Aug 21 2008

Do You Know Where Your Employees Are?

IT managers are using a mix of hardware and software tools and targeted usage policies to keep tabs on remote workers.

Jason Prescott, CEO of JP Communications, is troubled but not surprised by the numbers: 38 percent of U.S. workers take documents out of the office each week on portable devices, and 23 percent use web-based e-mail to do so, according to a survey by security software maker McAfee. Prescott, after all, had to fire one of his sales reps for e-mailing pilfered customer contacts to his home computer.

What the sales rep either forgot or ignored, says Prescott, was a warning on his first day on the job that JP Communications uses security software that lets Prescott see every instant message, every e-mail and every file sent by or received on company computers. That includes the notebook computers some workers use on the road and at home and messages sent from personal e-mail accounts on company-owned systems.

“You don’t want to be Big Brother. But you want to protect your company and data,” says Prescott, whose San Marcos, Calif., company operates TopTenWholesale.com and other business-to-business websites. “We have had employees visit prohibited sites for hours upon hours. We’ve had parts of our database accessed by employees who did not have permission to do so. Without monitoring software, we would not have known that.”

Prescott insists he isn’t being heavy-handed, and he’s not alone. Ninety-one percent of IT executives say there is a greater risk of sensitive data being leaked when networks are made accessible to remote and mobile workers, according to research by AEP Networks of Somerset, N.J.

That’s why small-business executives like Prescott have begun using a combination of powerful hardware and software tools and stringent employee policies to keep remote workers productive — and in line.

A typical mix includes software, such as RSA’s Endpoint, that monitors and blocks the movement of sensitive data from notebooks and desktops to mobile devices; and firewalls, such as Check Point Endpoint Security and Novell ZENworks Endpoint Security Management, that report on which websites remote users are attempting to access through the desktop firewall or VPN client.

The mix also includes software that blocks access to gambling, pornography and other prohibited websites, based either on the URL or the bandwidth consumed. Products in this category include Websense Security Suite and GFI WebMonitor.

“Controlling external websites visited by staff reduces risk, helps monitor usage where needed and helps provide automated controls to back up rules of use or acceptable-use guidelines,” says Barry Lewis, owner of Cerberus ISC, a data security consultancy in Toronto.

Fabiana Gower, the director of IT for Martin, Fletcher & Associates, a medical staffing firm based in Irving, Texas, swears by her three-layered security mix.

The first layer is network management and monitoring software from Lumension Security that prevents unauthorized devices — whether they use Wi-Fi, USB, FireWire or Bluetooth — from connecting to the corporate network. The second layer is a firewall from WatchGuard Technologies that limits web access, creates a VPN, and reports on which websites remote users are attempting to access. The third layer is Microsoft Active Directory, which controls which users in one domain are allowed to access resources in another domain. So far, so good, says Gower: “We haven’t had any unauthorized users access our network.”

Throughout the year, as many as 50 of Martin, Fletcher’s 200 employees visit hundreds of hospitals, each carrying either a notebook or tablet PC capable of tapping into the company’s database of hospital administrators, physicians and other healthcare workers. Each device is monitored. In addition, a handful of these workers now use Treo smartphones. For now, Gower has blocked the handhelds from accessing the company network altogether.

Protection Policies

Any effort to keep close tabs on remote workers requires very specific usage policies. Start by notifying your employees, explaining to them what online behavior is expected and what is forbidden, says Darren Scully, director of information technology at Brent Coon & Associates, a Beaumont, Texas, law firm.

“Your policies and process should be the same whether that user is in the office or in the middle of an airport,” says Scully. “Prepare your firm, your clients and your users the same way you prepare your kids before they walk out the door for the first day of school: Educate them. Advise them of the equipment, the ramifications of the use of the equipment as well as what the guidelines are.”

Scully says before Brent Coon instituted its current guidelines, employees paid little heed to data security warnings. “Before I changed my thinking, we had notebooks left in airports, lost, stolen, broken beyond repair as well as one user who threw it away in a dumpster out of anger. I’ve seen it all.” Now, when employees are issued any portable device, they must fill out a form, acknowledging their responsibility for the device and its content. “Your data is more secure because the user guards it.”

JP Communications’s Prescott agrees with such up-front policies. “We have strict confidentiality and data-protection clauses in our employee contract and in the company handbook. It’s all spelled out on the first day of employment,” he says.

But most of the time, the threat of being caught — and the technology to back up that threat — is deterrence enough to stop the most egregious PC-related behavior, says Prescott.