Telecommuting Backlash

coondoggie writes to tell us that advocates of the telecommute have stood up against recent finger pointing based on recent telecommuter screw ups. One of the more notable screw up was the recent loss of many veteran's personal information by a VA employee. From the article: "Despite years of growing acceptance, telework still has such detractors. 'The No. 1 challenge is cultural inertia. It's motivating the middle managers, teaching them a new way of doing work,' O'Keeffe says. 'It's the Luddite mentality that we need to change.'"

The problem isn't telecommuting

[Loconut1389]

The problem here isn't telecommuting, it is bad security practices and these problems probably would have happened one way or another, whether it's over a SSH tunnel, VPN, or local on the lan.

Re:The problem isn't telecommuting

[susano_otter]

It's kind of hard to walk off with tons of senstive information when it's being transmitted over an encrypted channel.

I think it really is about telecommuting, and laptop computers. More and more, sensitive data is portable, and more people are taking advantage of that to move sensitive data from "secure" environments to "convenient" environments.

Having some asshat steal a computer full of data doesn't really happen that often to people who keep their computers locked in an office at their employer's campus.

Re:The problem isn't telecommuting

[drinkypoo]

The problem here isn't telecommuting, it is bad security practices and these problems probably would have happened one way or another, whether it's over a SSH tunnel, VPN, or local on the lan.

I both agree and disagree. On one hand, the problem IS bad security practice. It's possible to telecommute safely. On the other hand, the simple truth is that telecommuting opens up new attack vectors. Your data can now be attacked on your system at home, before the VPN is up. It can also be stolen more easily; security on your average office building is better than on your average house.

On the other hand, THIS particular problem could have been avoided by simply using some encryption. Clearly, those who take home confidential data without encrypting it are morons. Some of you are now parting company with me over my allegedly elitist attitude but let's face it, people have been encrypting messages for hundreds (thousands?) of years. This is not a new concept. A user taking home confidential data should be asking themselves how they can protect that data. Anyone who doesn't ask that (in our litigious society, especially) deserves what they get, because they're stupid.

I don't expect everyone to know how to keep data secure. I DO expect them to care enough about it to seek the advice of someone who DOES know.

Re:The problem isn't telecommuting

[Loconut1389]

Regarding the having the data on the work computer- this is exactly the problem.

Of course the potential also exists for viruses or trojans to affect the data over the VPN.

One could even argue that since these same problems could potentially exist on the local lan at the office (installing bad stuff on the machines (again, bad security)) that having it over a vpn is safer since it's not an always-on link.

Bottom line- good security and not allowing people to take things home/offload data (part of good security) are crucial.

Re:The problem isn't telecommuting

[networkBoy]

Take your secure environment with you!
My employer mandates that the encryption feature of our notebooks be used. But it's a PITA, especially if your drive gets corrupted. To counter that we have an on-line backup system that takes a daily image (file by file, not binary image of the disk, for obvious space savings possibilities) of your drive and stores it whenever you are in the plant. While you are off-plant you are still secure because of the encryption. If we lost a notebook we could lose billions of dollars (assuming it's the right notebook). Shit, the data on mine is worth ~$75-100M.

The headlines should read: MegaCorp loses notebook with customer data on it. Company issues this statement: "This is a non-issue, the notebook was encrypted with a system that meets XYZ standard, it will take no less than 200 years for the system to be cracked."
And the statement should be true.
-nB

Re:The problem isn't telecommuting

[Shadow+Wrought]

As much as I am an advocate of telecommuting, having your laptop stolen does no one any good. Middle managers may be luddites by definition, but opening themselves to this type of scandal so you can stay home simply doesn't balance on their risk/benefit sheet.

Re:The problem isn't telecommuting

[AK+Marc]

Having some asshat steal a computer full of data doesn't really happen that often to people who keep their computers locked in an office at their employer's campus.

No, the companies give away the working computers with all the data on them when they are obsolete.

More and more, sensitive data is portable, and more people are taking advantage of that to move sensitive data from "secure" environments to "convenient" environments.

A VPN into a corporate network then a terminal session would fix most of the complaints. Have them work directly from the server and there are no problems. Have the VPN client check that the firewall and virus software is installed, running, and up to date and there are fewer holes. If you are really worried about it, toss more money at it and make a non-split-tunneled hardware VPN from the homes of those that will be going in, then use locked down terminal services. They won't be able to get anything from the Internet without the protections that everyone else in the office has, and no data will be ever put on the local computer.

I can think of lots of ways to make these just about as secure as those at the office. The problem isn't figuring out how to make them secure. The problem is getting executive buy-in and end-user compliance.

Re:The problem isn't telecommuting

[networkBoy]

:):)
Have fun with:
2 proxies
3 NAT layers
1 terminal server (which I suppose is another proxy).

My real point was that there is not a reason for theft of a notebook to be an IP asset issue. If I can "safely" take my data with me, then why not customer data in the same method?
the answer is simple: most companies think their IP is worth more than customer records. If they would simply make the statement:
{IP += CustomerRecords};
then there would be no issue, as you would see the data locked up tight.
-nB

Re:The problem isn't telecommuting

[fm6]

Correct. But this is just one aspect of a wider problem: many companies have plunged into telecomuting without proper planning. Scoping out good security procedures is important, but only part of what you need to do.

One aspect I've really seen neglected is providing a decent communication infrastructure. Software people use shared whiteboards a lot, yet it doesn't occur to companies that their telecommuters need whiteboard software. And then there's teleconferencing: the last big meeting I went to was missed by a lot of employees because they didn't allocate enough slots with AT&T. Then again, with so many people involved, it would have made more sense to provide a audio stream and take questions over IM. But that didn't occur to anybody.

And let's be realistic about folks who telecommute from the other side of the planet. Fine, Indians and Russians work a lot cheaper, and are (sometimes) just as good as their North American counterparts. But you can't arbitrarily fill slots from the other side of the planet: people who work together have to be awake at the same time!

Re:The problem isn't telecommuting

[pilgrim23]

Yep. that computer...the one with a USB port, the USB port that fits so snuggly on my jump drive. that computer is nice and secure right there in the campus...

I still recall a dumpster loaded full of blue bar computer printouts covered in student grades outside the main campus registrar's office. and that was thirty some years ago...

    It has NOTHING to do with telecommute, NOTHING to do with security, it has EVERYTHING to do with butinsky bureaucracy and government gimme. When, as a culture, we finally start saying "None of Your Business" as the most common reply when someone asks you for personal information we will ALL benefit.

Re:The problem isn't telecommuting

A big problem is you have a pc with 75$ million of company data on it. Even if it's encrypted. We should all be using thin clients and big chunks of company data should never be replicated out to personal systems (even on corporate campuses, much less remotely). A large portion of the blame lies with microsoft, the microsoft culture of IT, and its numberous advocates, especially non-technical upper management, but it will never be placed there in any meaningful way.

Re:The problem isn't telecommuting

[Sinus0idal]

What benefit do you gain from 3 layers of NAT and 2 proxies other than a ton of lag? A single well configured version of each should surely be sufficient.

Re:The problem isn't telecommuting

[OnlineAlias]

Having some asshat steal a computer full of data doesn't really happen that often to people who keep their computers locked in an office at their employer's campus.

Tell that to AIG. Reported 2 days ago...Fun News Link Outside of the VA lately the breaches have been from smash and grabs like this one. As an I.T. security guy, the first thing I look for when doing an assement is the physical security of home and especially branch offices. I'm not really disagreeing with you, just pointing out that one can't let their gaurd down, ever.

Re:The problem isn't telecommuting

[Fudge.Org]

Having some asshat steal a computer full of data doesn't really happen that often to people who keep their computers locked in an office at their employer's campus.

Consider yourself lucky to have never experienced two floors (dozens of employees) of locked PC's and laptops removed overnight... more than once. In my experience it isn't someone but some group and they know what they are after and they have tools. Yes, most criminals are stupid, but many are organized and professional.

What's the bigger payoff?

a) single telecommuter setup in home where there is someone that is around most of the time

b) office space with dozens of systems guarded by the lowest price bid security firm/system

Re:The problem isn't telecommuting

[colmore]

The headlines should read: MegaCorp loses notebook with customer data on it. Company issues this statement: "This is a non-issue, the notebook was encrypted with a system that meets XYZ standard, it will take no less than 200 years for the system to be cracked."

Oops, the laptop that was stolen had the PGP password written on a post-it-note. Or it was the guys' daughters' college fund account number. Or they were logged in while working at a coffee shop, got up to use the bathroom, and came back to an empty table. Or a corporate spy stole it once, put on a keylogger, and then steals it again. Ask the police how private your fingerprints are. Does your boss put retina scanners on all company laptops? Can you be sure that nobody with data access would be dumb enough to keep any of that info on their USB drive or a CDR? Are you using strong crypt on your swap space? What do your bosses do to make 100% sure that nobody is printing out information on their home deskjet and leaving the printouts in the recycle bin on thursday morning? Are you so sure that there aren't moles in your office that you'll let a billion dollars juts walk out the front door? If your data is really as valuable as you say it is, then you need to have the working assumption that someone out there is going to pull some James Bond style shit to get at it, they're not going to stop at "aw shucks, they *encrypted* it!" A password is relatively easy to bribe someone out of. If they never have to show up on site to access the data, then that's all they'll ever need.

When your data is valuable enough that people would REALLY want to steal it, people, not protocols and passwords, are the big problem. When you let people just walk out of your office with company secrets, you're not just increasing the size of the problem, you're adding entire DIMENSIONS to it. People get lazy about things that they have to do every day. Lab Chemists and Biologists have horrible cancer incidence rates because they eventually get lax with safety procedures, even though they know better than anyone on the planet how dangerous what they're doing is. The human brain is set up in such a way that something it encounters every day without visible harm stops registering as "threat" pretty fast. No matter how rigorously you try to follow standard XYZ at the office, people will get lazy when they're looking over some work in front of the TV.

Re:The problem isn't telecommuting

[supersnail]

The main point to be made here is that you do not store sensitive data in a location which is not physicaly secure. Not a home office , not a desktop machine anywhere and certainly not a laptop. But in a locked and secure server room. Also if you want a secure environment -- disable your companies desktop USB ports:- http://www.schneier.com/crypto-gram-0606.html#6

The "telecommuter" made me do it.

"coondoggie writes to tell us that advocates of the telecommute have stood up against recent finger pointing based on recent telecommuter screw ups."

That wasn't a "telecommuting" problem. That was "taking work home". Something a lot of people do.

Backlash for security?

[DarthParadox]

Telecommuting isn't the problem. Ineffective security policies are.

It's possible to set up secure connections between a telecommuter's computer and a secure server. Encrypted tunnels for VPN or something like that. Encrypt data on the laptop hard drive - if you even permit sensitive data to be stored there at all.

But until government and corporations are seriously committed to taking the measures necessary to keep private data secure, incidents like this will keep happening, whether it's due to a stolen telecommuting laptop or a server that gets broken into.

the article says it all!

[dan+dan+the+dna+man]

"The analyst whose laptop was stolen from his house was not a teleworker, just someone who took work home with him."

On what grounds are you going to detract from telecommuting in that statement? Every worker I know a)has a latop and b)moves it around. I don't think any of us would call ourselves telecommuters in any sense of the word. The fact we take work home, on 'theivable' media isn't an argument against telecommuting, it's an argument for us not taking work home!

I know there are telecommuters on /., but everyone I know, even in the IT industry has to go and show some flesh at a physical location to get paid. I'd love to telecommute but to be honest, it's mostly impractical for most people who have to engage with humans to get their job done effectively.

The next question for me is, who is this backlash against?

Re:the article says it all!

[rthille]

The 'best' job I ever had was when I worked for a military contractor. I got paid overtime, I _never_ had to (couldn't) take work home.

Of course the pay wasn't great and the work wasn't interesting, but my evenings and weekends were my own...

Telecommuting

[Badgerman]

Interesting article. It pretty much notes what's being said here - good telework requires good policies, good enforcement, and good planning.

In my last job I telecommuted for a good 3-5 months until I left. The company had excellent policies and security. There wasn't a single reported incident of data theft from our division in the two-and-a-half years I was there. I was definitely more productive, and I was also better able to plan around illness, holidays, and emegencies.

It's all about good policy. A company without telecommuters is still insecure if it has a crap IT Risk policy.

VPN in / Tunnel in.. use Treminal Servers!!!

[Wingfat]

Why cant these compaines use Term Server? it would then be a bit more on the secure side, at least that way you dont have dumb people taking their lap top home with personal data on it. I actually work as IT for a sub division of Bank of the West, we do not allow our users to have ANY borrower/customer data saved on their local machine. if they do they can be let go quicker then you can say "i didnt mean to save it on my desk top" some of the managers here can "telecommute" in. if they would let the loan processors here do that too, then we could close half of the office and save the company on rental costs energy costs and much much more. Plus not to mention the gas saved for the peopele that could work from home. I think with the gas the way it is, more companies should encourage their employees to stay at home.

It can happen in an office building to

[joshv]

I had a laptop stolen in a secured office building. Each floor required a badge, as did the lobby. A laptop at home is no more or less safe than a laptop at work. In fact, my house is probably harder to break in to than most office buildings.

hogwash! That is a security issue, not slave issue

[v3xt0r]

This is not the fault of telecommuting, although tyranical bosses who hate telecommutors will blame telecommuting (so they can chain you to your cubicle and bark orders and breath down your neck), when the reality is... accountability in the IT/Network Security dept.

I telecommute from around the world and work directly off machines via SSH, so even if my laptop is stolen, nothing confidential or work-related can be compromised.

Of coarse, if you're IT/Network security policies allow telecommuters to actually work ON their own hd's, then that is your fault for having a flawed IT/Network security policy.

Either way, this is FUD for anti-telecommutism.

security issues aside...

[papasui]

One thing I personally feel is you don't develop a bond with your co-workers if you don't see them face to face. I'm a network engineer for a large fortune 500, I have a company laptop with VPN software that I can use to work from home if I want. Occasionally I do, especially if I need to watch a sick child but still want to get some work done. Otherwise I try to go into my office and be present for face to face meetings whenever possible. My direct boss lives and works 300 miles from my office and I rarely see him, maybe 6 times a year. We talk over the phone and email frequently but we don't have the kind of boss/employee relationship that I've had in the past. Very hard to feel comfortable working/trusting other people when they seem almost like strangers to you.

Re:security issues aside...

[inKubus]

Well, bonds are good. But so is working without distractions. For a coder or programmer, being at home is probably the best environment. No one cares about the lack of shower that leads to grease level 6 where the real work gets done. Maybe the nut cheese vapors have some sort of nootropic effect.

Anyway, I think the best thing is a good mix of tele and in the office work. For me, I like to tele in the morning from home where I have my dual monitors, my espresso maker, my clean air, etc. It allows me to work solid in the morning right after getting up until I start to lose focus. I'm usually at my highest focus right after waking up. If I waste that time showering and driving, I'll just sit around at work.

So I work in the morning from home and when the focus starts to fade I save all and sync up, and then go shower and commute. I spend about the same amount of hours working but FEWER hours in the car, etc. becuase the traffic is lighter at 10:30 than at 7:30. Plus there's fuel savings, etc. And I don't have to go in every day--sometimes you get on a roll and don't need to go to the office to stay motivated to work.

There are some jobs that need you to be there: anything physical obviously (factory worker, garbageman, etc.). In my opinion, most meetings are bullshit though. Sending an email is usually enough to get it across. But I think some people need meetings to make them feel like they are part of a family. I'm like a hitman, a contractor, BOFH style, so I just do what I do.

What really bugs me is when I get PICNIC calls from the office (usually the same couple of people) who demand I come in and make their computer run faster or reconnect the cable they kicked out of the wall. Oh well, I bill extra for those.

Re:security issues aside...

Ideally I want my entire team - manager, developers, testers, users, infrastructure people, support - all sat at the same desk. Physically that gets a little cramped so I accept a compromise of being in the same room.

And while the manager, some of the other developers, testers and users are chit-chatting, and the support people are answering phones, the code gets written at a third of the speed, with three times as many bugs, because peple can't concentrate.

We have that problem where I work. Even though only the developers are in the same room, most of the time at least one group is talking. Oh, did I mention that I'm at work, posting at slashdot? You see, the guy three meters from me is talking...

Questioning a basic assumptions

[putigger]

I don't see anyone asking the question: "what effect does telecommuting have on productivity?" I work in the R&D arm of a major multinational corporation and the projects I work on are highly collaborative. I can often accomplish more in 15-30 minutes of face-to-face conversation with a colleague than in an hour or more over the phone or video conference, even with fancy collaboration tools like Lotus Sametime and Microsoft NetMeeting.

Re:Questioning a basic assumptions

[gvc]

Depends on what you're doing, your corporate culture, and how independent the workers are.

Face-to-face can be a big waste of time. Meetings, water cooler chat, and so on tend to be more exercises in shoulder rubbing than productivity. They may increase or decrease employees' effectiveness.

I totally agree that high-tech tools are a waste of time. Email is great when the rubber hits the road, phone calls are fine for brainstorming, and conference calls with a shared spreadsheet or ppt presentation or whatever are just fine for meetings.

The real issue with telecommuting is the tendency -- perceived or real -- to goof off. So I guess if you're running a sweatshop, it is bad; if you're running an operation with employees who are mature and motivated to see the operation succeed, telecommuting can be good.

Oh yeah, the VA loss was just an accident...

[MikeRT]

What are the odds that the weekend he'd take a dump of the records of 26M veterans home would be the weekend he got robbed? Someone better get the FBI on this guy's ass because he's probably got a fat Swiss bank account waiting for him after he loses his job and does a little time in the pokey. What a great coincidence that the time he takes the motherload of personal information home is the time he is the victim of a little "smash and grab..."

Not an excuse to take private customer info home

[Eric+Smith]

There's no good reason why a laptop taken home needs to have private information about customers/patients/clients/etc. on it. The customer data can be kept on an enterprise database server that is less susceptible to theft or to being accessed from insecure networks. The telecommuting employees can access the data remotely via an encrypted VPN, or use Windows Terminal Services, VNC, SSH, or the like over the VPN.

Telecommuting is not a slam dunk

[pedleyj]

The backlash against telecommuting is not just security related - it's cultural. How can an organization stay fresh and bring on new people who can learn from mentors and rapidly come up the learning curve if all the senior engineers are tucked up at home coding in their PJs? How will that organization build a culture, build commitment, build team spirit? There have to be some limits or a company will stagnate. security issues can easily be handled with better technology over time but I don't think the cultural ones are so easily dealt with.

If you can telecommute...

Think twice before pushing telecommuting to your boss, people. If you can telecommute from the other side of town and do your job effectively, someone from India or China can do it frm the other side of the planet, and for a lot less money. If there's an easier way to mark your position with a flashing neon "OUTSOURCE ME!" sign, I haven't heard of it...

"Telework" is entirely implicated in the VA case

[csoto]

"Telecommuting" means working away from the normal office environment. This guy was a "teleworker." Sure, he isn't NORMALLY a teleworker (e.g. he usually works out of the office). But he took work home. He was telecommuting. There would have been little chance of this data being stolen had he not "telecommuted."

Telecommuting has drawbacks. The number one issue is that the home is not usually a good environment for work. This includes issues of safety and data security. Operations are at risk if you do not take sufficient precautions.

One interesting solution to this is thin client computing. I've experimented with Sun Ray thin clients that connect over a broadband connection back to a server. No data is stored on the thin client. All it really transmits is pixels and keyboard and mouse clicks (encrypted, too). That's the right way to approach this. Never store data away from the people paid to protect it (then make sure those people do a good job).

We'll show those telecommuters...OFFSHORE!!!

[kimanaw]

So those uppity geeks think they can sit at home on their tender pimpled asses and draw a paycheck ? Taking our sensitive data home ? Workin in pajamas ? We'll show 'em! We'll send our data and IP to the other side of the planet to folks we've never met, where our laws don't mean squat...and we'll save massive bucks to boot! Yep, that'll larn 'em...

</irony>

This is not about telecommuting

[HangingChad]

It's about walking around, in any circumstance, with megs of sensitive information on a portable device that isn't encrypted. Whether it's a desktop, laptop, USB device, external hard drive, PDA, cell phone or iPod. It's really about non-existent data security policies, data security audits of vendors handling sensitive customer and employee data and, above all, it's about no accountability in government or private industry for mishandling sensitive information.

When companies are liable for millions in damages for lost privacy act data, you'll see change bordering on a religious revival. Until then, it's just the masses whining.

Re:hogwash! That is a security issue, not slave is

[lotrtrotk]

ORRR.... The problem is having a flawed Corporate Management who will not supply the IT/Network group with the proper resources (budget/training/personnel) to IMPLEMENT proper IT/Network Security policies.

Outsourcing services

[Aceticon]

Actually outsourcing of services is just the natural extension of telecommuting: stuff that can be done remotelly for $X hour by somebody a couple of miles away can just as easilly be done for $Y hour (were Y < X) by somebody thousands of miles away.

In other words, anything that can be done remotelly is just as suitable for telecommuting as it is for outsourcing, since in it's simplest form outsourcing is just having your workers telecommute from a far place.

The point here is that anything that does not require the worker to be physically onsite always or often will end up being outsourced and that the great telecommuting revolution that some still seem to expecting has already been overtaken by the even greater outsourcing revolution - forget about working from a paradisian island for western wages, at this point the best one can aim for is telecommuting a couple of days a week.

The problem is often bad telecommuters.

[AugstWest]

I've been told by many managers that they've tried it, and people just flat-out blow off work when they're home, and productivity drops.

I've had several jobs now where telecommuting wasn't allowed at all, by company policy.

Every once in a while I would have an "emergency," like a repair on the house, or a delivery of furniture, or whatever, and I would tell my boss that I would have to be at home, but that I would still be working. One time it was a Unix admin position, so it could be done from anywhere, especially since many of the servers were colocated or managed. Another time it was doing technical support for java deveopment teams for a major Swiss bank.

So you tell your boss that you can't be in the office anyway, so you'll do some work from home. Then, while you're home, kick ass. Get tons of stuff done. Most people in an office kick back and do the minimum amount of required work, so it isn't hard to show how productive you can be when working from home. Do it off and on, maybe when you're sick, maybe when you have a child emergency, whatever, but if you can come up with a legitimate excuse to be home, take it, and work your ass off.

A lot of times your manager will see that you're a very productive worker, and through some simple tactics you can work out a situation where you can increasingly avoid having to commute. I had an hour and a half train commute each way to the swiss bank gig, so it was worth doing some extra work to be able to sleep an extra hour and a half on occasion, and even if I worked an extra half hour at night, I was still done with work and home an hour earlier.