Safeguarding Telework

By now, most public-sector organizations recognize the merits of telework. It can boost productivity, foster work/life balance, and aid in continuity of operations while reducing real estate costs, gridlock and pollution.

Despite those benefits, security concerns still make some state and local governments wary of implementing telework initiatives. Leaders have raised concerns about users losing notebook computers, leaking sensitive data, and malware or hackers gaining access to the network. The threats are real but can be mitigated, and hesitation only means these organizations miss out on valuable benefits. Organizations that don't let security hold them back confront the challenge head on and take action to minimize the risks involved in supporting remote workers.

Simply put, the advantages of telework are too worthwhile to ignore. The key is to properly apply policy and technology to temper the risks and protect government assets and citizen data. Agencies must lay a solid foundation for telework by adopting common security tools and practices.

Protective Action

Taking the lead is the California Office of the State CIO, which in March issued a policy for securing remote access for state employees. The Telework and Remote Access Security Standard 66A calls for network access control and "up-to-date operating system software and security software [antivirus, antispyware, firewall and host intrusion prevention] every time a remote connection is initiated."

California gives network access only to state-owned computers; no personal devices can connect unless the owner has obtained written approval. Among other requirements: Teleworkers must protect their physical environment, including paper files and gear, and use encryption for all connections and personal wireless networks.

Another security tactic involves tapping technologies such as desktop virtualization and thin clients. When combined, a virtualized thin-client infrastructure can minimize the potential for security breaches because the computing takes place in the data center, not on the client device. Nothing is stored locally. Web interfaces to e-mail systems offer an easy first step toward telework.

For any information that users need to store on their computers, consider encrypted USB drives or another form of secure storage; and guard against theft with physical security measures such as notebook-tracking software and cable locks (see "Anti-Theft Measures").

Everyone's Job

Just as critical as the tools used to safeguard systems are the people entrusted with doing so -- and we're not talking about just the IT team, but all users. Everyone in the organization must assume responsibility for IT security, and that starts with user-awareness training.

In California, agency leaders must ensure that users authorized to telework have been trained regarding their roles and responsibilities, security risks and requirements.

Telework requires state and local government to strike a balance between worker freedom and security. Entrusting workers to do their jobs offsite provides productivity gains and a morale boost. That said, telework should be a privilege and not a right, and users must do their part not only to keep their organizations safe but also to use these tools to enhance productivity.

Applying the appropriate mix of security tools, policy and education are sure to increase the comfort level that agency leaders have for telework, allowing both the government and staff members to benefit from such initiatives.