Teleworking causes serious security threat

In the wake of the hack into Microsoft's network, many security administrators have turned their attention to what some believe is the greatest security challenge facing corporations: teleworkers.

Network administrator at US firm SR Equipment Craig LaHote is struggling with it now, and just a week ago he had a meeting with executives about it. "We're having a hard time controlling it. It's a real grey area with home computers accessing the network and the Internet," he said. "We really have a hard time enforcing policies there. We have a policy but no real way to audit [users] except basically asking them to comply."

The problem is both social and technical, experts say. For one, users on home machines behave differently, even if they're accessing work assets and if policies are in place. They tend to disable security when they can wanting more control over it themselves.

It's a hard-to-define behavioural issue, one expert said. "Technology will solve less than half this problem," said Fred Rica, a partner in the technology risk services practice at US-based PricewaterhouseCoopers. "The other portion is working with people's behaviours, and I'm not sure anyone knows how to do that with telecommuters yet."

On the technical side, the rise of always-on connections such as DSL (digital subscriber line) and cable at home means users will tend to leave connections open more. Without a personal firewall, such a computer is a gaping hole for an enterprise.

Hackers can either access information off the home hard drive or use that computer to find their way back into the corporate network. VPN (virtual private network) connections also allow email messages with dangerous payloads a free ride right into the corporate network.

"A lot of companies are talking to us about this very issue," said Fred Felman, marketing vice president at Zone Labs, based in San Francisco. "People plug into their DSL or cable line and walk right past security. Or they have a VPN set up, and you're creating a secure tunnel for users who might use that tunnel to send a Trojan horse unknowingly. If that telecommuter is out on the Internet on one side and talking to the enterprise on the other side, you have no security. It's really scary to security guys."

At the same time, technologies such as anti-virus software tend to be less rigorously updated, and others, such as encryption, are hardly used at all, even if they're used at work, experts said.

It is enough to keep Jeff Uslan, security administrator at 20th Century Fox, in Los Angeles, from permitting telecommuters to access the Internet through their VPN lines. And that, Uslan said, is difficult to enforce, especially with many executives working from home. "It's caused a lot of arguments from people who just expect Internet access at home," he said. "But I can't control them at home. I won't give them the slightest chance to open that backdoor. My greatest fear is the person screaming at me, 'How could this have happened?"

Pick your firewall: Protect you and your PC from Internet threats with a personal firewall. We've gathered a wide range of top-rated security tools for every kind of Internet user. Many are free!

To have your say online click on the TalkBack button and go to the ZDNet News forum.

Let the editors know what you think in the Mailroom. And read what others have said.