Why? Well, unlike desktops inside the company, there is no control over an employee's home PC. There is probably -- or should be -- protection for desktops and workstations in the office: antivirus software, host-based firewalls, antispyware protection and more, depending on the organization's risk profile. A home PC may have none of those controls, or outdated ones, and so fall short of the company's internal IT security standards, with nobody in IT able to tell.
To make matters worse, if employees are using VPN software on their home PCs to access the network, they are, ironically, creating a secure connection for malware to reach the network. The VPN authenticates the user, not the state of the machine, and it encrypts everything in the tunnel: whatever malware sends is just as protected from inspection at the perimeter as the legitimate data going over the wire.
The protection of the network from insecure home PCs is a whole field in itself called network access control (NAC) and endpoint security, which is beyond the scope of this brief discussion. Suffice it to say that NAC involves software controls on endpoints, monitoring systems on networks and blocking insecure devices from networks, like home PCs. NAC involves both software and hardware controls and is more of a process than a single product that does it all.
Ideally, a NAC system should not only detect and identify any device trying to connect to the network, but also check that the device has the security controls required by IT security standards before it is let on. For example, if the device doesn't have updated antivirus software or the latest operating system patches, an endpoint security solution would either block the device from the network or place it in a quarantine network where it can download the patches and updates, and only then allow access. A device that cannot report its state at all should be treated as non-compliant rather than given the benefit of the doubt.
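As an added illustration of the decision logic just described (this is example code written for this page, not any NAC vendor's product), the following Python evaluates a posture report against a hypothetical IT security standard. The report format, the patch identifiers, the sample devices and the policy thresholds are all constructed assumptions. It distinguishes remediable failures (stale antivirus signatures, missing patches, a disabled host firewall), which send the device to a quarantine network, from failures that cannot be fixed on the spot (no posture agent, or a non-standard build when the policy requires company-managed equipment), which deny access outright. A missing or unparseable field counts as a failure, so the check fails closed.

```python
"""Toy NAC posture check: decide whether an endpoint may join the network.

Constructed example for illustration; not any vendor's NAC engine.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, FrozenSet, List, Tuple


class Decision(Enum):
    ALLOW = "allow"            # full network access
    QUARANTINE = "quarantine"  # remediation VLAN only: patch and AV update servers
    DENY = "deny"              # no access at all


@dataclass(frozen=True)
class Policy:
    """Hypothetical IT security standard the endpoint must meet (assumed values)."""
    max_signature_age_days: int = 3
    required_patches: FrozenSet[str] = frozenset({"KB-2008-001", "KB-2008-002"})
    require_host_firewall: bool = True
    corporate_build_only: bool = False  # True: reject anything that is not the standard build


def evaluate_posture(report: Dict, policy: Policy, today: date) -> Tuple[Decision, List[str]]:
    """Evaluate a posture report (a dict as a hypothetical NAC agent might send).

    Missing or unparseable fields are treated as failures (fail closed): a device
    that cannot prove its state is not trusted. Remediable failures -> QUARANTINE;
    non-remediable ones (no agent, wrong build) -> DENY, listing every reason found.
    """
    hard: List[str] = []        # cannot be fixed from the quarantine network
    remediable: List[str] = []  # can be fixed by pushing updates, then re-checking

    if not report.get("agent_present", False):
        return Decision.DENY, ["no posture agent: state cannot be verified"]

    # Antivirus signature freshness: an invalid or absent date is a failure.
    try:
        sig_age = today - date.fromisoformat(report.get("av_signature_date"))
    except (TypeError, ValueError):
        remediable.append("antivirus signature date missing or invalid")
    else:
        if sig_age > timedelta(days=policy.max_signature_age_days):
            remediable.append(f"antivirus signatures {sig_age.days} days old")

    # Operating system patches required by policy.
    missing = sorted(policy.required_patches - set(report.get("installed_patches", [])))
    if missing:
        remediable.append("missing patches: " + ", ".join(missing))

    # Host-based firewall must be on.
    if policy.require_host_firewall and not report.get("host_firewall_enabled", False):
        remediable.append("host-based firewall disabled")

    # Company-managed standard build, when the policy insists on it.
    if policy.corporate_build_only and not report.get("corporate_build", False):
        hard.append("not a company-managed standard build")

    if hard:
        return Decision.DENY, hard + remediable
    if remediable:
        return Decision.QUARANTINE, remediable
    return Decision.ALLOW, []


# Constructed sample posture reports (not real devices).
TODAY = date(2008, 9, 15)
DEFAULT_POLICY = Policy()
OFFICE_DESKTOP = {
    "agent_present": True, "av_signature_date": "2008-09-14",
    "installed_patches": ["KB-2008-001", "KB-2008-002"],
    "host_firewall_enabled": True, "corporate_build": True,
}
HOME_PC = {
    "agent_present": True, "av_signature_date": "2008-08-01",
    "installed_patches": ["KB-2008-001"],
    "host_firewall_enabled": False, "corporate_build": False,
}
UNKNOWN_DEVICE = {"agent_present": False}


def demo() -> Dict[str, Decision]:
    """Run the three sample devices through the default policy."""
    return {
        name: evaluate_posture(rep, DEFAULT_POLICY, TODAY)[0]
        for name, rep in [("office", OFFICE_DESKTOP), ("home", HOME_PC), ("unknown", UNKNOWN_DEVICE)]
    }


if __name__ == "__main__":
    for name, rep in [("office", OFFICE_DESKTOP), ("home", HOME_PC), ("unknown", UNKNOWN_DEVICE)]:
        decision, reasons = evaluate_posture(rep, DEFAULT_POLICY, TODAY)
        print(f"{name:8s} {decision.value:10s} {'; '.join(reasons)}")
```

Under the default policy the office desktop is allowed, the home PC is quarantined with three findings, and the device without an agent is denied; switching on `corporate_build_only` turns the home PC's quarantine into a denial, which is the "company-provided equipment only" stance discussed further below. A real NAC deployment would re-run the check after remediation and on a schedule, not just at connect time.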
Home PCs are only one endpoint security headache for security administrators. Many employees nowadays work remotely with laptops, BlackBerrys and other PDAs, all of which need to be secured and given proper access controls before being allowed to connect to the network. Just add home PCs to the list of devices that would need to be secured in an endpoint security program.
The best idea, if practical for your company, is only to allow access to the network with company-provided equipment. Such equipment should have a standard build, uniform throughout the enterprise, and should have company-mandated controls meeting specific IT security standards. Again, if practical and within budget, it's better to avoid use of home computers for business use and instead issue remote employees laptops. Anything less may mean gambling with the security of the entire organization.
- Learn more about the dangers of Web-based remote access systems.
- Read about the security options in Microsoft's Network Access Protection policy.
This was first published in September 2008