The following text is
copyright 2009 by Network World, permission is hereby given for reproduction,
as long as attribution is given and this notice is included.
Human and computer viruses are both security risks
By: Scott Bradner
The US Federal government is worried about the Swine Flu
(official name: 2009 H1N1 influenza virus). There have been predictions by experts of two or three times
the normal number of flu-related deaths this coming flu season - maybe as many
as 90 thousand deaths in the US - but official government forecasts say that
the number is likely to be far lower. In spite of the disagreement over the number of deaths there
seems to be a general agreement that millions of people in the US will fall ill
from the virus. There also is
general agreement among governmental officials that the flu is going to cause
major disruptions - including in the workplace, and that could present some
significant security challenges.
In mid August the Secretaries of the US Departments of
Commerce, Health and Human Services and Homeland Security announced new federal
guidance from the Centers for Disease Control (CDC) for businesses in regard
to the Swine Flu (http://www.cdc.gov/h1n1flu/business/). They also pointed at a government web
site focusing on flu-related issues (http://www.flu.gov). The CDC guidance is quite extensive and
useful as businesses work out their own flu response plans. One of the clear messages from the CDC
is that a lot of employees will be staying at home, some because they get sick,
some because their kids get sick and some because their kids' schools closed or
because a business decides to reduce the spread of the flu among their
employees by telling them to work from home. In any case there are likely to be a lot of additional
employees wanting to, or needing to, work from home. Are you ready?
Allowing employees to do sensitive company work at home
creates a number of security issues.
In order to minimize some of these issues companies need to develop and
promulgate clear policies on what information employees can access from home
and how it must be protected. The
newly revised regulations for implementing the Mass Identity Theft Law require
companies to develop "security policies for employees that take into
account whether and how employees should be allowed to keep, access and
transport records containing personal information outside of business
premises."
(http://www.mass.gov/Eoca/docs/idtheft/201CMR17amended.pdf) This is one of the requirements that
survived the recent evisceration of an earlier set of regulations designed to
implement the law.
This is a good requirement. Companies should also decide if employees will be permitted
to use non-company computers to work from home - you know, the computers that
the kids use to run music sharing software that can open access to all files on
the computer.
(http://news.cnet.com/8301-10787_3-10184785-60.html) Rules for personal
use of the computers must be very clear if employees will be required to use
company computers. Up-to-date
virus protection is a must and systems need to be patched as soon as updates
are issued. Methods of access
should also be mandated; for example, requiring the use of VPNs to access
company resources can help reduce some security risks.
But it is not enough to have rules for the home-bound
employees - company services must also be designed to reduce risk - for example
servers that store confidential company information should not be directly
accessible from the Internet. You
do not want your company to be the next poster child for what happens when a
corporate web server gets hacked.
Since your company will be impacted by the Swine Flu, you
might as well use it as an opportunity to strengthen and clarify your remote
access and data handling policies, if you are like most businesses and have
never really thought about the issue.
disclaimer:
Harvard's business is getting people to think about things and I have
been working on this issue in my day job but the university has not announced a
specific remote access policy (yet).