ICT supplement:
Remote control

With increasing numbers of employees working remotely, a raft of new IT security issues has arisen. Gary Flood looks at the controls organisations can put in place to avoid nasty security breaches and frustrating data loss

When asked if they support remote working, managers are likely to say that it’s not so much that they’d like their staff to do it – they basically have no choice but let them.

On the one hand there is a raft of pro-family legislation from Brussels and Whitehall, such as the EU Working Time Directive, UK government emphasis on work-life balance legislation and the right to request flexible working and the like. On the other, to be frank, the horse has long bolted out of this stable door thanks to technology.

Communications watchdog Ofcom last month noted that more than half of the country’s adult population has access to broadband at home – 13 million homes and small businesses are now hooked up to fast Internet pipes, compared to 9.9 million a year ago.

And the pace is quickening, too: the same study says the average domestic connectivity speed is a very healthy 3.8 Mbit/s compared to 1.6 Mbit/s at the close of 2005. Allied to all of this is the push for laptop tapping on the train, overpriced coffee chains and other public spaces – indeed, if market watchers IDC are right, the desktop PC will soon be the minority in terms of computers, given its prediction that laptops will become the most popular type of computer by 2011, the vast majority of which will be wireless-enabled.

“Remote working is increasingly just taken as read by staff,” points out John Tate, chair of charity IT body CITRA. “The technology is well in place and BT is already talking about 20 Megabits to the home, and technically we could soon see 100.”

The point being that if remote working – defined as members of an organisation logging in to work email and web sites from their homes or on the road – is on the rise, the onus is on the IT manager to make it safe.

Why is this an issue? There are several aspects, says Matt Fisher, European vice president of network security specialist Centennial. “What we’re seeing is more and more sensitive information drifting away from the controlled environment of the corporate network. This means donor information and other sensitive data is open to loss or theft.”

There is also the danger that home access using something like PC Anywhere, if unprotected, can be easily polled by hackers doing so-called ‘war dialling’ to get possible modem numbers, leaving the system totally open for abuse or meddling.

Fisher also says that if the information is seeping out to employees outside the four walls of your buildings, they are also bringing a lot of stuff in. “So many of us now have iPods and MP3 players, digital cameras, memory sticks, USB devices and so on that are getting plugged in to devices at work. There’s a productivity issue here – why let people play with their music collections and holiday snaps 9 to 5 – but also security. People can walk in with such devices and walk out with things they shouldn’t have, be that sensitive HR documents or spreadsheets with customer information on them.”

Thus responsible managers need to look at ways to support remote working but also make sure it’s done responsibly. For Tate, the word ‘manager’ is key in that statement. “The fact is that security is just not given the attention it should be given in the third sector, and that is an issue for trustees and chief executives more than IT managers, to be frank. It’s my experience that the higher up the organisation the less appreciation there is about these issues. It strikes me as odd that boards are happy to pay for financial audits but leery of conducting security audits. And for smaller charities you often see no effective policy in place at all.”

“I’ve seen the best and worst in this sector around this issue,” claims Paul Vlissidis, technical director of IT security consultancy NCC Group. “I’ve seen really bad practice, like just letting people dial in from home to the central database with no controls at all, to people getting procedures around only using sanctioned equipment over safe lines.”


The good news is that where sensitive information is being used daily, like advice lines for vulnerable sections of the population, IT security discipline is strong, he adds. But it’s the vast majority of non-profits, where a lot of volunteers or home workers may be the norm, that may be exposing themselves to potential harm.

What can technology do to help? Most commentators recommend only allowing staff to connect to the home IT system via secured VPN (virtual private network) channels. However, technology like this can’t help that much when the remote device, laptop, PDA or what have you, is lost, stolen or damaged. A better approach would be to effectively return to client/server days: hold and control all information as centrally as possible and not let local copies proliferate.

This would also, arguably, make staff’s lives easier. “Let’s face it – a volunteer working at home for the cause they love isn’t interested or up to encrypting and decrypting data; they’re not IT administrators,” says Mike Oliver, European marketing manager for Sybase iAnywhere, which makes software to help administer remote working. “Take away from the end user as much as possible the work of managing security and getting updates etc and this will give you and your donors a sense of security.”

This is fine if you can do it, but some may baulk at potential cost issues around this level of security software. In saying that, there are other more basic steps that don’t involve purchasing new equipment at all. As Vlissidis points out: “The simplest and best approach here is to just lay down rules such as never letting people work from things like Internet Cafes, making sure if sensitive data does leave the building it’s encrypted and discourage too much local use of information.”

Niroo Rad, chief executive of data management firm ASI, backs up the idea that simple is effective. “Just ensuring that passwords are regularly changed can be a real step forward here. It may strike staff as a bit regimented but it can be a very useful way of enforcing a more security conscious perspective.”

The message is clear – remote working is here to stay but there are steps responsible IT managers and organisations need to take to make sure it is done in the safest and most rewarding way for the staff, organisations and supporters involved. All key stakeholders ultimately want to feel their information is as safe and secure on the 5.15 to Brighton as it is locked in the HQ’s safe, after all.

Case Study – New Charter Housing Group

One UK non-profit that has taken active steps to better safeguard its systems in the era of a more mobile workforce is the New Charter Housing Trust Group. One of the UK’s largest social housing organisations, New Charter, which manages over 15,000 properties, is the result of the takeover of properties formerly owned by Tameside Council near Oldham.

“We hold a lot of very sensitive client information,” says its IT infrastructure manager John Westwood. “We have data on tenants’ personal details as well as confidential material such as anti-social behaviour orders, among other things. It was very important to ensure this couldn’t be abused, either wittingly or inadvertently, as it would both break data protection regulations and betray tenant confidentiality.”

The organisation was already data security conscious, having implemented rigorous network monitoring and anti-virus controls. But employees need to go out of the office and take electronic equipment with them, such as digital cameras to take snaps of properties.

“We recently moved to a new central building and as part of that process undertook a major security review,” he says. “We found through that exercise that while in general we had a nice robust IT security usage policy, when it came to things like memory sticks and movable devices we had a loophole. There was just no way to enforce or regulate controls here.”

As a result, New Charter, after an extensive review of the market, has picked DeviceWall, a security software tool, from Centennial (see main story). This allows connection of things like USB ports but only within parameters set by the organisation, he says.

“We knew a blanket ban wouldn’t work. Users like this solution as it lets them do their work, such as downloading photos, but every time they do it the system asks for a temporary password so everyone knows they are working responsibly.”


current magazine cover
 E Newsalert 
 Charity services
 Past issues
 Site map
navigation UK Charity Awards
navigation Charity Buyers Guide