How Yahoo Telework Policy Aids SecuritySocial Media Company's Action Should Limit IT Risk
Improving collaboration among employees is the goal of Yahoo Chief Executive Officer Marissa Mayer's decision to ban most telecommuting beginning in June, but her edict means better information security as well.
Although Mayer is intent on most Yahoo employees working at company locations to increase face-to-face collaboration and innovation, the unintended consequence of this action is decreasing vulnerabilities that remote work can introduce.
The unintended consequence of this action is decreasing vulnerabilities that remote work can introduce.
One benefit of eliminating remote work is the ability to better control access to critical applications and network resources to authorized devices from specific locations. Organizations can, with greater confidence, scan for malware and make sure proper monitoring tools and policies are implemented, lowering the attack surface within their firewalls.
The IT security department effectively can monitor behavior of employees and log their activities throughout normal working hours by compelling workers into a more controlled environment. By monitoring activity, policies can be more effectively implemented and security technologies optimized for risk management.
By limiting telework, enterprise IT security managers would have better control of software aimed at business efficiencies - such as collaboration and peer-to-peer tools - that could pose significant risk to the organization beyond the firewall. Bringing employees back to the office ultimately helps the organization to truly understand the risk status of the network and balance security and operations for business enablement.
Another impact of disabling most of the remote work is the possible exposure of the malicious insider threat. Limiting remote work means the security department can step up the identification of these bad actors and gain business intelligence to find would-be thieves. Having a finite set of locations and devices to monitor keeps the IT security team focused on those critical corporate assets.
Identity and access management is an area that, if not properly implemented in a remote-access platform, could increase the risk of lost or stolen credentials and give would-be hackers access through unsecured mobile platforms or devices. As a result of the bring-your-own-device trend, which means consumer technology is being used to access enterprise applications, finding the right mobile security technology or service that works with an organization's existing identity and access management solution is not a simple task. Finding one that doesn't violate the enterprise's existing corporate policies, such as encryption or multifactor authentication, is equally difficult. In Yahoo's case, by eliminating remote work, the IT department can lower the risk of lost or stolen credentials, gain better visibility into who is accessing critical applications and have time to properly plan for the future of mobility with an integrated approach to identity management.
Yahoo is well positioned to become a leader in implementing radical changes that will protect its intellectual property while allowing prosperity from centralized communication and collaboration. Don't get me wrong, there will still be those individuals who will use unsecured means to communicate. But Yahoo can help cultivate a new breed of employee if it leverages the unintended consequence of its recent decision.
Patricia Titus is the former chief information security officer of IT security provider Symantec and IT integrator Unisys' federal systems unit. She also served for six years as the CISO at the U.S. Department of Homeland Security's Transportation Security Administration.