The permanently mobile workforce is a powerful tool for reducing costs--from real estate and utilities to travel and equipment--while simultaneously boosting productivity and morale. Put in place a strong telework program, and even the smallest company has access to a multinational talent pool. Blizzards, flu pandemics, traffic gridlock, general pestilence? No problem.

But a productivity win for the business can be quite the opposite for IT teams suddenly facing increased security risks from employee use of uncontrolled public networks and the need to accelerate deployment of collaboration and social networking technologies to geographically dispersed workgroups. Planning for remote access and mobility requires a focus on network security, client management, and Internet-centric communications as well as policies that regulate a new work paradigm.

One CPA firm that supports the federal government makes it clear to employees that mobility and security come with a convenience trade-off. "We use full-disk encryption at the BIOS level for all laptops, standard," a principal with the firm says. On customer sites, auditors employ Seagate BlackArmor NAS devices that provide advanced security capabilities. IT must approve any application installations on company gear. "We try to be flexible, but if IT thinks an application might pose a risk, the employee will need to justify why it's needed."

Setting ground rules up front is smart business, and not just around security. There are many elements to a successful remote worker program, not all of them technology related. We broke our 10 best practices down into hard and soft requirements--those focused on enabling technologies and those dealing with policies, management, and administration.

1 | Build a robust remote network.

Michael Peachey, VP of product management and marketing at cloud provider Pareto Networks, says not to conceptualize a remote office as some one-off work environment, but rather as "a branch office of one," with the same need for IT applications, infrastructure, and services as headquarters. The obvious basis for any such environment is reliable broadband, which used to mean a wired DSL or cable-modem circuit but now includes fiber to the home, such as Verizon's FiOS and fixed 4G wireless like Clearwire's WiMax.

Letting employees find the best service available at their locations and handling the finances through expense vouchers or stipends, as many companies already do for employee mobile phone service, is the most common and usually best route. Given the reliability of today's broadband connections, a backup circuit isn't generally necessary. But if you have employees who require uninterrupted uptime, consider adding a router with built-in failover capability to a wireless mobile broadband connection, usually via a 3G USB adapter. There are models available from CradlePoint, D-Link, Netgear and other vendors.

The broadband connection is just the starting point; employees must be able to securely access applications and data. VPN services, offered by most managed security providers and many major carriers, can obviate the need for IT to operate a VPN gateway by acting as "secure middlemen" between end users and the network, performing VPN termination and user authentication, then tunneling all client traffic over a separate business-to-business VPN to the corporate network.

2 | Explore desktop virtualization.

Having established the network layer, the next component of a mobile worker strategy is providing the PC hardware and applications. This used to mean buying employees dedicated laptops exclusively for business use; however, the consumerization of technology, the shift in content (both information and entertainment) to online venues, and the rise of social media have blurred the lines to the point that the notion of a dedicated "work" computer is about as quaint as a rotary telephone.

The answer, even for small companies, may be client virtualization. Jay Thimmes, IT manager for the greater Columbus, Ohio, chapter of Habitat for Humanity, supports 35 employees and a flexible group of volunteers on a shoestring budget using thin clients and Windows Server 2008 R2 Remote Desktop. Users can check out desktop images either on Habitat's thin clients or remotely on their own devices using RDP. "We get special pricing since we're a nonprofit," says Thimmes. "But any company can do this inexpensively with commodity hardware."

We recommend using virtual machines to segregate corporate and personal personalities. There are two desktop virtualization architectures.

> Client-side, or local, virtualization essentially applies the server virtualization model to PCs, running several VMs (typically personal and business) on a single system.

> Desktop virtualization, aka virtual desktop infrastructure or VDI, is more like a client-server application in which the operating system image runs on a central server, with the desktop remotely displayed on a user's PC.

In either scenario, the employee's native, booted desktop (which doesn't need to be Windows--Mac lovers rejoice), becomes a personal environment, while the corporate VM, whether run locally or remotely, is a standard system image, managed and configured in the data center.

The beauty of virtualization is that it can get IT out of the business of hardware standardization and procurement entirely, since the supported abstraction layer now becomes the workspace. Despite these advantages, fewer than half of the respondents to our recent InformationWeek Analytics Desktop Virtualization Survey say their companies use VDI now, and of those, only 14% have more than a quarter of their desktops virtualized. Our research suggests that use of desktop virtualization will grow dramatically within a few years, however.

3 | Security-screen remote systems accessing your network.

Remote users, particularly those who travel and access many different public networks, are more susceptible to Internet-borne contagions than their office-bound colleagues. We don't recommend letting remote clients access corporate networks without passing a sanitation exam. Network access control is a powerful technology for mitigating these risks. NAC software can ensure clients are virus free, have the right security configurations, and are using the latest anti-malware signatures and OS updates before being allowed on the corporate network. This is a critical aspect of the U.S. Patent and Trademark Office's telework initiative, which allows employees to use their own hardware. PCs failing an initial scan can be shunted to a limited-access quarantine network or a captive Web portal, where they can apply necessary patches and configuration changes.

There are two forms of network access control, pre- and post-admission, which differ in where they apply security controls. In the former model, devices must be authenticated to the network (typically using the 802.1X protocol) and pass a scan before gaining admission. In the latter, all devices are allowed on the network, but real-time security checks against approved policies restrict their behavior. Yes, NAC can be complex and expensive, but it's better than cleaning up a massive malware infection.

4 | Make employee phones location-neutral.

Companies with significant remote worker populations should transition their phone systems to an IP PBX with voice-over-IP call routing. Adding a VoIP-based office number at an employee's home is relatively simple, requiring only an Internet phone adapter and some configuration changes on the PBX. Of course, small businesses may find an IP PBX upgrade a daunting and expensive proposition. For them, a hosted VoIP service (essentially VoIP in the cloud) is often a better choice. Very small or entrepreneurial startups may even consider quasi-free voice and video services like Skype, which has a business portal for managing accounts and tracking usage.

Consider augmenting basic phone service with unified communications capabilities such as instant messaging, real-time presence status, and videoconferencing. Given a telecommuter's physical isolation, these additional communication channels are particularly beneficial.

5 | Create a true virtual workplace.

It's important to create online venues for both formal and informal employee collaboration. The leading collaboration suites (think SharePoint 2010 and Lotus Notes/Domino) have lifted the best features from popular Web 2.0 sites to create a business incarnation of social software platforms such as blogs, microblogs, wikis, and other collaborative authoring platforms; think Google Docs, social networks, and online meetings or videoconferencing.

While these next-generation tools are beneficial in any context, they are even more vital for distributed workforces, as they allow employees to bridge the physical gap and share not only work documents and messages, but also informal comments and even personal information (Facebook-like profiles) with colleagues.

Technology can't substitute for human interactions among employees and customers, but it can certainly enable them: By supporting a broad array of communication channels, both formal and informal, IT can help remote workers feel (and actually be) much more a part of both their teams and the company at large.

6 | Account for smartphones.

Given the potential for data loss--thousands of phones are left in New York cabs every month--and the smartphone's growing potential as a malware vector, IT needs the ability to remotely track and control these devices. Mobile device management (MDM) software, which may also be delivered in a software-as-a-service model, can plug this gap. MDM products let IT enforce strong security policies, track and monitor devices, provision smartphones, manage settings and configurations, back up data, and even perform remote troubleshooting, firmware updates, configuration resets and data wiping. Microsoft Exchange (ActiveSync) and BlackBerry Enterprise Server (BES) include the basics, but dedicated, special-purpose applications or a new set of SaaS MDM offerings, from carriers like Verizon and AT&T and companies including Hewlett-Packard and IBM, come with much richer feature sets.

7 | Look to the cloud.

Even if you're not adopting SaaS or other cloud services in your main offices, the providers of these services often have compelling stories for remote workers. Two prime examples are desktop-as-a-service and cloud-based distributed network management providers.

We've discussed the benefits of VDI, and implementing this technology in-house isn't a major technical stretch for companies that already use virtual servers in the data center. However, those who haven't taken the virtualization plunge may prefer to outsource delivery of virtualized desktops to companies like Desktone, Enomaly, MokaFive, and ThinkGrid; these and other vendors offer intriguing options, including offline access to desktops. Even Citrix is now getting into the act, partnering with CSC.

And security needn't be a showstopper. The CPA firm we mentioned uses SaaS vendors that have demonstrated security that it deems acceptable. "While the rule is company data only on company issued devices--BlackBerrys and laptops, no Android devices or iPhones for now--data that lives in the cloud is accessible on any device," the principal says.

On The Softer Side

Technology will get you only part way to comprehensive telecommuter support. You also need to cultivate support skills within IT and work with the business and HR to ensure policies are in place.

8 | Hone remote system administration skills.

Dispatching a technician for a service call to remote workers is costly and impractical, and mailing laptops to HQ for a fix saps productivity, so it's crucial that IT have the software and skills to perform administration using remote desktop connections, a standard feature of Windows since XP. Ensure employees' routers support remote admin and that IT has access rights.

Moreover, remote workers will likely be on the leading edge of collaboration technologies like VoIP phones, and thus may be much more reliant on these apps than office workers. Consider dedicated remote support staff, or at least some customized training for those doing general support.

9 | Develop online self-help tools.

Another way to ease the support burden imposed by a widely scattered workforce is by taking a page from software vendors and encouraging self-help. This initiative can include several delivery channels, such as searchable online documentation, FAQs, discussion forums (preferably monitored by IT so an expert can chime in when other users don't solve the problem or give erroneous information), and even live chat. Effectively using today's cornucopia of collaboration technologies can minimize costly support calls, and even lead to improved satisfaction and productivity.

10 | Engage HR and legal to develop formal remote work policies.

An often overlooked element of remote access programs is a documented set of governance policies and support procedures. Given the technical, management, and legal issues involved with remote workforces, these policies and procedures aren't just the responsibility of IT, but must be developed with HR and perhaps legal. The goal is to ensure that all parties know the ground rules, roles, responsibilities, and expectations.

In our full report, we discuss five specific areas telecommuting policies should cover. But one area that's increasingly coming into play as companies hire global workforces, according to attorney and author Nicole Belson Goluboff, is that remote workers living in civil jurisdictions outside the corporate offices often fall into a legal twilight zone, subject to a hodgepodge of legal and regulatory standards governing everything from workman's compensation and unemployment insurance to tax treatment and discrimination claims. It may be worth taking some of those facilities savings and consulting a labor attorney.