“Working from Home” – The next insider threat?

March 21, 2013 by Jesse Valentin

Even with all the technical advances of current human society, there are unfortunately certain areas where we have not progressed as a people but instead – REGRESSED. The proliferation of educational material and the availability of these resources have not been able to remedy very basic human problems, among which is dishonesty. This has created problems from many different perspectives. For example, if you’re a creative individual then your concern is that a “dishonest” party may steal your ideas. If you’re a company that offers a work from home benefit, then your concern is that “dishonest” employees may be stealing your money by not properly using the time for which they’re being paid. If you factor in to this equation the ever-vanishing perimeter and the connect-from-anywhere mentality – then working from home has just become the next insider threat vector. This article will discuss certain suggestions that can help managers and companies offering this benefit to address this issue using a layered approach. This will help to ensure that they are staying competitive while still being able to offer this benefit to honest, hardworking employees.

So, where do we start?

Defining the Relationship Between Employer and Employee

Since employment is an official agreement of certain terms between an individual and their employer, it must be considered a “business deal” or contract. Before accepting any business deals, both parties need to understand what they require from each other. From the perspective of the employer, hiring an individual is an investment in the current talent and future abilities that this person can develop to further the interests of the employer.

The employee in turn considers accepting the position as an investment in time and agrees to perform a certain function to the best of their ability for an agreed upon price. This “price” is manifested in the form of a salary, benefits and other perks possibly made available by the employer. One of these additional perks is:

Creating the Right Culture

Many companies have also decided on certain strategies to attract and retain talent within their organizations to protect these investments in staff. Among these strategies is creating a corporate culture that gives an employee direction but allows enough latitude to permit them to fulfill their responsibilities according to their own education and experience.

Working in this type of environment can be very gratifying, as the employee develops a sense of purpose in the job they are accomplishing and is motivated to produce quality work. In creating this type of culture, some organizations have opted to allow the work from home benefit and permit their employees to stay productive while in the comfort of their own homes. This allows the employer to experience a cost savings by perhaps not requiring as much real estate, utilities or Internet circuits to run daily operations.

The employee also receives the benefit of reduced commute costs, a more relaxed and familiar work environment and more flexibility in their personal lives. This freedom creates a certain responsibility both from the employer and the employee. The employee obviously needs to honor their employment agreement and utilize the time they are being paid for to address work that is required by their employer. The employer in turn needs to ensure that they communicate corporate objectives to the employee and provide the remote worker with specific direction so they can reach those goals. To accomplish this, an organization needs to create the:

Proper Policies

The organization should ensure that they have proper human resource and information security policies in place to govern the behavior of employees while they are working from home. Among other things, this document should outline the response times that are expected from remote workers and it should be read and signed by the employee.

This will help the employees to fully understand the company’s requirements before agreeing to work from home and will protect the company in the event any behavior that strays from this direction occurs. How can an organization stay abreast of employee work habits in the field? This brings us to our next section…

Diligent Managers

Normally, a large corporation has multiple divisions and geographic locations which make it impossible for one individual to manage the entire organization. This is the reason for the existence of Managing Directors, VP’s, AVP’s, Divisional Presidents and a whole list of other lofty titles that are assigned to individuals that compose the management structure for directing multiple areas efficiently. It is the responsibility of the management head on each level to ensure that the efforts of their downstream employees are meeting corporate goals.

This coordination also includes being informed as to what their immediate reports are doing with their time. This is an organization’s first line of defense – its managers. Any manager or director worth their salt must have a very clear understanding of what their employees are doing throughout the day and if they don’t – then they need to communicate with their employees so that they do. Certain communication methods such as status reports and team conference calls are very useful in this regard and help managers to avoid “micro-managing” their employees as this can add stress and negatively impact their quality of work and overall productivity.

It may also be beneficial for a manager to keep a master list of projects with a progress record that shows which employee has been given responsibility for each portion of the project. At specified weekly or monthly intervals, a manager can request a status report from their employees to determine their progress. This periodic reporting structure will provide a historic metric to the manager to measure the productivity of the employee. Aside from a status report, the final product will also be a tremendous indicator of the employee’s ability and organizational skills.

If the final product is not of the expected quality or clients are consistently dissatisfied with the work, then this provides the manager with “red flags”, where the employee’s work may need assistance or closer scrutiny. If an employee consistently fails to meet project deadlines or even report a status on pending work then the manager should make it a point to address this issue immediately. In this way, non-productive employees can be identified and helped to improve and the work from home benefit retains its value. What is another method of maintaining communication with remote employees?

Interoffice Collaboration Tools

Packages such as Cisco Jabber, Microsoft Lync and IBM Sametime not only provide an instant way of communicating but also integrate with the employee’s calendaring program to provide updated presence information for each individual signed on to the computer. Some of these tools can be configured to show customized presence information for an individual such as Idle, Away, In a meeting, With a Client, etc. – and broadcast this status to all connected users. The majority of these tools also provide support for video conferencing, VoIP calls and desktop sharing functionality.

A company offering a work at home benefit can mandate that employees who decide to exercise this option must ensure they are signed on to the collaboration tool during working hours. If an individual is consistently “Away” or neglects to respond to instant messages in a timely fashion, this can also be an indicator of an employee that may need to be more closely scrutinized.

This needs to be balanced so as not to create a dictatorial culture or burden management but the point being made here is that this method can provide another metric against which an employee’s productivity and diligence can be measured. This protects productive employees by allowing them to enjoy more freedom as their heightened productivity demonstrates that they are a more “secure investment” that can be trusted with this type of latitude.

Aside from providing tools to collaborate, an organization also needs to ensure that the environment in which employees will be working is conducive to quality productivity. This brings us to our next suggestion…

Home Office Assessments

Prior to granting an employee a work from home benefit, an organization should ensure that their work environment is going to help them succeed. Some organizations provide a list of requirements that must be met prior to being able to work from home. Some of these requirements include having a separate office location in the home where the employee can maintain focus without being interrupted. If an employee’s work from home location is the dinner table or the couch in the family room, it will be very difficult to maintain productivity and focus.

This problem is exacerbated if the employee has children that may be in the home as well. At a minimum, each employee that wants to work from home should have options similar to the following:

  • A separate room with a lockable door (e.g. finished basement, detached garage, unused bedroom, etc.)
  • Good lighting and ventilation
  • Proper workspace (This should be a desk with ample space for a computer, monitors, papers, printer, coffee mug and other items that will be necessary for use during the work day)
  • Ergonomic Office Chair (This will reduce the amount of physical stress)
  • Live in a location that offers high speed Internet service (This goes without saying but if an employee is located in a place with frequent outages or limited tech service, this can quickly become a productivity issue).
  • For Non-IT personnel, they should live in an area with close proximity to a corporate office so that in the event they require technical support, they’ll be able to drive in to an office to gain assistance.

Each organization needs to carefully analyze their own unique needs but these suggestions can start discussions of specific requirements.

VPN Logs

VPN Logs are antiquated but nonetheless offer another method to gain a high level view of how often an employee connects to your VPN concentrator and how long the person stays connected. I say “high level” because this method will not show you how the employee is using their time; instead it will only show that they have connected for a specific amount of time.

A user could potentially stream video from the Internet over the VPN connection and this would show activity until an admin ran a sniffer to determine the type of traffic flowing over the respective link. Although it is possible to gain a detailed view of what the employee is doing, this method is not very efficient and does not truly paint an accurate picture of the employee’s overall productivity.
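As an added illustration (not part of the original article), the sketch below shows the kind of high level view VPN logs can give: sessions per user and total connected time, and nothing about what the time was used for. The log format, user names and timestamps are constructed for this example; real concentrators each have their own format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a made-up format; real concentrators differ.
SAMPLE_LOG = """\
2013-03-18T08:02:11 CONNECT user=alice
2013-03-18T12:01:40 DISCONNECT user=alice
2013-03-18T13:00:05 CONNECT user=alice
2013-03-18T17:05:35 DISCONNECT user=alice
2013-03-18T09:15:00 CONNECT user=bob
2013-03-18T09:45:00 DISCONNECT user=bob
2013-03-18T10:00:00 DISCONNECT user=carol
2013-03-18T16:30:00 CONNECT user=bob
"""

def summarize_sessions(log_text):
    """Return {user: {"sessions", "connected_seconds", "open"}}."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("user="):
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        events.append((ts, parts[1], parts[2][len("user="):]))
    events.sort(key=lambda e: e[0])  # logs are not always written in time order

    open_since = {}
    summary = defaultdict(lambda: {"sessions": 0, "connected_seconds": 0, "open": False})
    for ts, action, user in events:
        if action == "CONNECT":
            open_since[user] = ts
        elif action == "DISCONNECT" and user in open_since:
            start = open_since.pop(user)
            summary[user]["sessions"] += 1
            summary[user]["connected_seconds"] += int((ts - start).total_seconds())
        # A DISCONNECT with no matching CONNECT is ignored (session began before the log).
    for user in open_since:
        summary[user]["open"] = True  # still connected at the end of the log
    return dict(summary)

if __name__ == "__main__":
    for user, stats in sorted(summarize_sessions(SAMPLE_LOG).items()):
        print(user, stats)
```

The summary reports only connection counts and durations, which is exactly the limit the section describes: a long session says nothing about the traffic inside it.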

Client Feedback Surveys

Client surveys are also a very good indicator of an employee’s work ethic and ability to deliver quality work. In the case of IT personnel that may work from home, it would be beneficial to have a method to communicate with the end user groups or other IT groups to gain an understanding of the client’s experience when working with the employee. This can immediately indicate to a manager if the employee is productive and if the organization is experiencing a good return on its “initial investment” in the employee. Employees that are performing above expectations would then be recognized for their hard work while problematic employees could be identified and corrected.

There are many more methods that can be implemented and tailored to help organizations to protect their investments. This article was drafted to provide some suggestions to address potential abuse of the work from home system and still allow productive employees to demonstrate their commitment to excellence. Since each organization is unique, it is imperative to analyze your own environment to determine which methods will better suit your specific needs.

Regardless of the methods chosen, addressing this situation using a layered approach will assist companies to ensure their investments are protected. This will allow deserving individuals the freedom and convenience to produce work in a flexible environment and allow the organization to benefit by moving with the progressive trend of eliminating the traditional perimeter from the work place.

Jesse Valentin is a security professional with 18 years experience in Information Security. During this time he has worked for various financial firms, security consulting companies and non-profit organizations where he has specialized in areas of Enterprise Risk Assessments, Compliance Readiness, IT General Controls Audits, development of Incident Response plans, Corporate Information Security Programs, Security Awareness Training and Secure Application Architecture.