Teleworkers Know (And Ignore) Security Risks, Study Says
Courtesy of Information Week

OCTOBER 10, 2006 | The majority of telecommuters are aware of the
security dangers that go along with using mobile devices and remotely
logging onto their employers' networks, yet their behavior for the
most part contradicts this awareness, according to a study issued
Monday by Cisco Systems and research firm InsightExpress.

Of 1,000 teleworkers contacted across 10 countries, more than one of
every five allows friends, family members, or other non-employees to
use their work computer to access the Internet. The top five
justifications for doing this were that workers didn't see anything
wrong with it, their company didn't mind, they didn't think that
letting others use company-issued computers increases security risks,
they doubted their company would care, and their co-workers did it
too.

About one-third of the teleworkers admitted using work computers for
personal computing, while nearly half of the respondents indicated
that they download personal files onto their work devices. One of
every four remote workers surveyed indicated they open unknown E-mails
when using work devices.

Despite this risky behavior, don't expect companies to corral their
remote workers anytime soon. Telecommuting and remote access are "an
unstoppable force, so we have to build security for it," says Bob
Gleichauf, CTO of Cisco's security business unit. This means security
has to be taken out of the hands of end users as much as possible.
Security in the future has to be "security out of the box, building
security into processes and technologies," he adds.

It may not be security out of the box, but Driscoll Children's
Hospital in Corpus Christi, Texas, does keep close tabs on its
teleworkers to head problems off at the pass. The hospital relies on
Microsoft Windows Server 2003 Terminal Services or a virtual private
network to deliver secure access to staff that works from home and to
workers at different clinics across 33 counties that the hospital
serves. Of the thousands of health-care workers at Driscoll and this
network of clinics, only about 80 require this sort of remote access,
but even a handful of remote users improperly managed can expose the
health-care facility's IT systems to a virus, spyware, or a data
breach.

Teleworkers "present an interesting twist to security," says James
Ballou, Driscoll's HIPAA security officer and IS security specialist.
Ballou's response is to give most teleworkers access through Terminal
Services to only the applications and information they need. Other
users, mostly at the administrative level, who require more
flexibility, can access their applications and data via a VPN.

Driscoll audits workers' laptops three times each week to make sure
there's no contraband software installed--such as iTunes or games--
and to check for malware. "If we find something that shouldn't be on
the computer, we'll go to that person and talk to them," says Ballou,
who adds that he's never seen a worker dismissed from the hospital as
a result of this sort of cyber contraband. "We have good policies in
place and good ways to enforce them."

The security challenges that Ballou faces are a lot like those his
counterparts face worldwide. The Cisco study, fielded by research
firm InsightExpress from July 28 to August 13, 2006, included
responses from more than 1,000 teleworkers in Australia, Brazil,
China, France, Germany, India, Italy, Japan, the U.K., and the U.S.
Workers who were surveyed connect remotely to their employers'
networks at least a few times per year using a PC, laptop, or mobile
device provided by the employer.

Among the countries included in the survey, China had the greatest
percentage, 78%, of respondents who said they were aware of security
when working remotely. Yet Chinese respondents were also the most
likely to use their work computers for personal reasons, open E-mails
from unknown senders, allow others to use their work computers, and
download personal files to their work computer.

Cisco commissioned the study because "so much of security is about
better visibility into your user community," Gleichauf says.
"Companies have (security) policies that help them sleep better at
night but that don't reflect reality." The global scope of the survey
also provides a perspective on the way other cultures work. IT
management can either adapt to these methods or try to change them,
but they can't do either if they're not aware of them.

Companies have to think twice before they allow security measures to
erect barriers around mobile devices that make their workers more
productive, Gleichauf says, adding, "it's the job of the security
people to enable the business and protect it from failure but not
become a barrier to competitive efficiencies."