Friday, June 26, 2009

Securing Your Company's Information

We originally developed this guide for healthcare companies to help them secure their networks and critical information, but it applies to virtually every company, because almost everyone has some sort of sensitive data on their computers.

Click here to access our Top 10 Tips for securing your sensitive information, particularly as it applies to networks with remote access requirements.


Monday, June 15, 2009

Five key questions your telework policy should answer

When establishing a telework program for your company, you should strongly consider having a formal telework policy. This written document will outline the program, eliminate gray areas, and help to prevent future disputes. As with any business planning document, it should be considered a "living document" and therefore should be revisited at least once a year.

Your telework policy may contain a wide range of terms and conditions, but should definitely include answers to the following five questions:

1) Which jobs within your company are telework-friendly? Not every job is well suited for remote execution, and some job titles that are easily teleworked in another company may not be in yours. Along the same lines, what types of employees are best suited for telework? Be honest. Elements from previous performance appraisals can provide clues - generally, you're looking for self-starters, those who produce quality work on time and without a huge amount of oversight, and employees who are comfortable working independently.

2) Where can a teleworking employee consider a suitable "alternate work site"? For some people, like computer programmers, a coffee shop may work fine, but for others, like salespeople or customer support reps who are on the phone all the time, a dedicated home office may be required. Again, be honest, and do all you can to get buy-in from the employees so they don't find this decision to be a burden on their productivity.

3) What sort of equipment does a teleworker need, and who's going to pay for it? Does the remote worker need a dedicated laptop, or can they use their personal home PC? Do they need a dedicated phone line, a special phone, or a high-quality headset? Will they be handling company paper and require a fireproof safe or other locking file cabinet? What kind of software will be available to get them to company IT resources (VPN, Remote Desktop, etc.)? If answered incorrectly - or worse, ignored - these details can impact efficiency and cause even the best worker to become less productive. With the right environment, that same worker is likely to gain productivity, so pay careful attention to these items.

4) What sort of communication schedule should the teleworker adhere to? Are there daily or weekly team meetings or conference calls already? If so, is there a good way for the teleworker to participate (e.g. conference bridge or WebEx/GoToMeeting)? If you don't have regularly scheduled communication opportunities, perhaps now is the time to implement them. What times of day should the teleworker be available for ad-hoc communication from colleagues, and, just as importantly, what times will colleagues be available for communication from the teleworking employee? Does everyone have email / IM / Twitter / Facebook to allow for comfortable interaction? Communication is perhaps the most subtle, but most critical, stumbling block for telework - when we're not all in the same physical location, it takes a little bit of effort and forethought to ensure that teams still cohere, and that the company doesn't lose its sense of shared purpose. By scheduling regular communication opportunities, and establishing a solid calendar of coworker availability, you can achieve purposeful and productive communication rather than the random and often distracting communication at the water cooler.

5) Is telework right for you and your organization? We generally advise against full-time telework all the time. A day or two in the office each week, or at least each month, can be very valuable. Relationship-building, brainstorming, creative thinking, and many other aspects of business life simply work better when conducted in person at least some of the time. Working entirely distant from colleagues can be successful, but it requires such an extreme effort that the benefits are generally outweighed by the cost. For some, it is undoubtedly the right decision - but a decision that should be made with great care. In most cases, research and anecdotal experience point to 3 telework days each week (give or take 1) as the ideal scenario. In-office days can be used for creative, synergistic, team-oriented activities, and work-at-home days can be used for document creation, phone calls, and other more solitary work. When balanced properly, tremendous productivity gains are possible, so think long and hard on this question.


Monday, June 8, 2009

Netbook as Remote Access Device

There's lots of buzz in the market these days about mobile devices - particularly the latest round of iPhone / Palm / BlackBerry smart phones. I love my iPhone, but I still can't imagine doing any real work on it. It's amazing for email, getting a map, seeing the weather radar, updating Facebook, and so much more -- but the screen is too small, and the navigation and keyboard too cumbersome, to possibly do substantial work. If I need to work on a PowerPoint, dig into some Excel formulas, or update the content and images on our websites, I simply can't do that from my iPhone. I need a bigger screen, a full-size keyboard, and preferably, a mouse.

That's where a Netbook comes in. Small but not too small, and coming in at only a few hundred dollars, a netbook (also known as UMPC or Ultra-Mobile PC) can be the perfect on-the-go computer for the mobile knowledge worker. Netbooks all have built-in Wi-Fi, and many even have built-in cellular broadband coverage (with a plan from Verizon, AT&T, or Sprint, of course), so you're able to be connected all the time.

That connectivity is critical, because you don't want to fall into the trap of loading all your data and software onto the netbook device itself. That'll tax the capabilities of the device, use the battery faster, and increase the damage if the device is lost or stolen.

Instead, you should think of the netbook as a portable terminal to your information. Don't carry the info with you - reach out across the Internet and work with it in its native location. That means using a secure remote desktop solution to log into your main PC back at the office, or a VPN to connect to the office network. Tools like chat, IM, and even Twitter help to keep you in the loop even when you're miles away. Google docs and other online applications provide another way to leverage ubiquitous connectivity without overstepping the bounds of what the netbook can handle.

What are your experiences with netbooks? Any favorite brands or models?


Wednesday, June 3, 2009

Security Alert Shows Web Remote Access Weaknesses

Remote computer access users beware - several new vulnerabilities have been revealed in existing solutions. One solution, LogMeIn, was reported to have such vulnerabilities, along with exploits that take advantage of them to control your PC without authorization. More info here: http://securethoughts.com/2009/06/multiple-vulnerabilities-in-logmein-web-interface-can-be-used-to-control-your-computer-and-steal-arbitary-files/

This announcement leads to a critical question in today's hyperconnected world: just how secure is the web? The answer, sadly, is "not very secure". With the rapid proliferation of web browsers (IE, Mozilla, Chrome, Opera, Safari, and so on), the arms-race style of releasing new version upgrades before the ink on the last version is even dry, and (relatively) new technologies like PHP, CSS, JavaScript, and so on, browsers are increasingly vulnerable to attack.

Factor in the ever-targeted SSL / CA infrastructure at the core of browser-based encryption and site authentication, and you've got fertile territory for malicious forces.

So what's the solution? Don't use browser-based interfaces unless you absolutely have to. "Real" desktop software is remarkably portable these days - on USB drives directly or via U3 or VMware Pocket ACE, or via download on broadband that's available anywhere you have cell coverage, or even installed directly on the disk of a lightweight UMPC. These solutions can provide additional security through 2-factor authentication. There's no need to risk your critical information on web-based access tools. If you need a more secure solution, you might want to look for a GoToMyPC alternative or a LogMeIn alternative.


Why Authentication Matters Most


Most websites and remote access tools use encryption as a way to imply security. The more encryption - measured in bits (e.g. 256 bit is better than 128 bit) - the better. Statements like "128-bit encryption, as strong as online banking" are common across the industry. While encryption is important, and such statements are true, they are also misleading.

Encryption strength only tells part of the story - the less important part, in my opinion. That's because no matter how strong your encryption is, your overall security is only as strong as the authentication used to begin the user's session.

Think about it this way: thick walls, barred windows, and barbed wire fences don't keep prisoners in jail if they can just walk out the front door without someone checking their ID. Similarly, you can have the best encryption, firewalls, and network intrusion detection tools in the world, but if your systems don't properly validate users, those measures won't keep attackers out. Poor authentication is the weak link in the chain, the wide-open door in an otherwise impenetrable fortress.

The problem is that if someone can defeat your authentication, the rest of the defensive systems don't know they're the bad guy. In fact, the rest of the systems - firewalls, etc - think they're actually one of the good guys. Once through the door and inside the walls, the attacker can act as if he or she were a real employee, and your perimeter defenses are rendered useless.

So, what can you do about it?

The answer is simple: implement 2-factor authentication (or 3-factor or more). 2-factor authentication - or multi-factor authentication in the general case - is achieved when a user's identity must be validated by two distinct types ("factors") of authentication. Typically, this means combining something you know, something you have, and (optionally) something you are.

The best real-world example is an ATM. The machine requires you to present both your ATM Card (something only you should have) and a PIN (something only you should know). If one is presented without the other, no money is dispensed. So, a stolen card or a stolen PIN is useless on its own. A retina or fingerprint scan may be added for additional security.

In the case of computer logon, the elements are typically a password (something you know), a USB authentication device (something you have), and an optional fingerprint or retina scan (something you are).

A good multi-factor authentication system thwarts most common break-in attempts, which are based on attacking passwords. Even if your password is lost, stolen, purchased, phished, or otherwise obtained by someone with bad intentions, they won't have your USB device or your finger (hopefully!), so the password does them no good. And passwords are compromised all the time. I've personally run across dozens of documents and pages on the web with passwords for the world to see, and those with more nefarious goals have access to thousands more. With passwords getting weaker and less reliable all the time, it is more important than ever to implement multi-factor authentication.

In the case of remote access, more so than almost any other application, it is absolutely critical to use multi-factor authentication, because compromised remote access systems open your entire network to attackers.
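The password-plus-device logon described in this post, as an added sketch that is not code from the original post or from any product named here: the server accepts a session only when the password verifies and the token answers a fresh one-time challenge. The names `LoginServer` and `token_response`, the shared-key HMAC token and the PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def token_response(device_key: bytes, challenge: bytes) -> bytes:
    """What the USB token computes: a MAC over the server's fresh challenge."""
    return hmac.new(device_key, challenge, hashlib.sha256).digest()


class LoginServer:
    def __init__(self):
        self.users = {}    # user -> (salt, password hash, device key)
        self.pending = {}  # user -> outstanding one-time challenge

    def enroll(self, user: str, password: str) -> bytes:
        salt, device_key = os.urandom(16), os.urandom(32)
        self.users[user] = (salt, _pw_hash(password, salt), device_key)
        return device_key  # provisioned onto the user's token

    def challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]

    def login(self, user: str, password: str, response: bytes) -> bool:
        challenge = self.pending.pop(user, None)  # single use: blocks replay
        if user not in self.users or challenge is None:
            return False
        salt, stored_hash, device_key = self.users[user]
        knows = hmac.compare_digest(_pw_hash(password, salt), stored_hash)
        has = hmac.compare_digest(token_response(device_key, challenge), response)
        return knows and has  # both factors checked; neither alone is enough


if __name__ == "__main__":
    srv = LoginServer()
    key = srv.enroll("alice", "constructed-password")  # constructed sample data
    ok = token_response(key, srv.challenge("alice"))
    print("both factors:", srv.login("alice", "constructed-password", ok))
    srv.challenge("alice")
    print("password only:", srv.login("alice", "constructed-password", b""))
```

Because each challenge is consumed on use, a token response captured from one session fails against the next one even when the password is also known.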


Monday, June 1, 2009

Top 5 Tips for a New Teleworker

If you are new to teleworking, there are a few things that might be important for you to consider in order to be as productive as possible. These basic things might help make the transition from the traditional office to the home office go smoothly. You should also recognize that your situation could be a little different, but for the most part these are good ideas that can help keep you as productive at the house as you are in the office.

1. Have a separate and specific workplace.

Creating a separate and specific workplace is critical to being an effective teleworker. It doesn't mean that you can't mix it up on occasion, but when you are getting started you need to know where everything is and be able to access it quickly. Often as a teleworker you spend a considerable amount of time on the telephone. You don't want to have to jump up and look for the phone when your manager is calling, especially if they are not as sold on the telework idea as you are. It is important that they feel like you are in a productive environment.

2. Try to avoid distractions

This tip is both for productivity and perception. Distractions while on a Skype call or the telephone can be perceived as less than professional. You want to be sure that you have a distraction-free area that you can work in during the day. Of course, fewer distractions will also mean better productivity. Another thing to consider is that home distractions are a little different than office distractions. Some people get distracted by a messy living room or a sink full of dirty dishes. If this distracts you mentally, then be sure to have the house "picked up" before you start your work day.

3. Take a lunch break

Teleworkers sometimes feel that they have to be at their computer for the entire day in order to respond to instant messages, Skype requests, and emails immediately. But to be productive at home you need to take the same short breaks that you take at the office. Get up, take a walk, and eat a healthy lunch. One of the benefits of telework is being able to go to lunch in your own kitchen.

4. Get a great telephone

This tip really depends on what type of work you do. If you are a manager or part of a sales team then you might have to spend a lot of time on the telephone. If you are a computer programmer then maybe not. If you are going to be on the phone a lot, get a nice phone with a good "hands free" or speaker phone option. Using a cheap phone will make it harder for you to hear and will require more mental power to listen. Some people like to use headsets as well, so that might be a good option for you. And as a tip within a tip, be sure to have at least one phone at your work area be plugged into a wall. Conference calls can drag on for hours and your wireless phone batteries will not last that long.

5. Check in often

It is important that as a teleworker you initiate communication back with your group throughout the day. This gives your team a feeling that you are part of the group. However, be sure that you are adding value to the goals of the team and not just being annoying. After your work routine gets established, this need to connect may go away, but early on you want to be sure that you are adding value and contributing and that your team knows that you are easy to reach.


Now, what are some of your top tips? Post any tips you have in the comment area or link back from your blog. Thanks.
