Confident Cloud

Home working – getting the balance right

Created: 18 Dec 2012 • Updated: 03 Jun 2014 • 3 comments
Jon C

Home working was once the domain of the few, from teachers with stacks of exercise books, to executives taking home briefcases full of paperwork. In general, the ‘work’ was limited to what people could carry. Successive generations of technology, from portable laptops to cloud-based services, have all had an impact on what it has been possible to do at home.

Waves of home working

We saw the first wave of technology-driven home working in the 1990s, when the price of personal computers dropped to ‘just’ a few thousand pounds. Most computer-based work took place ‘offline’ with data transfers initially by diskette; then, with the arrival of laptops, documents and data were synchronised by plugging into the corporate network.

Reliable, adequate bandwidth signalled a second wave in home working, initially limited to data transfers via modems and using rudimentary email. The rapid growth of Internet capabilities and the arrival of broadband enabled home workers to carry out their activities and collaborate with their colleagues online, in real time.

But still, the model was largely to enable remote access to the office. By the turn of the Millennium, application service providers started to offer Internet-based services that could be accessed just as easily from the office or from the home. With the increasing availability of broadband, coupled with workable remote access tools, corporate IT managers had more of a choice about where IT facilities could be situated – signalling the third wave, and the dawn of cloud computing.

In the same time frame, mobile telephony moved from devices so heavy they could only be installed in cars, to the highly portable handsets we see today. With the kinds of services now available, social networking, tablets and no end of increasingly smart devices, the fourth wave is always on, and the boundary between home and work has all but disappeared.

Good for business?

Unsurprisingly, businesses are encouraging home working for one simple reason: buildings are expensive. In recent years organisations have been looking to increase how much their staff work from home. Some workplaces, such as Vodafone’s headquarters in Newbury, have a hotdesk-only environment for all but a core of essential (largely administrative) staff.

But while home working is cheaper, is it actually better for business? From a risk management perspective, the benefits have to be weighed against the costs of things going wrong. Each new technology has brought with it a wave of potential downsides, not the least in that it presents new security challenges that need to be understood and addressed.

Given the wealth of possibilities that technology makes available, the biggest challenge for many organisations is simply trying to understand what the issues might be. For example, are mobile phones a security risk? Should certain web sites be blocked, or only certain USB sticks authorised? What patches should be installed, and should home-working staff be expected to do this themselves?

Faced with such complexity, it can be difficult to see any other option than a draconian, ‘lock-it-all-down’ approach. Not only would this require a vast amount of effort, but it could also be ultimately counter-productive, as it restricts what workers can do at home. At the other end of the scale, and no less satisfactory, is to let home workers do what they want in the hope that nothing bad happens.

Finding a middle ground

Is it possible to find a satisfactory answer that balances the needs of home workers at the same time as keeping risks in check? The answer is yes, but with one caveat: that it is not possible to protect against absolutely every type of threat. A child knocking a computer off a table can cause as much damage as a rogue piece of malware deleting the content of the hard drive.

To square the circle we can consider protective measures in three areas: devices, data and services. First, just because we’re in a complex world, it doesn’t mean we should simply leave the technological doors wide open. There is still a place for having an up-to-date antivirus program running, for password protection of both computers and mobile devices, and for a straightforward acceptable use policy which sets out what can be done with corporate devices.

More important than the devices, however, is the data that they store. Even the smallest of businesses can build a picture of the different kinds of data it needs to conduct its activities: financial data, customer data, product data and so on. While devices may change, the data we are trying to protect remains relatively static; and every company has an obligation to ensure that it is managing such information in an acceptable manner. Devices, ultimately, are disposable and technologies exist to enable their ‘remote wipe’ to ensure any data they contain is rendered inaccessible if they are stolen.

Which brings us to services. Organisations can choose the tools they use to store, access and manipulate data, and in doing so, make decisions about risk. For example, using a Cloud-based customer relationship management tool requires due diligence about the service provider and whether it will protect the data it manages – the level of protection can be weighed against the alternative, of staff members storing local copies of customer data on their own devices. Equally important, however, is that the work force will be able to access the service from wherever they are.

So, yes, we are moving into a more complex world, with more choices about how we do things. It simply isn’t possible for any firm to keep up with the complexity. However, businesses can ensure that corporate devices have the minimum necessary level of protection in place and that managers have agreed with staff what constitutes ‘acceptable use’. They can make choices about the services they use, and balance the risks of online access versus local resources. And most of all, they can think about the data itself. New devices, new capabilities, new working practices will appear all the time but we can at least ensure that this, above all, is protected.

3 Comments

Rob.Wilcox

I think the last paragraph is worthy of a comment.

You mentioned 'corporate devices'.  In some organisations that too is blurred with many organisations supporting a 'bring your own equipment' stance when it comes to IT equipment.

Personally I'm not sure that I agree with that level of relaxation, but then I am also not sure I agree with mega-locked-down corporate devices too.  I have worked for some companies where you end up having to carry two smartphones around simply because the corporate body won't let you configure the corporate device to view your personal email (as well as the corporate ones)....  or take photos, etc, etc.

hforman

We still have users carrying two cell phones.  The latest "experiment" we did was to start BYOD with a single department.  We are a government agency so that should explain what happens next.  Most of the people refused to partake in BYOD even though they would be paid a stipend.  So now, it is not just being able to carry only one smart phone but also being paid to do so.  Why was adoption so poor?

The answer is in the data.  If the user is using Personally Identifiable Information (or PII) that data needs protection.  Maybe excessive protection or, at least, more protection than you can imagine.  If the data is governed by government regulation (here in the U.S. we have HIPAA for patient medical records, criminal records governed by CJIS and credit card information governed by DSS-PCI).  If you put this kind of data on a portable device and then lose that device or have it stolen, not only is your company/agency liable to contact each and every person whose records were on that tablet or smart phone, but you may have to pay a huge fine.  Add on paying for credit watch services for the data owner.

So, what do we do?  It seems Rob does not understand why we need "mega-lockdown" for the portable devices but I can tell you why.  You can't put company, clientele/constituent data on something that can be lost, stolen or easily hacked.  It is just NOT allowed.  Supposing it is YOUR data that can be found on a stolen phone?  Suppose that it is government secrets?  Supposing it is the home telephone number of some business or government official?  No, you don't have insurance to cover what can happen in this event.

So, why don't people want BYOD?  Simple.  If they misplace the phone, it has to be immediately remotely wiped clean.  The person doesn't realize that, if you are diligent about backups for the device, there is no big deal but people are lazy.  They also don't want to enter a code to get into their telephone. They don't want a lot of "inconveniences" of the "mega-lockdown".

I've been at places where you cannot walk out of the door without going through scanners and having all of your pockets checked and CDROM disks confiscated along with jump drives.  Where the PC you work on has no internet connectivity whatsoever nor any USB or serial ports.  But the average company knows that, if their data gets exposed, especially PII, then the cost to that company will be outrageous.  Just having the name of the company on the front page of a national newspaper.

Howie

 

rdbrooks

Great read =D
