Far from remote: The risks of mobile working

As many as 81 percent of hiring managers have policies in place that allow employees to work remotely, according to a study performed by Yoh, a talent and outsourcing services provider. And a study released by Cisco and Insight Express, an independent surveyor, which polled 1,000 remote workers in 10 countries, found that teleworkers frequently hijack neighbors' wireless networks, share computers with non-employees, and open e-mail from unknown sources.

Bear in mind the huge variety of ways in which employees take information home, such as on laptops, memory sticks, or external hard drives, and the danger of theft increases proportionately. Factor in the way mobile workers connect back to the office, via the Internet, Bluetooth, or wireless, and it becomes obvious that danger can come from any number of directions. No wonder IT professionals everywhere agree that mobile working is a risky proposition.

When you're in the office, your PC will usually be regularly updated, there will be software preventing access to certain websites, your e-mail will be scanned, and there will be a central administrator bearing some sort of responsibility. "When you plug in at home, the connection may be secure but the overall regime may be severely impacted," says Mark Osborne, chief information security officer at Europe's largest independent data network operator Interoute.

"The average firm dives into [mobile working] without considering it properly. You're going to need stronger authentication for a start."

Abracadabra no longer magic

As far as many companies are concerned, IT security stops at the firewall. But remote connectivity requires greater vigilance. Your password at the office may not be particularly secure, but at least you're sitting at your desk, in your office, behind a locked door that is possibly controlled by a security guard. In contrast, remote working environments can be anywhere.

Stronger authentication could come in a number of forms. Osborne lists CRYPTOCard tokens, RSA SecurID, or digital certificates as possible measures. What all these things have in common is they are dynamically-generated, two-part passwords. Often, these are also known as one-time passwords (OTPs). In a token-based solution, for example, the 'token' might be time-synchronized with a clock on the authentication server. A password is generated using an algorithm based on the time of log-in: naturally, even if intercepted, such passwords expire after use.

Some developers are already looking at the possibility of using mobile phones and PDAs as OTP tokens, thus reducing costs. But whichever dynamic password scheme you use, it is essential. "Simply put, without them, you've got bad security," says Osborne.

Worryingly, IT security analyst SafeNet recently found in a survey that 61 percent of IT security managers were still relying on static passwords to protect their corporate networks. In the wireless age, that may not be enough.

There are a lot of myths circulating about IT security and one of them may be that people are more security conscious. The rising costs of identity fraud and cyber fraud suggest otherwise. The Javelin 2006 Identity Fraud Report indicates that identity theft cost U.S. businesses and consumers $56.6 billion in 2005. "These things happen because people aren't careful," says Osborne. "The number of times I've been asked by clients if they can have the same password for remote access that they use for internal access because it's more convenient – it shows a complete misunderstanding.

"The reason firms have a different external security regime is to provide what's called defense in depth. The hope is that if your external password is cracked, your internal password will be able to hold on."

The home front

Passwords are of course just one aspect of the remote access which makes mobile working possible. The real driver behind the growing popularity of mobile working is wireless connectivity, and this is fraught with its own risks. While Osborne considers mobile working to be a welcome development, the bad news is that he also believes wireless will always be inherently vulnerable.

Osborne's research in this area has been picked up by the international intelligence community and featured at the International Symposium of Electronic Warfare. Osborne won't specifically comment on the extent of the work he's carried out in this field, but his work has certainly prompted at least one large, reputable organization to change its plans.

While "chief techie" on KPMG's UK security team, he set up a dummy wireless network around central London, what he refers to as "a honey pot". Accounts had circulated in the press about worrying levels of wireless hacking in the City and Osborne's team wanted to find out just how much was going on. "We found there wasn't a huge horde at the door but despite rain and snow outside, there were still serious attempts on every link we had to gain access to the network," he says.

It's something small businesses need to bear in mind as well. Many employers install a virtual private network (VPN) to facilitate mobile working but never ask what's on the other side. If a mobile worker is working from home on his own terminal, is it a shared PC? Has it got anti-virus software? Is the user able to browse the internet while connected?

Many home workers have little networks of their own, whether they know it or not. House shares are one thing but if the employee owns a wireless router, it's not beyond the realm of possibilities that it's not only his PC that's connecting in – it's everyone in his street.

Loss of control vs. out of control

Given the inconsistency of mobile working environments and the attendant loss of centralized control, the biggest factor in mobile working security will be the mobile worker himself.

Ed Wilding is chief technical officer and director at IT security consultancy Data Genetics International. He's also the expert who reconstructed journalist Andrew Gilligan's palmtop hard drive for the Hutton Enquiry. "You don't know what someone is doing at home, what system they're using, or who they're in communication with," he says. "You have no records or logs, you can't retain e-mails, you can't retain documents, and so you have no real power. You are putting trust in the employee, which is probably a good thing, but at the same time you are losing that oversight."

As well as technological insecurities, mobile working can put employers on shaky legal ground. Once people are working outside the office, employers don't necessarily have an automatic right of inspection to their hardware. Such problems can be solved with a clause in the employment contract giving companies a right of inspection or access. However, as Wilding knows only too well, such clauses are far from common.

Decent exit and suspension procedures should help employers recover information and lock down systems, as well as secure evidence in some circumstances. All this is an absolute must, especially if the cynicism of some IT professionals is warranted. And the idea that the weakest IT links are found inside of the corporate firewall is not unusual in the computer industry. "Nine times out of 10 it's some kind of inside job," said one source, speaking of the huge number of company laptops that leave the office with huge amounts of valuable data on them, never to return.

After all, unscrupulous competitors or organized criminals will pay large sums of money for such data – which means the final irony about mobile working security may be that employee access is as critical as outside intrusion.

Ed Wilding's top tips for mobile working security

1. Dynamically generated passwords: conventional static passwords are "a menace", says Wilding.

2. Proper exit and suspension procedures: make sure you close the digital door after they've gone.

3. Right of inspection/audit in employment contract: the biggest IT problems can occur outside of the office.

4. Inform employees that data will be monitored: sets the correct tone, and pre-empts accusations of snooping.

5. Total disk encryption for laptops: if information goes astray, prying eyes should be unable to see it.

6. Specific firewall policies about data transmission: don't circumvent the firewall on a whim.

7. Risk seminars for all mobile workers: everyone should know about the dangers of "taking it outside".

Adapted from an article by Rob Lewis, for our sister site, AccountingWEB.co.uk
