Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:28 AM

Two Ways For SMBs To Secure Their Home Workers

Giving work-at-home employees unfettered access to your systems is so 1999; now, clean virtual private networks or terminal services can help

In the slowly recovering economy, telecommuting has become an essential way for businesses to retain valuable workers, increase productivity, and support "green" initiatives. But from a security perspective, telecommuting can also be dangerous -- if you don't have the right technologies in place.

For small and midsize businesses (SMBs), telecommuting is taking off. Nearly 60 percent of SMBs plan to increase their use of telecommuting to cut costs in the next 12 months, according to survey conducted by Staples Advantage, the IT service of the well-known office-supply chain. Yet many SMBs don't have the expertise in-house to deal with security -- about 40 percent rely on external IT support to run their operations, the study found.

"Technology has now made it a lot easier for people to telecommute, and the evolution of this technology is such that we are going to see more and more organizations have people working from home," says Jim Lippie, president of Thrive Networks, which handles Staples' IT service.

Managing the security of telecommuters is a challenge, especially if workers share their computers with other family members. Tackling the problem generally involves one of two solutions, according to security experts. You can leave management of devices in the hands of employees and use network access controls to enforce controls. Or you can give the telecommuter a "virtual desktop" hosted on your company network, enabling you to manage the home worker's devices from the data center.

Pairing network access controls with a virtual private network can give SMBs some control over their remote employees' systems and help ensure the most obvious security measures have been taken, says Dave Ahrens, security architect for Internet telecommunications firm Avaya.

"Some solutions do push down a system check to make sure that the end user's PC is up to date with patches and up to date with antivirus," Ahrens says. "Those are all capabilities that VPN vendors are providing."

In addition, current virtual private networks allow the company to put stronger authentication controls in place, deterring potential attackers. Companies should not, however, treat the data coming from their employees' systems as clean.

"It depends on the budget for a small or medium enterprise, but once you have the VPN, you can put a firewall behind it to filter out any traffic that is coming through ... or an IPS [intrusion prevention system] or an IDS [intrusion detection system]," Ahrens says.

For companies that want to centralize the management of their telecommuters' desktops, a terminal server is an ideal solution, Thrive's Lippie says. The telecommuter logs into the terminal server using strong authentication and is presented with a desktop on which to work. However, the desktop is running on the terminal server, not on the worker's home machine.

The ability to separate a telecommuter's system from the corporate network makes terminal servers very secure, Lippie says.

"When they are in the terminal server, it does not matter how messed up their home computer is," he says.

Thrive recommends terminal servers to its clients as the preferred method of allowing employees to work from home securely and still access corporate resources. While Citrix is the most well-known vendor of terminal servers, Microsoft's Small Business Server also has the option to run terminal services.

"Having a terminal server -- or something of its kind -- is absolutely essential," Lippie says. "The last thing you want from an IT management perspective is to have multiple different people working from their home machines with very little oversight or policy enforcement."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-12
Artica Web Proxy 4.30.000000 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via service_cmds_peform.
PUBLISHED: 2020-08-12
Artica Web Proxy 4.30.00000000 allows remote attacker to bypass privilege detection and gain web backend administrator privileges through SQL injection of the apikey parameter in fw.login.php.
PUBLISHED: 2020-08-12
When SSL/TLS Forward Proxy Decryption mode has been configured to decrypt the web transactions, the PAN-OS URL filtering feature inspects the HTTP Host and URL path headers for policy enforcement on the decrypted HTTPS web transactions but does not consider Server Name Indication (SNI) field within ...
PUBLISHED: 2020-08-12
Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerabilit...
PUBLISHED: 2020-08-12
Eaton's Secure connect mobile app v1.7.3 & prior stores the user login credentials in logcat file when user create or register the account on the Mobile app. A malicious app or unauthorized user can harvest the information and later on can use the information to monitor and control the user's ac...