At least one security company says the number of inquiries for its telecommute-enabling technology have soared since the outbreak of severe acute respiratory syndrome (SARS) in the Greater Toronto area.
But businesses say recent events shouldn’t require them to beef up their current remote access capabilities for employees.
Rosaleen Citron, CEO of IT security specialist WhiteHat Inc. in Burlington, Ont., said she saw the first increase in demand for remote access solutions within days of the appearance of SARS. “Since the beginning of [April], we have seen a 200 per cent increase in normal sales of virtual private networks, tunnelling and authentication technologies,” Citron said.
Business continuity issues were at the top of companies’ lists after Sept. 11, but until now, most policies and procedures revolving around remote access were based on the possibility of floods, earthquakes or other natural disasters, she said. “Now we’re dealing with a human factor – we’ve never seen anything biological or health-related [to drive adoption], since technology blossomed in the ’60s.”
Policies have now been “changed or added to very rapidly” to include health risks – and employee anxiety, she added.
“If you have a health situation, you’re not just dealing with people being quarantined, but you may also be dealing with fear,” Citron explained. “You don’t want to force employees to go somewhere they don’t want to be.” Other times employees have to stay at home because their children have been quarantined. Whatever the situation, she says, “this is a human factor that hit people a little off side.”
Telus Communications Inc. hasn’t had to address any situations in which employees have been quarantined, said the firm’s Burnaby, B.C.-based director of health services, Kendra Innes. But the company has always had a plan for crisis situations. Precautions were taken in the company’s mobility division in eastern Toronto – some employees chose to work from home, although they exhibited no symptoms.
Jonathan Nieuwendyk, manager of workplace technologies for Telus in Edmonton, said Telus has offered employees remote access capabilities for about 10 years. “We have 13,000 employees who use secure ID tokens to authenticate remotely – a good chunk have either dial-in or VPN capabilities,” he said, adding that Telus has not had to ramp up those capabilities in response to SARS-related telecommuting.
According to Citron, secure tunnels – protected areas through which locked and encrypted data can be sent from home – are keys to enabling safe remote access. Another technology that has seen a 230 per cent surge in sales is strong authentication, where the identities of networked users, clients and servers are verified without transmitting passwords over the network. WhiteHat offers this through an authentication token, a keychain-like device on which a one-time PIN appears – the user must enter that number in a dialogue box as the last step to logging in to the network.
Citron recommends leasing laptops pre-configured for optimal security for businesses that want to provide telecommuting capabilities for employees, but are concerned with security issues. There’s no guarantee that employees have adequate antivirus or firewalls installed on their own personal machines, “and if they’re using them to run through the Internet, God knows what they’ll pick up.”
Telus has struggled in the past deciding whether employees should use company assets to log into the corporate network from home, or just use their home computers, Nieuwendyk said – both because of security and budgetary concerns.
“We have limited control over security on home machines,” but with so many people wanting to jump on the telecommuting bandwagon, it can get expensive to supply laptops, he said. Telus used to lease the equipment, but found it was more cost-effective to purchase notebooks, he added.
Nieuwendyk said Telus has guidelines and policies around how to configure machines at home for secure access. “There are always risks, but those risks are often outweighed by the benefits of remote access.” Once there’s a VPN tunnel, there are few issues to worry about. “There have not been, as far as I can remember, breaches resulting from a home PC.”
Citron agreed that offering remote access capabilities could be a balancing act for many businesses that want to give their employees a safe way to work from home, but that also have to explain laptop leasing and security expenses to board members if the technology doesn’t end up being used. “A lot of CIOs I talked to in the last couple of days have had their budgets cut, but are expected to support all this security. Where are they going to get the money? They’re running around trying to pull it from somewhere….They’re probably not going to rent notebooks until they know they’re going to have to do it.”
One note of caution: if companies go the laptop leasing route, they must remember to wipe the hard drives clean of any corporate information before returning the machines, Citron said.
WhiteHat’s chief security officer Tom Slobichak said several software packages are commercially available, which can overwrite files several times so the data becomes unrecoverable. Another strategy, which costs nothing, is to reformat the drive three to four times – seven times to meet industry-standard best practices – “but that takes a long time and can destroy the operating system,” he said.