Teleworkers Know (And Ignore) Security Risks, Study Says

The majority of telecommuters are aware of the security dangers that go along with using mobile devices and remotely logging onto their employers' networks, yet their behavior for the most part contradicts this awareness, according to a study issued Monday by Cisco Systems and research firm InsightExpress.

Of 1,000 teleworkers contacted across 10 countries, more than one of every five allows friends, family members, or other non-employees to use his/her work computer to access the Internet. The top five justifications for doing this were that workers didn't see anything wrong with it, their companies didn't mind, they didn't think that letting others use company-issued computers increases security risks, they doubted their companies would care, and their co-workers did it, too.

About one-third of the teleworkers admitted using work computers for personal computing, while nearly half of the respondents indicate that they download personal files onto their work devices. One of every four remote worker surveyed indicated he or she opens unknown e-mails when using work devices.

Despite this risky behavior, don't expect companies to corral their remote workers anytime soon. Telecommuting and remote access are "an unstoppable force, so we have to build security for it," says Bob Gleichauf, CTO of Cisco's security business unit. This means security has to be taken out of the hands of end users as much as possible. Security in the future has to be "security out of the box, building security into processes and technologies," he adds.

It may not be security out of the box, but Driscoll Children's Hospital in Corpus Christi, Texas, does keep close tabs on its teleworkers to head problems off at the pass. The hospital relies on Microsoft Windows Server 2003 Terminal Services or a virtual private network to deliver secure access to staff that works from home and to workers at different clinics across 33 counties that the hospital serves. Of the thousands of health-care workers at Driscoll and this network of clinics, only about 80 require this sort of remote access, but even a handful of remote users improperly managed can expose the health-care facility's IT systems to a virus, spyware, or a data breach.

Teleworkers "present an interesting twist to security," says James Ballou, Driscoll's HIPAAsecurity officer and IS security specialist. Ballou's response is to give most teleworkers access through Terminal Services to only the applications and information they need. Other users, mostly at the administrative level, who require more flexibility, can access their applications and data via a VPN.

Driscoll audits workers' laptops three times each week to make sure there's no contraband software installed--such as iTunes or games--and to check for malware. "If we find something that shouldn't be on the computer, we'll go to that person and talk to them," says Ballou, who adds that he's never seen a worker dismissed from the hospital as a result of this sort of cyber contraband. "We have good policies in place and good ways to enforce them."

The security challenges that Ballou faces are a lot like those his counterparts face worldwide. The Cisco study, fielded by research firm InsightExpress from July 28 to Aug. 13, 2006, included responses from more than 1,000 teleworkers in Australia, Brazil, China, France, Germany, India, Italy, Japan, the U.K., and the United States. Workers who were surveyed connect remotely to their employers' networks at least a few times per year using a PC, laptop, or mobile device provided by the employer.

Among the countries included in the survey, China had the greatest percentage, 78%, of respondents who said they were aware of security when working remotely. Yet Chinese respondents were also the most likely to use their work computers for personal reasons, open e-mails from unknown senders, allow others to use their work computers, and download personal files to their work computers.

Cisco commissioned the study because "so much of security is about better visibility into your user community," Gleichauf says. "Companies have [security] policies that help them sleep better at night but that don't reflect reality." The global scope of the survey also provides a perspective on the way other cultures work. IT management can either adapt to these methods or try to change them, but they can't do either if they're not aware of them.

Companies have to think twice before they allow security measures to erect barriers around mobile devices that make their workers more productive, Gleichauf says, adding, "it's the job of the security people to enable the business and protect it from failure but not become a barrier to competitive efficiencies."