“We immediately started having problems with our computers,” recalls Derek Kemp, chairman of Human & Legal Resources. “But our IT person immediately focused on that laptop.”
A check of the lawyer’s laptop computer revealed the presence of 990 viruses, which had infected it as she had conducted her research on the internet. When the laptop was plugged in at work, the viruses then invaded the company’s system.
Fortunately, the problem at Human & Legal was solved. The computer, which had served as a ‘Trojan Horse’, was removed from the network, thoroughly cleaned, and the system set right once again.
“It [one of the viruses on the laptop] was attacking one of our word processing procedures, and it had to be dealt with quite quickly,” Kemp says.
Human & Legal Resources is far from being the only UK company to have fallen victim to such a problem. The Department of Trade and Industry (DTI) recently revealed in its Information Security Breaches Survey 2004 that workers’ remote access to company information systems is increasingly becoming a worry for UK businesses.
With home and mobile working on the rise, the risk of information system invasion through PCs, laptops, floppy disks, personal digital assistants (PDAs) and the internet is not being taken seriously enough by businesses, the DTI contends.
“Despite the obvious threats, it is not always the case that companies providing remote access deploy additional security controls. A quarter of businesses rely on their normal network password controls, despite the fact these are often easy to crack,” the report says.
What can HR do to help combat this potentially crippling problem? Plenty, agree HR, IT, legal and other experts.
“When it comes to homeworking, HR is very much involved in changing how people work – ensuring that if there is a change of culture, people understand the security issues,” says John Parker, director of improvement services for the Corporate IT Forum, a subscriber group with more than 2,800 corporate IT user members, including senior HR managers.
“The way employees are managed, and the way they are trained and motivated to understand their security responsibilities should be a joint thing between IT and HR,” Parker says.
The HR director of a UK charity, who wishes to remain anonymous and whose organisation has 30 of its 450 staff working either from home or on the road, says: “I think HR has to be at the core of these things or the way they develop is not coherent, or joined up across the organisation.”
The charity itself supplies PCs and laptops for its home-based and mobile workers. For home-based workers, the charity conducts a review of the premises where the work will take place to make sure health and safety requirements are met, as well as assessing any potential security implications for the computer.
“Some assessment is made of the situation. I think HR’s role has to be to ensure where people are based is appropriate to the organisation, and how they are resourced is the right thing to do,” says the HR director.
The remote access security of this organisation’s computer network, he says, is built around establishing ‘identities’ – personal characteristics that identify the particular computer user.
Chief security officer for Microsoft Europe, Stuart Okin, says: “HR can become great enablers. The first challenge is to make sure a flexible worker or homeworker views accessing the corporate system in the same way they do when they’re actually in the office. It’s making security a part of their mindset.
“At home, you’re not in a corporate environment, and you may start to become a little bit more lax on security,” Okin continues. “It’s the aim to embed the culture of security into what they’re doing.”
Viruses can all too easily be picked up on the internet. Malicious attacks by hackers pose threats. And then there’s even the low-tech, but high-risk threat to top-secret corporate information via the age-old technique of theft or the accidental loss of a laptop or PDA.
“In most large organisations, and, increasingly, smaller businesses, laptop users are recognising the need to make sure there’s protection for that data,” says Andrew Beard, information security advisory director at PricewaterhouseCoopers, which was a co-sponsor of the DTI survey.
“If a laptop is stolen, there may be a financial loss in terms of the computer, but the data should be safe. It should be protected by some cryptographic methods,” he says.
PDAs are a particular worry because most are owned by individual users rather than the companies themselves, yet the devices may hold company-sensitive data for the ready use of their owner. Beard points out that while the users may “get great benefit out of this, because they can take all this useful data round with them in an easily transferable form, the data is not protected”.
Another situation that occurs all too often is that high-level executives spot their golf mates with a flashy new office-related toy and, on returning to the office, demand one – without regard to the potential security risks.
At global delivery service UPS, a wide-ranging company electronic communications policy has been developed by HR and the IT department, which means that not even the chief executive can avoid security responsibilities.
UPS information systems director for Europe, Graham Nugent, says: “We’ve got a full set of policies that cover everything – remote access authentication, but also what we allow people to do on the web. It’s a document that everyone in the company has to sign, and it is held in the personnel file. That ensures no-one can come to us later and say ‘we didn’t know that’.
“If we give one of our executives a laptop or another device, they have to sign off on all these policies, effectively saying: ‘I have read those policies, I understand them, I agree with them, please give me my device’,” he adds.
To gain access to the UPS network, Nugent says, “everyone has an ID and a password, but we also use stronger authentication in the form of a security token – basically a microchip in a plastic container that you put on your key fob”.
“Obviously, people can steal my ID and maybe find my password. But unless they’ve got my security token, they won’t be able to log on remotely,” he adds.
Lending further urgency to UPS’ system security for HR purposes is a conversion to a self-selection HR software system that will allow employees to update their part of the HR database from anywhere at all, as long as they have access to a computer.
“That’s another reason why we feel we need a formal policy, if we’re actually going to open up our database to employees remotely,” says Nugent.
Despite the potential threats to corporate information security, however, remote working is a fact of modern life that’s here to stay.
“We certainly believe there is danger if (corporate systems) are not properly secure,” says Nugent, “but we don’t believe we can survive without giving remote access. We could not do our job properly in the world today without giving people remote access to our computers. So we have to come up with a method of allowing access, while at the same time minimising risk to the business.”
Timescale of the problem
All sizes of UK business have significantly increased their use of remote access since 2002, when the DTI survey was last carried out.
Some 35 per cent of businesses use PDAs; that figure rises to 57 per cent for large businesses.
One in seven companies identified more than 100 attempts at unauthorised access to information systems.
74 per cent of all UK businesses and 94 per cent of large companies had a security incident in the past year.
The average UK business has roughly one security incident a month, and larger ones have around one a week.
The average cost of an organisation’s most serious security incident was around £10,000, with that figure rising to £120,000 for large companies. The biggest contributor to these costs was the impact on availability.
Virus infection and inappropriate usage of systems by staff were the cause of most incidents.
Source – Information Security Breaches Survey 2004
Conduct a risk assessment of the location where the work is likely to take place, if possible (difficult with mobile workers).
Regularly distribute anti-virus and other security software updates.
Install strong cryptographic controls on home-based or mobile computers to prevent the loss of sensitive data if the machines are lost or stolen.
Consider installing a virtual private network – a private data network that runs over the public telecommunications infrastructure – to link the office and the home-based worker.
Consider limiting remote access to e-mail only.
Develop a policy that covers company-wide computer usage, and train staff. “It’s training by giving examples of what can happen,” says Human & Legal Resources’ Derek Kemp.