Corporate home PC plans spark security concerns

Ford and Delta Airlines' plans to offer employees super-cheap PCs in a bid to create a 'wired workplace' has been met with concern from both security experts and IT managers.

While Ford said it would offer Web connected PCs to its 350,000 employees worldwide, Delta struck a similar deal for its 72,000 staff with the added 'bonus' of access to the company's corporate network.

This has created fear that widespread use of home PCs to access the Internet and the corporate Intranet will create a security minefield, as they will not be subjected to the same rigorous security policy as in-house IT equipment.

Breaching national security
Only this week there were reports from the US that a former CIA director stored sensitive national security secrets on his home computer which was also connected to the Internet. He should have known better. But if multinationals are going to encourage hundreds of thousands of non-IT savvy staff to get wired, the possibilities for those with malicious intent getting stuck into sensitive information is endless.

Richard Stagg, senior security architect at Information Risk Management, said that while this poses no direct risk to Ford or Delta's network, such a scheme must be carefully implemented otherwise it has the potential to open a "big security hole".

"Any organisation [doing this] is opening up any network-based weaknesses. Implementing strong authentication is probably very costly for 350,000 employees," he said.

"I have seen a multinational corporate's Intranet that leaves corporate data in cookies on the PC complete with all the user's passwords," Stagg revealed.

"The bottom line is it's a policy issue," he added, explaining that the management must put procedures in place to ensure the PCs have nothing on them they shouldn't and that nothing can 'leak out' from the corporate Intranet. Only then will the concept of a wired workforce be useful.

The hardware involved in the deal
In the deal with PeoplePC, the Ford employees get Hewlett-Packard PCs and printers with Internet access from MCI WorldCom's Uunet for $5 a month. The HP machines are based on 500MHz Celeron chips and come with 64Mb of Ram, a 4.3Gb hard disk, CD-Rom drive, 15 inch monitor, speakers and a modem.

Delta's 72,000 employees get a consumer PC with free Web access provided by AT&T for up to $12 per month over a three year period. The PCs will be based on 500MHz Intel chips and come with 64Mb of Ram, a monitor, keyboard, mouse and software. Delta has yet to decide among Compaq, Hewlett-Packard, IBM or Toshiba as the manufacturer.

One support engineer at an IT solutions company wasn't even convinced it was beneficial for companies to get their workforce IT-savvy.

"You get someone who knows something about computers playing around at home, which can create more problems as they'll be thinking they can do the same things at work. It's a case of a little knowledge can be a bad thing," he said, adding that it could put extra pressure on the support department as it would likely generate a lot of calls at inconvenient times to the helpdesk.

Andy Brown, research analyst at IDC, said despite potential problems companies must look to the "bigger picture". In Sweden, for instance, in 1998 one third of desktops were bought through employee purchase schemes.

"These were successful in increasing PC penetration in the home and increasing IT literacy very quickly," he said.

Security issues
You also get the age-old problem of how to protect both the physical hardware in the home, and protecting the information that is being sent either through dial-up to the Internet/Intranet or via disks.

A security expert at a high street bank said the company must look at what applications are needed to encrypt the data held on the home PC so that if any equipment is stolen, the thief will not have access to the data held.

"The biggest concern is the security of data. If it is business sensitive, then the data is worth more to the bad guys than the PC," he said.

"There is no easy way of avoiding some security issues if moving data around," added Brown.

Stagg suggests all the PCs should be shipped out fully preconfigured so that the average person won't be able to make any changes to the hard disk. He also said that a client-end firewall should be installed to protect the individual computer from Trojan Horse viruses.

Company information at risk
He warned that without this, anyone with the motivation could set up a website for the sole purpose of luring a home user to it just to gain access to the hard disk, and therefore any company information stored there in the cache or in cookies.

"It all depends on the level of motivation. Never underestimate the motivation of commercial espionage," he warned.

One solution given by Stagg is to set the whole system up somewhere else away from the corporate network and get another company to host it. By creating an extranet that mirrors the corporate network, the users can access the same information (or whichever information the company wants to grant access to) but from a safer distance.

"It takes the risk away from [the corporate intranet] receiving denial of service attacks and brute force password attacks," he explained.