Every time I sit on a panel, give a speech, or host a webinar, I invariably get asked about the data security risks of allowing employees to work from home or other remote locations. I find this to be a very interesting topic, but it has little to do with telework, per se. The issue of data security is very relevant and very serious. Groups ranging from pranksters on one end of the spectrum to foreign intelligence services on the other and a whole host of malicious actors in between are probing, testing, and, sorry to say, getting into your systems and data every day.
I don't care who you are and how much you spend on your security systems; someone can beat them (and probably has). Earlier this year, the Department of Defense (DoD) disclosed that both DoD unclassified and classified networks were infiltrated in 2008, causing DoD to ban the use of all portable USB memory sticks for a time. In releasing this previously classified information, Deputy Secretary of Defense Bill Lynn said that part of his motivation to make the information public was to help people understand how serious this issue had become. You can read more about this in his article in Foreign Affairs or in the New York Times article on the disclosure.
I received some additional proof that DoD is taking this very seriously at a conference the other day. I attended a panel on cybersecurity and the internet, and the panel had two industry folks, one person from the Department of Homeland Security, and an executive from the National Security Agency (NSA). Yes, NSA, in public, on the record, talking about how they are trying to cooperate with industry to address this problem. I think it's the first time I ever saw anyone from NSA in a room with windows. While I applaud DoD leadership for their efforts, it's a clear sign that this is a big problem.
So if security is such a critical issue, why would we let anyone work from a less secure location? The answer, it turns out, is that hackers don't care if you are at your office, in a hotel, at home, or sitting on the beach. Unless your computer system is physically separated from the Internet (what the techies call an "air gap"), some hacker will find a system vulnerability or other flaw in your security and exploit it.
So the issue is not where you work, but how you work that creates the vulnerabilities. Do you have the latest security updates? Are you saving sensitive data to your hard drive or some other removable media? When you have a good telework policy and proper training for your teleworking employees, you minimize these opportunities for hackers to get in. When we talk to IT security managers about the technical risks of telework, they often say it's the unofficial teleworking that keeps them awake at night. It is the guy who forwards his work e-mail to his personal account, or downloads it all to a flash drive because the organization won't give him secure remote access from home and his boss needs that report at 8am tomorrow.
If you want to keep the network secure, the best approach is not to try to lock everyone in the office, but rather to have good security policies and training for all of your employees. The tools and systems to allow secure remote access to your systems are not only available, they are very inexpensive and help you prevent the really dangerous informal remote work that goes on in most workplaces, regardless of policy. Teleworkers often are more security conscious than office workers because they have been better trained and equipped.
I would love to hear from some IT security managers as well as others who have some input on this issue.