Heightened awareness, reinforced products advance teleworkers' security

With roughly 250,000 residents, Virginia’s Arlington County is one of the smallest in the country. The county government prides itself on creating a supportive, family atmosphere for its 3,500 employees, a few hundred of which work remotely. But when it comes to cyberthreats, Chief Information Security Officer David Jordan lays down some strict house rules.

“We work really hard to educate our employees . . . to make them feel responsible about the cybersecurity piece of their job,” says Jordan, whether those employees work in a government office, telecommute, or are out in the field issuing permits or inspecting fire codes with their laptop in hand. Jordan personally meets with every new hire during the training process to make individuals aware of Internet threats and the county’s security policies, outlining rules about Web and e-mail usage. Ongoing awareness-raising includes initiatives such as contributions from the IT department to the weekly employee newsletters about the latest e-mail scam or fraudulent Web site.

But when it comes to securing remote employees, it takes more than awareness. The county has layered a number of technologies in order to secure the endpoints, installing Symantec’s Client Security on government-issued computers that offers virus, spyware, and intrusion protection as well as personal firewall features. The computers are physically protected by Absolute Software’s Computrace – “the LoJack of computer hardware” says Jordan, which lets the county trace the location of a computer. In addition, the county secures network access with firewalls and uses SSL for authentication.

While Jordan believes these technologies combined create “a robust remote extension facility,” there’s more to be done, such as adding layers of protection to the information stored in the county’s databases. Such is the case with most organizations trying to secure their remote workers --there’s always room for improvement.

Click to see: Remote security

“A lot of organizations still believe that a security strategy is antivirus, and that simply doesn’t work anymore,” says Natalie Lambert, senior analyst at Forrester Research.

“Now attacks are nefarious, extracting corporate information, and there’s a lot of organized crime and going after competitors . . . attacks these days are very targeted.”

Forrester recommends some basic elements for remote PCs to make them “well managed, well secured,” says Lambert. The list includes client management software so that the central IT department can keep control over what’s being installed and executed on remote PCs, as well as basic client security suites with antimalware, personal firewall, and intrusion detection/prevention software. She also suggests full-disk encryption for PCs that travel, so if a laptop containing personal customer or employee information is stolen the company will not be liable should it be taken to court.

One method of giving remote workers a secure, and relatively simple, way to work that’s been gaining popularity is via a terminal server, says Lambert, where remote employees log on to a server and have all their applications and data at hand but don’t cross the network. In this scenario, where all the applications run on data center computers, the aforementioned remote client security software isn’t needed, she says. But once a Web browser is added to that remote PC it becomes vulnerable to Internet threats and needs to be secured like any other computer, Lambert says.