Home access to the corporate enterprise is on the rise, according to
industry watchers. Gridlocked highways, skyrocketing fuel costs, and the
desire for a better work/home life balance have employees clamoring to
telecommute.
This sea change could mean big headaches for IT managers who are caught
unprepared.
Chris Hernandez, senior network engineer at Holtzbrinck Publishers, LLC,
in New York, N.Y., knows this first-hand. A year ago, a lax remote access
strategy led to someone transporting a virus onto the corporate network.
”It shut us down for a few days,” he says.
Today, Hernandez and his team have an aggressive program to train and
support day extenders and home users. The program includes best practice
guidelines and how-to brochures for setting up home machines.
Experts warn that companies need to be savvy about managing home users —
especially if their industry falls under compliance restrictions, such as
the Health Insurance Portability and Accountability Act (HIPAA) or the
Sarbanes-Oxley Act of 2002.
”Home users using their own computers pose the biggest risk to the
corporation,” says Doug Neal, vice president of product management at
iPass, a security software developer in Redwood Shores, Calif. ”They are
purchasing their own equipment with varying standards. They probably have
the worst scenario: They may have no firewalls and use wireless networks.
The threats in that environment are broad.”
He adds that always-on access provided by cable and DSL connections leave
these machines even more vulnerable.
On the flip side, some companies do not want the expense of buying and
managing PCs for all their employees. Mark Gibbs, president of Gibbs &
Co., a network consultancy in Ventura, Calif., says IT groups can spend
as much as $5,000 to manage a $1,000 laptop. This can get pricey for a
large enterprise. Add to this the fact that some employees don’t want the
hassle of carrying a laptop home.
To adequately deal with the pressure to provide secure home access, IT
groups should follow some basic guidelines.
Have a dedicated security guru managing home access.
Enterprises make the mistake of assigning IT support for telecommuter
access to junior members of their security team, says Allen Gwinn, senior
IT director at Southern Methodist University in Dallas. But remote access
is one of the most critical parts of the network and should be handled by
a senior security expert.
”The enterprise must have very, very good security management in
place,” he says. ”How secure your home access is is going to be
directly related to how experienced the person is who’s managing it.”
Hernandez agrees. He says his security specialist determines how home
users access the network. ”He manages and monitors the firewall. If it’s
being used in the wrong manner, he is the one to report it [to
executives].”
The security manager should work with other departments, such as legal
and human resources, to set policies and make sure users are compliant.
Study what your users need for access before giving them access
Gwinn says IT managers must carefully plan what parts of the network are
going to be open to the real world. ”What can you realistically
support?” he asks. ”You can go very simple or very complicated, but you
need to do a complete assessment ahead of time.”
Gibbs says IT groups should work with corporate executives to determine
who should be allowed home access based on what they’ll be doing. For
instance, an HR manager updating staff records might not pose a threat,
but a hospital administrator downloading patient files would be in
violation of HIPAA regulations.
He adds that companies should set policies around these access
constraints. ”You can set privileges, access durations, and allowable
behaviors,” Gibbs notes.
Companies should not be afraid to be too strict, either, according to
iPass’s Neal. ”I think it’s acceptable for companies to lay down
policies that would restrict network access,” he says.
Develop a standard baseline for home computers
Companies allowing home access should develop minimal requirements for
anti-virus software, firewalls and intrusion detection/protection
systems, says Doug Faith, product manager at Fiberlink Communications
Corp., a mobile software maker in Blue Bell, Penn. ”It’s very important
for IT organizations to maintain a level of governance around hardware,
software and access methods,” he says. ”They should develop a
configuration that meets their compliance needs.”
Faith says creating a baseline gives IT groups a minimal level of control
over the home user environment. ”The majority of people working from
home will want to know what to do — what the company recommends,” he
says.
Hernandez has strict guidelines for home computer users. ”I even tell
them what version of Microsoft Internet Explorer and Windows to use,” he
says. He adds that companies should streamline their operations to
support these standards. For instance, he moved from a mixed
Novell/Microsoft environment to a Windows-only platform. This helped in
deciding what platform home users should employ.
Enforce the policies you’ve created
Hernandez warns that baseline standards are only useful if IT enforces
them.
Although some companies require users to sign a document that outlines
the terms of network access, experts warn these often do not cover
regulations surrounding hardware and software. In fact, some users might
agree to employ a firewall, but then turn it off it becomes too
cumbersome.
Hernandez says he uses automated tools from Fiberlink to guarantee
hardware and software compliance. When a user tries to connect to the
corporate network, his machine is checked to make sure that anti-virus,
firewall and Windows patches are all up-to-date. If they aren’t, the link
is quarantined and users are told what they need to do to comply with
baseline standards.
Train and support your users
Experts say the biggest mistake companies make is not training and
providing help desk support for home users. They simply let them run amok
until a crisis happens.
”If you consider all the initiatives on an IT manager’s plate, the last
thing they want to deal with is the home user,” says Fiberlink’s Faith.
”If a user does something wrong, IT simply shuts off their access. But
the risks are so high that [providing training and support] is something
they should think about foremost.”
Hernandez’s team creates a brochure of do’s and don’ts for home users.
They also take advantage of everyone gathering for company conferences to
do face-to-face training on new applications and standards in home
access.
Companies should develop a safety checklist and review it with their
employees, Neal says. ”They should provide training across the board, a
cheat sheet for common problems and even specialized training.”
In the end, experts agree that the more attention paid to home users, the
less likelihood the company will suffer a network mishap.