One of the potential nightmares of teleworking is ensuring that all these people who sit at home, or in satellite offices far from the company’s central location, can connect to the facilities and services they need without compromising the security of the corporate network. Fortunately, it’s not a difficult problem to overcome.
Install virus protection on both the remote PCs and the key servers in the central office. Belt-and-braces is the order of the day. If someone only works a couple of days a week at home, their anti-virus software may be out of date from time to time. As a result, although it will catch most viruses, you can’t be absolutely safe. The remote PC should automatically update its virus signatures at least daily and your office-based systems should check for new signature files several times a day (once an hour isn’t unreasonable).
The remote connection
You have a number of choices with the remote connection, of which the main two are: direct dial-up and VPN. The option you go for doesn’t particularly matter, but remember:
- Choose a system that authenticates with your corporate directory service, instead of having its own username/password tables. The fewer things you have to administer, the less likely the user IDs are to be out of date. After all, it’s easy to implement a company-wide regular password change policy.
- Use one-time passwords where you can – SecurID tags or something similar. If you’re serious about security, boring old username/password exchanges are no good.
Make sure your computer usage policy is up-to-date and everyone signs up for it before they’re allowed to telework (note: this doesn’t just mean a policy for teleworkers, it means an overall policy covering every facet of company computer use). Unlike your office systems, home workers' computers are open to abuse by domestic thieves, spouses, children and dogs.
You’ll probably want to restrict usage of the connection into the company network to only your employee. It’s fair to hand the onus for enforcing the remote end of the policy to the employee. Get the company lawyers in and make it foolproof, or you’ll leave yourself open to (for instance) questions of why you allowed someone’s ten-year-old to access pornography over your corporate Internet connection. Once you have a policy, implement it fairly but unwaveringly. People will take the time to conform if they know that you care enough to enforce the policy.
If it moves, log it. If it doesn’t move, log it anyway because it might start moving one day. You should be logging your corporate network usage for both capacity planning and management reporting anyway, but in a world where a manager can’t look over someone’s shoulder and see that they’re playing Quake all day, such information is essential.
If you’re putting equipment in employees’ houses, make sure you assess the value and insure the kit if you think it is of sufficient worth. Remember, their home policies probably don’t cover equipment that’s used for business, so if you’re giving them £500 worth of firewall and £2,000 worth of computer, you need to at least consider the risks of it not being in your office with a burly guard at the front desk all night.
If you’re asking people – and paying them – to work at home, it’s an extra complication for your support people. Your support costs will inevitably grow if you want to have teleworkers. No longer can support staff simply stroll down a couple of floors from their grotto to the user’s desk. Weigh the costs of supporting someone’s home PC against the costs of buying them a computer, setting it up with your standard software and giving it to them to take home (hint: the latter will probably work out cheaper in the end). Consider also the hours that people are working at home – particularly if you’re letting someone telework so they can fit around childcare requirements – and think about them in the context of the hours that the support team work.
Give particular attention to the training of your support team. Every call they get from a remote worker will be “urgent”. The remote person will need an instant solution because human nature makes them think “We’ll look into it and call you back” really means “So long, sucker”. Condemn quick-fix solutions from the start – support people must deal with remote workers just as they do office-based employees.