I’ve been spending a fair amount of time looking at home working recently, and the one big topic that comes up regularly is security. Interestingly, the feedback that has come up from organisations who are more experienced in this area, is that a lot of the issues are perception rather than actual. Companies who have tried home working have actually experienced the same or lower number of security issues compared to those who kept people onsite. This appears to be driven by two reasons
1) The demographic of a home agent is very different to that of an onsite agent (on average). Home agents are 38 (15yrs older than onsite agents) and have higher than average education
2) Working at home is seen as a very big benefit for people, and the threat of losing this benefit is in many cases a very good deterrent to criminal behaviour.
Sensible precautions still need to be taken though, so I’ve split these up into 3 areas
This is about making sure the transport of data to the home, and its use on a PC is secure. It is a familiar area for IT managers, as it encompasses using a VPN to securely transport data, and using a thin client session to display the CRM data. The thin client sessions are set-up to stop any other activity on the PC at the same time to ensure that data cannot be copy/pasted into other applications.
One area that is less familiar to IT managers is PCI (Payment Card Industry) compliance. The PCI rules are complex, but relate to ensuring that the 16 digit credit card number and the 3 digit security code are not stored or accessible to unauthorised people. The best solution I’ve seen to this so far is from a company called Veritape that asks the end user to enter their credit details using the phone keypad. The tones made are then masked so that the agent cannot hear them, and the system enters the details on screen as **** (the same way that passwords work). This way the agents never see the credit card details.
Are you who you say you are?
This is about ensuring that the person signing onto the computer or phone is the agent, rather than an imposter. Again, its mostly an area that is familiar to IT managers, and covers basic steps such as asking for password or sign-in data on a more regular basis (compared to when in the office), up to fingerprint scans to authorise sign-in. Some companies are also looking at using web-cams and regularly turning these on to make sure that the correct person is visible.
Who else is in the room?
This is the one that is most troubling for organisation, the perimeter security that a building provides is lost in the home environment, so how do I know that someone isn’t looking over the shoulder of the agent and taking down the sensitive notes. The webcam approach described above is being reviewed by some companies, but is generally an extreme view.
For companies that have implemented home working, the realities are less daunting that the upfront perceptions. With the right recruitment approach, a trial period onsite for 6 months, and the implied threat of losing the benefit of home-working, then most companies are comfortable with home workers as long as the sensible steps of data security are addressed.