Telecommuting: Be Aware Of The Risks
Telecommuting. It’s a wonderful thing, if your organization permits it. Some places of business do, others do not, and the reasons vary greatly. Some executives feel they need to constantly see and physically account for their employees, while other leaders are confident that their employees will accomplish their duties, regardless of location.
Some positions are more telecommuting-ready. Project managers and sales people, for example, often find themselves on the road, between client on-site meetings and the like. For roles like those, the ability to telecommute is invaluable. I’ve been in organizations where senior management would get annoyed if sales staff was in the office more than a day or two a week-reasoning being, if they were in the office, they were not selling.
Being connected while being upwardly mobile is crucial, and as technology improved, so too has the ability to protect it-and attack it. While most users just see telecommuting as an added perk, IT staff should recognize it for what it truly is: another opportunity for networks and devices to be compromised. Whether you allow users to connect from their home computers that you do not manage, or require them to only use corporate assets, any VPN connection extends your network and provides hackers yet another avenue to attack your infrastructure. Recently learning this the hard way was the United States Postal Service (http://www.darkreading.com/attacks-breaches/us-postal-service-suspends-telecommuting-following-massive-data-breach/d/d-id/1317391?), and with the breach, the response was swift: no further telecommuting, by anyone, until systems and security measures can be upgraded or implemented.
Let that decision sink in, for just a moment. Because of a security breach, the USPS has disallowed telecommuting by all of its more than 800,000 employees. And the breach appears to at least partly be from software not being kept up to date.
This brings to the forefront a constant battle that IT professionals fight on an almost daily basis: effectively managing software patching. You don’t usually want to be on the bleeding edge, because you don’t want to make your end-users become unpaid beta testers for a particular vendor. No matter what anyone tells you, no software release is ever perfect. Need proof, just take a look at the recent iOS 8 releases. It’s the reason why many organizations remain at least a release or two behind the current release-it allows them to remain generally current, without risking being too current. At the same time, you need to be mindful of what vulnerabilities your software revisions are exposing you to. You may not want to be on the latest and greatest, but when the absolute latest code is the only version that patches your hardware from say, the Heartbleed issue, and you must patch.
Without having access to the USPS post-mortem, it’s impossible to know what the root cause was, but they seem to at least partly be blaming out-of-date VPN software. Perhaps their IT staff fell behind on updates, but it’s worth using this case as an reminder to remain vigilant with your patches and version updates.
Look for another entry in the future about how else to keep your remote users (and your remote assets) as secure as possible.