Telecommuting is an emerging aspect of business that allows employees to work from home, or a place near the home, with the same basic productivity and functionality as at the office. There are numerous benefits, several downsides, and many articles written about telecommuting, and I encourage any curious readers to spend time reading before drawing conclusions.

My personal experience is based on telecommuting over the last ten years, all in the consulting and/or systems engineering sector, and more specifically in the information security portion of that field.

Security is often overlooked by both employees and management during the telecommuting trial period, and later is often pushed aside until an event forces the organization to deal with the issue.

Security focus areas for telecommuting revolve around two basic changes. First, the physical security perimeter of the office environment is destroyed. Second, the communication security controls of the office may not effectively extend to the home office.

Physical security is the first layer of defense in any organization, whether a sandwich shop or an international banking company. The security controls that make up the physical security layer include the obvious protections of locked doors, alarm systems, and guards. They also include less obvious protections against shoulder surfing (people reading over your shoulder), wireless network hacking, and similar proximity-dependent attacks.

Communication security controls are typically unknown to most users but of high importance to the CIO. These include encryption of data on the network (and perhaps on individual computers), firewalls, denial of service protections, intrusion detection, and many other esoteric technologies. Let it suffice to say that these controls are generally not set up to effectively handle telecommuting. This means that telecommuters enjoy none, or very few, of the communication controls afforded them in the office.

Key focus areas (that can reasonably be solved):

  • encryption of data (both during transmission and on the local computer);
  • firewall to limit exposure to hackers;
  • physical security of papers and files;
  • intrusion detection (limited capability).

A later post will lay out potential solutions for each of these focus areas.