Telecommuting Backlash
coondoggie writes to tell us that advocates of the telecommute have stood up against recent finger pointing based on recent telecommuter screw-ups. One of the more notable screw-ups was the recent loss of many veterans' personal information by a VA employee. From the article: "Despite years of growing acceptance, telework still has such detractors. 'The No. 1 challenge is cultural inertia. It's motivating the middle managers, teaching them a new way of doing work,' O'Keeffe says. 'It's the Luddite mentality that we need to change.'"
Re:The problem isn't telecommuting (Score:2, Informative)
If the data needed to be on a laptop, why wasn't it encrypted?
There's absolutely no reason why a laptop can't be set up to
have the entire home partition set up to autoencrypt and decrypt.
Users without proper login credentials wouldn't then be able to
access the data (assuming proper encryption algorithms are used).
Again policies that clearly define what information can leave the
office and in what form need to exist in parallel with smart
use of security technologies.
Unfortunately most people (and that includes many managers and policy makers)
don't really understand technology and as a result tend to seek solutions
that they do understand, even if they are poor solutions, rather than admit
that they don't know and ask qualified people for help.
Re:The problem isn't telecommuting (Score:5, Informative)
This means that when a sheriff recently left his laptop in an unlocked police car and it was stolen, there was nothing sensitive on it.
This isn't that different from how I've been telecommuting for a long time. I use my laptop to connect up to the corporate VPN and then connect via remote desktop to a machine I have configured for myself at the home office, where I do all my actual work.
Exempt vs. Non-exempt (Score:1, Informative)
From the Department of Labor website [dol.gov]:
Overtime Pay May Not Be Waived: The overtime requirement may not be waived by agreement between the employer and employees. An agreement that only 8 hours a day or only 40 hours a week will be counted as working time also fails the test of FLSA compliance. An announcement by the employer that no overtime work will be permitted, or that overtime work will not be paid for unless authorized in advance, also will not impair the employee's right to compensation for compensable overtime hours that are worked.
Re:Deserve what they get? (Score:4, Informative)
Don't make light of this, a number of people got really badly in trouble over this. As a measure of how seriously the gov't takes the situation, it is rare for any civil servant to actually get fired. In spite of the reforms of Jimmy Carter's days, it is still difficult to fire gov't employees. You'd better have your 'i's dotted and the t's crossed, too! Upper management hates to go that far, especially if the employee has over ten years in, and I think this guy had 11 or 12. Get fired like that, and you lose your pension and everything. So if they fired this guy, it's serious.
I work for another Department, and we take security very seriously. ALL agency laptops are installed with a standard image using Ghost, an image that uses Pointsec to encrypt the entire hard drive. Yes, we take a performance hit, but to safeguard data, it's worth it. Users have no choice. It is installed before they get it, and when they are issued the unit, they are given the opportunity to set the password (at least 8 digits). If they forget it, they are told, the HD is toast, and must be reformatted. (Not really, there are admin PWs we can use, but that makes them MUCH more careful!) They are warned not to store data on the HD, 'cause if the OS develops a problem, all we'll do is reimage it. We use an elaborate VPN system, with tokens, to allow employees to remotely connect. They don't need to keep data locally, and it is discouraged. With our setup, a lost laptop is just a lost item; a thief would have to reformat the HD to use the laptop. Our data is not accessible.
Use the BUILT IN stuff in your laptop (Score:4, Informative)
What I don't understand is why people are not using the built in features of laptops - ANY NEWER Laptops have a Power on password. Many newer ones even have HARD DRIVE passwords (so you can't swap out the drive to use it on another PC). Some even are coming with THUMB readers. Prevent thieves - ALL laptops have docking stations or cable slots where it can be LOCKED down. If not locked down and not in use then put it in to a LOCKED cabinet. Also to NOT have it in the open cab of car (put it in the trunk - for the smash grab and dash thieves) - also not good if it hits you in the back of the head in an accident..... Use a BRIEFCASE or BACKPACK or CARRYBAG that does not scream "I GOT A LAPTOP FOR YOU TO STEAL!" (these are all actual policies where I work).
Also you can secure your Email by always accessing it via VPN and by using IMAP based or HTTPS web based (and/or require RSA token access). Any Local "copy" in the email client is encrypted (We use PGP? or such). I don't telecommute - but I personally only use IMAP (when at work) or WEB BASED email clients (ie: Squirrelmail and such) for the last 12+ years. No chance if SOMEONE steals my PC and tries to look at my MAIL - I don't even have a PC based mail client (no spam bot using POP3 on MY email account - unless they use their own client - but then I have that port BLOCKED on my personal firewall). In 12 years I have not got infected by even ONE virus by email (I get a "hit" every couple of weeks with one - but getting fewer)...My ex-wife however insists on using a pop3 client and has gotten infected many times.
Also setup most business applications such that they can be used via VPN and a local client or has a web based interface and/or Citrix/Terminal Services or VMWare or such. Also provide Backup space on their servers for your "EXCEL" and "WORD" type of documents. A hot sync Software tool makes this easy.
One big thing is adopting a software policy - ONLY install APPROVED software on any BUSINESS PC - no personal software or "free downloads" or demos. As well only approved "accessories" may be attached/used (ie: Thumb Drives and External drives etc). And by approved - I mean not by some "know nothing" boss or supervisor - but approved by IT and/or management who is in touch with what is acceptable and is safe to use. After all this is not your personal PC but owned by your employer. (like the "scattered" or "found" USB drives that were used at one BANK location - most were picked up and plugged into the BANK'S PCs by their own employees.)
Where I work they also PUSH all virus/spam/firewall and security fixes so you're always up to date. They also adopted a PASSWORD policy where you have to change password often and not duplicated etc....
With a GOOD policy and ENFORCING it to protect everyone's butt and with a bit of free software and/or a bit of spending of money/time - a Stolen Laptop could mean little to NOTHING in impacting a business - with the biggest being the replacement cost of the laptop and going through and wiping out and resetting any and all of the user's passwords (in case people "keep" a list of passwords on the PC or use "auto complete" or other password reminder tools....) and yes I know there are secure "password" tools out there that would be hard to defeat - at least before they are able to crack/hack into it - you should have all your passwords reset.
A stolen laptop that causes problems for a business - they had set themselves up for failure to begin with - however one of the WEAKEST parts is the employees themselves. It costs very little to make a POLICY, and to make minor changes in how people use their PC. Just remember to enforce it (MANUALLY spot checking if you have to - even "leak" out a rumor that it will happen before you do - I can just hear the hard drives going crazy when that gets around....), if you don't - a policy on paper means zilch (nothing) if people are not following it.
Re:Oh yeah, the VA loss was just an accident... (Score:5, Informative)
Insightful, eh? How about "uninformed".
From MSNBC [msn.com]: So no, this wasn't just "dumb luck". It was an accident waiting to happen.
The guy wasn't even supposed to have the data (Score:2, Informative)
There is none. (Score:3, Informative)
In reality, nobody is pointing fingers at telecommuters -- in fact, in the incidents that I've heard in the news lately, there wasn't any real "telecommuting" going on. Somebody just copied an assload of data off of the server to their local machine, and then took the machine home with them. I'd call that 'working from home,' not 'telecommuting.' And the copying of the data onto the local machine was just inappropriate to begin with. That's mostly a user-training issue and not a technological one.
Sure, there are measures that could have been put in place to allow the behavior to happen without creating such a huge problem in the event the laptop was stolen: the drive could have been encrypted, etc. But ultimately, if you don't train your employees to follow the security procedures, there are always going to be problems. (Use encrypted HDs and don't tell people not to use USB sticks, you're going to get data loss. Say 'no USB sticks,' and they'll use CD-RWs. Or email. Or whatever. My point is, the problem at that point is not technology, but your users.)
I doubt that the data loss events will cause anyone who's legitimately telecommuting or even working from home to do anything differently. The only thing it should do is serve as a wake-up call to managers who are allowing employees to do things that they're not really supposed to do (like take large amounts of sensitive data home with them). In the long run, it'll probably make the new encryption features in Win Vista more popular, but that's neither here nor there.
All in all, I think the controversy was manufactured. It was obvious enough to anyone watching on CNN that the fault of the VA incident lay with the employee who took the data home on the laptop when they weren't supposed to; it wasn't a failure of some telework scheme, just user error / bad judgement.