Home working was once the domain of the few, from teachers with stacks of exercise books, to executives taking home briefcases full of paperwork. In general, the ‘work’ was limited to what people could carry. Successive generations of technology, from portable laptops to cloud-based services, have all had an impact on what it has been possible to do at home.
Waves of home working
We saw the first wave of technology-driven home working in the 1990s, when the price of personal computers dropped to ‘just’ a few thousand pounds. Most computer-based work took place ‘offline’ with data transfers initially by diskette; then, with the arrival of laptops, documents and data were synchronised by plugging into the corporate network.
Reliable, adequate bandwidth signalled a second wave in home working, initially limited to data transfers via modems and using rudimentary email. The rapid growth of Internet capabilities and the arrival of broadband enabled home workers to carry out their activities and collaborate with their colleagues online, in real time.
But still, the model was largely to enable remote access to the office. By the turn of the Millennium, application service providers started to offer Internet-based services that could be accessed just as easily from the office or from the home. With the increasing availability of broadband, coupled with workable remote access tools, corporate IT managers had more of a choice about where IT facilities could be situated – signalling the third wave, and the dawn of cloud computing.
In the same time frame, mobile telephony moved from devices so heavy they could only be installed in cars, to the highly portable handsets we see today. With the kinds of services now available, social networking, tablets and no end of increasingly smart devices, the fourth wave is always on, and the boundary between home and work has all but disappeared.
Good for business?
Unsurprisingly, businesses are encouraging home working for one simple reason: buildings are expensive. In recent years organisations have been looking to increase how their staff work from home. Some workplaces, such as Vodafone’s headquarters in Newbury, have a hotdesk-only environment for all but a core of essential (largely administrative) staff.
But while home working is cheaper, is it actually better for business? From a risk management perspective, the benefits have to be weighed against the costs of things going wrong. Each new technology has brought with it a wave of potential downsides, not the least in that it presents new security challenges that need to be understood and addressed.
Given the wealth of possibilities that technology makes available, the biggest challenge for many organisation is simply trying to understand what the issues might be. For example, are mobile phones a security risk? Should certain web sites be blocked, or only certain USB sticks authorised? What patches should be installed, and should home-working staff be expected to do this themselves?
Faced with such complexity, it can be difficult to see any other option than a draconian, ‘lock-it-all-down’ approach. Not only would this require a vast amount of effort, but it could also be ultimately counter-productive, as it restricts what workers can do at home. At the other end of the scale, and no less satisfactory, is to let home workers do what they want in the hope that nothing bad happens.
Finding a middle ground
Is it possible to find a satisfactory answer that balances the needs of home workers at the same time as keeping risks in check? The answer is yes, but with one caveat: that it is not possible to protect against absolutely every type of threat. A child knocking a computer off a table can cause as much damage as a rogue piece of malware deleting the content of the hard drive.
To square the circle we can consider protective measures in three areas: devices, data and services. First, just because we’re in a complex world, it doesn’t mean we should simply leave the technological doors wide open. There is still a place for having an up-to-date antivirus program running, for password protection of both computers and mobile devices, and for a straightforward acceptable use policy which sets out what can be done with corporate devices.
More important than the devices, however, is the data that they store. Even the smallest of businesses can build a picture of the different kinds of data it needs to conduct its activities: financial data, customer data, product data and so on. While devices may change, the data we are trying to protect remains relatively static; and every company has an obligation to ensure that it is managing such information in an acceptable manner. Devices, ultimately, are disposable and technologies exist to enable their ‘remote wipe’ to ensure any data they contain is rendered inaccessible if they are stolen.
Which brings us to services. Organisations can choose the tools they use to store, access and manipulate data, and in doing so, make decisions about risk. For example, using a Cloud-based customer relationship management tool requires due diligence about the service provider and whether it will protect the data it manages – the level of protection can be weighed against the alternative, of staff members storing local copies of customer data on their own devices. Equally important, however, is that the work force will be able to access the service from wherever they are.
So, yes, we are moving into a more complex world, with more choices about how we do things. It simply isn’t possible for any firm to keep up with the complexity. However, businesses can ensure that corporate devices have the minimum necessary level of protection in place and that managers have agreed with staff what constitutes ‘acceptable use’. They can make choices about the services they use, and balance the risks of online access versus local resources. And most of all, they can think about the data itself. New devices, new capabilities, new working practices will pear all the time but we can at least ensure that this, above all, is protected.
