Martin Allen, managing director of specialist firm Pointsec, looks at the practical issues of setting up an ICT strategy providing flexible data security...
The recent publication of the authoritative Acas- and DTI-sponsored Workplace Employment Relations Survey (WERS) 2004 highlighted that the number of workplaces offering staff the opportunity to work flexibly has almost doubled in the last six years, and the trend is being boosted by legislation.
There is a growing realisation among employers that "productive work" and "access to corporate systems" do not equate to "physical presence in the office", and that there is a better way of working that addresses some of the issues of achieving a work/life balance.
The world is opening up, as the "workplace" is redefined from being a common static location, which everyone travels to every day, to the "place where staff can work productively without making unnecessary journeys".
The spread of broadband, Wi-Fi and similar technologies means that employees can now access the same information in a remote location as they could historically at an office desk.
Reports can be written, email dealt with, databases updated and consulted, even while the employee sits at home, in their car, or in a park or hotel in a foreign country, and often more productively, as they are without the distractions of an open-plan office.
However, there is a price to pay for all this flexibility and not just in monthly payments to ISPs or buying new portables for everyone - that price is vigilance and security.
Lack of either will lead to someone saying something along the lines of: "Everything was fine until..."
The first issue of flexible working arises as soon as staff leave the office to visit a client, or go home, carrying any device that can store valuable or sensitive information, including notebook computers, PDAs, smartphones, USB tokens and CDs.
It follows the basic rule of life that anything being carried will, sometime during its life, be dropped, temporarily misplaced, left behind or stolen.
A risk analysis will quickly identify that the critical things we have to protect are the corporate networks, which unauthorised people could reach by using the portable ICT equipment, and the data itself, not the equipment, which gets cheaper to replace every week.
This should be written into the security policy, so that everyone is aware of what information and equipment is allowed in the teleworking environment.
So we must ensure that users take certain mandatory actions, including backing up their data on a regular basis, implementing on-board security features, installing additional password access to corporate data and communication programs, and encrypting the data.
Network security should also include a VPN (corporate firewall), a personal firewall and antivirus/anti-spyware.
To ensure users follow these mandatory requirements we must make the whole process both transparent and easy to use.
It is worth investing in the best encryption software that does not affect the performance of the device, so that the user is not encouraged to try to circumvent the access control or encryption on their device.
Transparency can be achieved by only allowing "certified" equipment to be used to access the corporate system(s).
Certification is achieved by the IT section ensuring that both password and encryption software are installed and running and cannot be bypassed by the user.
They can also install sub-routines that ensure data is backed up automatically to a remote location at set intervals.
This makes the processes both mandatory and transparent, as the user does not have to decide what should or should not be encrypted or backed up, and so the security policy is adhered to.
As for "ease of use", be realistic: don't expect everyone to be able to memorise a new 30-digit alphanumeric number every month.
Try to find a solution that helps them remember, so that they don't feel they have to write it down.
Remember that it is inevitable that equipment will be damaged, lost or stolen, and there is no cost-effective way of stopping that from happening.
But when it does happen, you don't have to lose sensitive information, which typically has a bigger cost impact.
So work on the principle that it is the data and time invested that need to be protected, and ensure that the data cannot be read by unauthorised individuals even if they get physical possession of it.
Data can be recovered from a backup system.
That way you will ensure that you protect your data from both unintentional loss and theft.
If you keep that advice in mind, then there is no reason why adopting flexible and remote working practices should result in anything other than a win-win strategy for both employers and employees.