Wednesday, September 22, 2021

Home Users: IT’s Cross to Bear

Home access to the corporate enterprise is on the rise, according to industry watchers. Gridlocked highways, skyrocketing fuel costs, and the desire for a better work/home life balance have employees clamoring to telecommute.

This sea change could mean big headaches for IT managers who are caught unprepared.

Chris Hernandez, senior network engineer at Holtzbrinck Publishers, LLC, in New York, N.Y., knows this first-hand. A year ago, a lax remote access strategy led to someone transporting a virus onto the corporate network. “It shut us down for a few days,” he says.

Today, Hernandez and his team have an aggressive program to train and support day extenders and home users. The program includes best practice guidelines and how-to brochures for setting up home machines.

Experts warn that companies need to be savvy about managing home users — especially if their industry falls under compliance restrictions, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Sarbanes-Oxley Act of 2002.

“Home users using their own computers pose the biggest risk to the corporation,” says Doug Neal, vice president of product management at iPass, a security software developer in Redwood Shores, Calif. “They are purchasing their own equipment with varying standards. They probably have the worst scenario: They may have no firewalls and use wireless networks. The threats in that environment are broad.”

He adds that always-on access provided by cable and DSL connections leaves these machines even more vulnerable.

On the flip side, some companies do not want the expense of buying and managing PCs for all their employees. Mark Gibbs, president of Gibbs & Co., a network consultancy in Ventura, Calif., says IT groups can spend as much as $5,000 to manage a $1,000 laptop. This can get pricey for a large enterprise. Add to this the fact that some employees don’t want the hassle of carrying a laptop home.

To adequately deal with the pressure to provide secure home access, IT groups should follow some basic guidelines.

Have a dedicated security guru managing home access.

Enterprises make the mistake of assigning IT support for telecommuter access to junior members of their security team, says Allen Gwinn, senior IT director at Southern Methodist University in Dallas. But remote access is one of the most critical parts of the network and should be handled by a senior security expert.

“The enterprise must have very, very good security management in place,” he says. “How secure your home access is is going to be directly related to how experienced the person is who’s managing it.”

Hernandez agrees. He says his security specialist determines how home users access the network. “He manages and monitors the firewall. If it’s being used in the wrong manner, he is the one to report it [to executives].”

The security manager should work with other departments, such as legal and human resources, to set policies and make sure users are compliant.

Study what your users need for access before giving them access

Gwinn says IT managers must carefully plan what parts of the network are going to be open to the real world. “What can you realistically support?” he asks. “You can go very simple or very complicated, but you need to do a complete assessment ahead of time.”

Gibbs says IT groups should work with corporate executives to determine who should be allowed home access based on what they’ll be doing. For instance, an HR manager updating staff records might not pose a threat, but a hospital administrator downloading patient files would be in violation of HIPAA regulations.

He adds that companies should set policies around these access constraints. “You can set privileges, access durations, and allowable behaviors,” Gibbs notes.

Companies should not be afraid to be too strict, either, according to iPass’s Neal. “I think it’s acceptable for companies to lay down policies that would restrict network access,” he says.

Develop a standard baseline for home computers

Companies allowing home access should develop minimal requirements for anti-virus software, firewalls and intrusion detection/protection systems, says Doug Faith, product manager at Fiberlink Communications Corp., a mobile software maker in Blue Bell, Penn. “It’s very important for IT organizations to maintain a level of governance around hardware, software and access methods,” he says. “They should develop a configuration that meets their compliance needs.”

Faith says creating a baseline gives IT groups a minimal level of control over the home user environment. “The majority of people working from home will want to know what to do — what the company recommends,” he says.

Hernandez has strict guidelines for home computer users. “I even tell them what version of Microsoft Internet Explorer and Windows to use,” he says. He adds that companies should streamline their operations to support these standards. For instance, he moved from a mixed Novell/Microsoft environment to a Windows-only platform. This helped in deciding what platform home users should employ.

Enforce the policies you’ve created

Hernandez warns that baseline standards are only useful if IT enforces them.

Although some companies require users to sign a document that outlines the terms of network access, experts warn these often do not cover regulations surrounding hardware and software. In fact, some users might agree to employ a firewall, but then turn it off if it becomes too cumbersome.

Hernandez says he uses automated tools from Fiberlink to guarantee hardware and software compliance. When a user tries to connect to the corporate network, his machine is checked to make sure that anti-virus, firewall and Windows patches are all up-to-date. If they aren’t, the link is quarantined and users are told what they need to do to comply with baseline standards.
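
The connect-time check described above, written out as an added example (not code from the article or from Fiberlink's tools). The baseline thresholds, the `Posture` report fields and the sample reports are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed baseline: these thresholds are assumptions, not values from the article.
BASELINE = {"max_av_signature_age_days": 7, "max_patch_age_days": 35,
            "firewall_required": True}

@dataclass
class Posture:
    """Report from a hypothetical endpoint agent at connect time."""
    user: str
    av_running: bool
    av_signatures: Optional[date]  # date of last signature update, if known
    firewall_enabled: bool
    last_patch: Optional[date]     # date of last Windows update, if known

def stale(when, today, max_days):
    # Fail closed: unknown or future-dated values count as out of date.
    return when is None or when > today or (today - when).days > max_days

def evaluate(p, today, baseline=BASELINE):
    """Return (decision, remediation steps shown to the user)."""
    todo = []
    if not p.av_running:
        todo.append("Start the approved anti-virus product")
    if stale(p.av_signatures, today, baseline["max_av_signature_age_days"]):
        todo.append("Update anti-virus signatures")
    if baseline["firewall_required"] and not p.firewall_enabled:
        todo.append("Turn the firewall back on")
    if stale(p.last_patch, today, baseline["max_patch_age_days"]):
        todo.append("Install pending Windows updates")
    return ("quarantine" if todo else "admit", todo)

TODAY = date(2021, 9, 22)
SAMPLE = [  # constructed reports
    Posture("alice", True, date(2021, 9, 20), True, date(2021, 9, 15)),
    Posture("bob", True, date(2021, 9, 21), False, date(2021, 9, 15)),  # firewall switched off
    Posture("carol", False, None, True, date(2021, 6, 1)),              # no AV, old patches
]

def run_sample():
    return {p.user: evaluate(p, TODAY) for p in SAMPLE}

if __name__ == "__main__":
    for user, (decision, todo) in run_sample().items():
        print(f"{user}: {decision}" + (" -> " + "; ".join(todo) if todo else ""))
```

The user who agreed to run a firewall and then switched it off ("bob") is quarantined with a single remediation step, which is the case a signed policy document alone does not catch.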

Train and support your users

Experts say the biggest mistake companies make is not training and providing help desk support for home users. They simply let them run amok until a crisis happens.

“If you consider all the initiatives on an IT manager’s plate, the last thing they want to deal with is the home user,” says Fiberlink’s Faith. “If a user does something wrong, IT simply shuts off their access. But the risks are so high that [providing training and support] is something they should think about foremost.”

Hernandez’s team creates a brochure of do’s and don’ts for home users. They also take advantage of everyone gathering for company conferences to do face-to-face training on new applications and standards in home access.

Companies should develop a safety checklist and review it with their employees, Neal says. “They should provide training across the board, a cheat sheet for common problems and even specialized training.”

In the end, experts agree that the more attention paid to home users, the less likely the company is to suffer a network mishap.
