Secretary Hillary Clinton’s email scandal should make every employer in the private sector and the government take pause.
Telecommuting, whether authorized or not, isn’t just a new fad. It is estimated that 50% of US jobs are compatible with telecommuting, and the pressure to reduce costs pushes many companies and government organizations to adopt a work-at-home model.
This raises many cybersecurity issues. The communication method most used to interact with employees is email. Have you set up a secure company email system? Do you have enforceable policies for your computers and mobile devices located in employees’ homes? Do the employees use their own system with your proprietary information residing on their computer, or do you provide the equipment?
Do you have physical security for your organization’s facility? Does your telecommuter have any physical security in place, or can the neighborhood kids gain access to your hardware and information when they come over?
Remember the John Deutch laptop scandal? Deutch, while Director of the CIA, was issued an unclassified laptop. After he left office, they reviewed his laptop and found classified information on it, and also found that his son had used the computer to surf porn sites on the Internet, thus exposing classified information on the uncleared Internet. This was just after Deutch had testified in our June 1996 Senate hearings on Security in Cyberspace (I was the lead Senate Investigator for Sen. Sam Nunn’s, Permanent Subcommittee on Investigations hearings). Deutch testified on the Information Warfare Capabilities of our adversaries. I even shared my bagel with him the morning he testified. Again, we talk the talk but don’t walk the walk.
In another position, I had a cleared government contractor (Systems Administrator) who worked for me. He was issued an unclassified laptop so he could monitor and perform remedial maintenance on our unclassified network remotely, if the need arose. He came under investigation for computer misuse and we seized his laptop. A couple of hours later, he came to me and asked if he could get his wife’s Tupperware files off of the computer, because she had been running her business on our government laptop. You can guess what my answer was.
Do you do background checks on your employees before entrusting them with your proprietary information and hardware? Deutch and our contractor had the highest security clearances.
Have you trained your employees? Are the company/organization seniors trained properly? Do you conduct unannounced home visits to make sure they are abiding by your policies? Are they held accountable if they are not? Can you get physical access to company-issued equipment when you need to? Do you have a crisis plan in place for when things go bad?
Is your network, and therefore your Intellectual Property (IP) and trade secrets, at risk from telecommuters and mobile devices?
How do you protect your organization’s IP and networks while embracing telecommuting? Want to hear from you.
Jim Christy is VP of Investigations and Digital Forensics at Cymmetria. Jim retired from the U.S. government in 2013, ending a career investigating computer crimes and running digital forensics labs that began in 1986 at the Air Force Office of Special Investigations.