Remote workers could be your weakest link

One of the biggest threats to corporate security is from the growing ranks of home workers. Lisa Kelly examines the best protection strategies.

Written by Lisa Kelly

As the trend towards remote and home working gathers pace, the need to ensure the security of systems used by off-site staff is paramount.

But an 'out of sight, out of mind' attitude is leaving many organisations wide open to the risk of viruses, hackers and corporate information getting into the wrong hands, at a time when more workers are abandoning their offices in favour of home working.

The government's Flexible Working Regulations came into force last April. Parents with children under the age of six, and disabled children under 18, now have the legal right to get their employers to seriously consider requests to work flexibly, including the right to work from home. It is this style of remote worker, rather than a mobile sales force, that is throwing up new security challenges.

Department of Trade and Industry figures show that more than a third of managers and professionals who are currently office-based would like to work from home on a regular basis. Their wish may come true, according to industry watcher Datamonitor.

It predicts that between 2002 and 2005 the number of home workers in the UK will have increased by 26 per cent to 8.2 million.

"It is less easy for an employer to turn down a request to work from home," explained Danielle Kingdon, partner at law firm Osborne Clarke.

"Home working will soon be part and parcel of working life. We're advising firms that receive such requests to look carefully at the security of processing data at home, including training on data protection requirements, document waste, procedures for changing passwords and virus checking."

The weakest link
The technology is there to support home workers, particularly with the increasing uptake of broadband and wireless internet access. But more often than not, they are proving to be "the weakest security link", according to Paul Vlissidis, head of risk at assurance company NCC Group.

"As broadband sweeps across the country, there's a lot of pressure to connect home workers to corporate systems as people think 'why can't I just do more work from home?'. But many PCs are being plumbed in semi-naked," he said.

A recent NCC Group survey found that hackers are gaining backdoor access to attack corporate networks through poor security on home workers' PCs, with one-in-six found to be without any protection.

"The problem will get worse as wireless technology takes off," warned Vlissidis. "I recently drove through a residential area looking for a BT Openzone wireless network hotspot and was swamped by open wireless networks with zero security.

"The danger is that a hacker could find out where a director lived, go to his house with a connected wireless laptop and steal information just sitting on a home PC.

"There's a degree of anarchy out there as workers are given wireless networks because they are cheap and easy to install, but many don't worry about secure configuration."

The NCC Group's concerns about lax IT security are backed by the findings of a poll of 3,000 IT systems administrators conducted last year by antivirus company Sophos.

It showed that, while 66 per cent of companies are updating their office-based antivirus software on a daily basis, the same rigorous approach did not stretch to remote workers, with 70 per cent of companies updating on a weekly basis and 45 per cent relying on monthly updates.

"That isn't good enough," said Carole Theriault, security consultant at Sophos. "Three years ago it may have been OK, but with viruses such as Blaster and SoBig on the increase, home workers need protection in double-quick time."

According to Theriault, the security risk is exacerbated because home workers are often just a human resources issue. "The HR department doesn't necessarily care if the home worker buys his or her own computer and what they do with it, but there are dangers when such computers don't come under the jurisdiction of the IT department," she warned.

"Home workers may not bother to download 20Mb of up-to-date patches, but the problem is that they still represent the company.

"If children, for example, are using the machines to download games or are opening infected email attachments, and viruses are picked up and sent onto customers, it's the company's reputation at stake."

Campus catastrophe
The Open University's experience of the SoBig and Blaster viruses last year starkly highlights the need for organisations to educate remote workers on the importance of security.

The University has a multi-layer antivirus and spam strategy to protect its messaging infrastructure, but with thousands of students and professors working remotely and interacting with the university via email, it was severely hit by the viruses.

"Blaster saturated the network. It's OK for guys to work from home but we must protect our core infrastructure," explained Marilyn Moffat, software manager at the Open University.

"We're still struggling to educate users on safe computing, especially with the increasing speed of the exploit lifecycle of viruses."

Despite a university Computing Code of Conduct, which obliges users not to disrupt the network by attaching equipment that could harm it, enforcing policies can be tough.

"The biggest challenge is how to deal with visiting academics and random visitors with their own machines. Trying to make users understand the idea of a personal firewall is all very well when there are all levels of technical ability," said Moffat.

To overcome this problem, the university is planning to distribute a CD to help users tackle security.

Keeping security user-friendly is advisable, according to Cat Maben, principal consultant for networking vendor Avaya's enterprise security practice.

"Unless companies make security relatively easy for remote workers, they will find ways round it as they want to get their work done," she explained.

Virtual private networks (VPNs) that demand complicated passwords before remote users can log on may lead to security breaches.

"Passwords that must have 16-character strings with a certain amount of capital letters and numbers are easy to forget and are more likely to be written down, which undermines security," said Maben. "There has been a turnaround on company policies that are too strict."

Removing unnecessary risk is another way of combating remote workers' security vulnerability. Road warriors, for example, need not access sensitive data.

"Ninety-nine per cent of people on the road only want access to email," said Stuart Okin, Microsoft UK's chief security officer. "A feature in the latest version of Exchange allows Outlook access without gaining full corporate access."

He added that at Microsoft, all remote workers must use its Connection Manager software which "quarantines users from the corporate backbone until security checks are verified".

BT experiment
If an organisation rises to the security obligations of managing remote working, it can reap dividends. For the past seven years, BT has followed a remote working policy built on a strict business case.

With 8,000 home workers contracted to use home as their company headquarters, 40,000 nomadic users who work from a variety of places, and 30,000 engineers who work on the road, the company knows the rewards and responsibilities remote working can bring.

"Maintenance costs are £13,000 per work station per annum in London. Flexible working saves us £50,000 per annum from the cost of running the BT estate," said David Dunbar, head of work style solutions at BT.

The company adopts "an onion approach to security, with automated virus protections and layers of firewalls at both ends: on the employee's machine and the corporate network".

Different remote working styles are catered for, to ensure maximum security. For example, engineers have BlackBerry mobile devices so that email can be checked on the move.

Remote workers dialling into the corporate network use personal passwords and secure ID cards to create a secure VPN. "This gives the same protection you would get on a corporate local area network," said Dunbar.

Home workers are provided with broadband and they must only connect to the corporate network from the PC provided by BT.

"It would be a shame to ban family internet use, so it is permitted via the same line using different dial-up connectivity," explained Dunbar.

He believes that all companies can benefit from home working, but stresses the importance of planning. "Home workers are 20 per cent more productive and staff retention rockets, but if home working is done under the covers then companies are exposing themselves to a security risk that can undermine any gains."

How to keep home working secure:

  • Facilitate home working with the backing of the human resources and IT departments, rather than letting it grow on an ad hoc basis.
  • Create a security policy and educate remote workers on how it affects them.
  • Issue corporate equipment in the home for work purposes only.
  • Deploy virtual private networks with two-factor authentication, such as a PIN and password.
  • Consider thin-client applications for remote workers so that sensitive data is never stored locally.
  • Invest in administration tools to monitor the status of all computers, and check virus updates regularly for remote workers.
  • Advise on the use of personal firewalls.
  • Insist on shredders in the home to prevent information being stolen.
  • Don't make security so restrictive that remote workers find it a nuisance and subvert it.
