or Napster on the Net in the near future!). A fact of corporate life
Telecommuters and telecomputers are becoming a fact of corporate life in the United States and in Europe. Two parties now present e-security threats--the user and
the machine. The user is associated with errors of commission (active, purposive security breaches) and omission (failure to maintain effective security software settings on the machine). The machine can pose e-security problems involving unauthorized user threats and misconfiguration vulnerabilities.
Now an integrated team, telecommuters and telecomputers are expected to achieve productivity levels rivaling that of the typical office environment. This is a significant security threat, viewed often by IT departments as the tail (client) end of e-security. Be advised that this escalating threat is destined to cause more risk than those dangers surrounding intranets, extranets, and virtual private networks (VPNs). // Dr. Martin Goslar Ph.D. is principal analyst and managing partner of E-PHD.COM, an e-security analysis and intelligence firm. He is on the editorial board of the
International Journal of Electronic Commerce and can be reached at Comments@E-PHD.COM
. E-security--it's not just for corporate offices anymore For organizational telecomputers (whether employees, contractors, or clients), take the following steps for offsite e-security:
-- Identify personnel telecomputing levels
(e.g., 50%+, >25%, >10%).
-- Evaluate Internet access resources for telecomputing e-security threats (e.g., ISP, DSL provider, cable services provider).
-- Review interactions among steps 1 through 3 to create telecomputer e-security requirements.
-- Install/recommend computer e-security software that maintains security from the outside in. Establish e-security requirements by:
-- Employee level (i.e., executive, managerial, professional, clerical, contractor, etc.).
-- Content level (e.g., secret, confidential, internal, public).