Remote Control

Google should shoulder some responsibility for remote access to corporate information systems. Its Internet engines suggest it is possible to access anything anywhere anytime. If Google can do it, executives argue, why not rip down the walls on corporate information systems and let employees access them anytime anywhere too?

A growing gaggle of businesses are doing precisely that. Australian Bureau of Statistics (ABS) figures show that 24 percent of employees now do some work from home, and recent research from Unisys and the State Chamber of Commerce shows that two in three businesses have employees who telecommute at least occasionally - that is up 36 percent on last year, and 60 percent on 2004.

For CIOs, this rising tide of demand requires technical savvy coupled with careful attention to usage policies and procedures. It is no good letting someone work from home if the business gets slapped with an occupational health and safety suit or is hauled over the coals for privacy lapses.

Businesses that do permit remote access have to ensure secure and appropriate access to applications and data; they have to be assured that the person logging on is who they say they are, that the remote computer set-up remains in synch with the core systems and cannot crash the core, and that remote employees are not downloading data onto memory sticks or burning CD-ROMs inappropriately.

And how do you make sure that the home worker is following occupational health and safety guidelines rather than lounging on the floor and generating a workers' comp case in waiting? How do you schedule necessary maintenance if employees want round-the-clock access? How do you support and service remote computers and their users? How do you ensure long-term telecommuters remain productive, motivated and in touch if they are rarely in the office? How do you make sure that the employee going over the big deal on a computer in an Internet cafe is not being watched by an industry rival sitting at the next station?

Stephen Arnold, CIO of Ernst & Young, is an old hand at offering remote access. Some 90 percent of Ernst & Young's PC population is laptop - about 4000 machines. "We have been geared to mobility and to allow people to connect remotely for a long time," Arnold says. Early in the 1990s the laptops were stand-alone, with modems added as they became available. "Now we are more reliant on Internet-type technologies, largely because our clients have digital or VoIP telecommunications," he explains. "There is no facility for analog dial-up, so we use the Internet to connect or wireless connection." He is currently wireless-enabling the entire fleet of laptops.

Arnold says two of the most important elements of a successful remote access program are, first, to ensure that all users are fully trained, know how to connect remotely and properly use their applications, and second, that proper security measures are in place.

For Ernst & Young that means encrypting all data on the laptops and the virtual private network sessions established once a user dials into the Ernst & Young network (using an RSA token for more secure access). Although the firm looked at thumbprint access nine months ago, the biometric technology was deemed too immature and too expensive. However, Arnold says his firm will definitely look at it again. "We want to make it as easy as we can for our users."

Unlike some corporations that provide screen-scraped access to applications, Ernst & Young loads the application onto each laptop. "That's because connectivity can be problematic on occasion," Arnold says. "If you are on a plane or at a mine site, for example, you need to make the employee self-sufficient." Each day when the PC is connected to the corporate network the data on it is backed up centrally to protect against a crash or machine theft.

Usage policies are clear that the firm's laptops are only intended for employees' use, and no unauthorized software is to be loaded onto them. Arnold acknowledges though that it can be tricky to ensure that data on the laptops is always used appropriately. "It can be difficult to protect the data. You have to limit the things that people do. Every time you stick in the memory stick our policy appears on the screen. We are now working on something so that every time you burn a CD or store data onto a memory stick that will be encrypted as well."

Encrypting memory sticks, or USBs, is something that Gilbert + Tobin CIO Mike Solomon has also been asked to look into. Often used in client meetings to share documents, USBs, which can store up to a gigabyte of data, have become hugely popular - but also a headache to manage.

Page Break

Beyond Control

Organizations must also consider occupational health and safety issues for workers using computers outside the office where the working environment is not tightly controlled. "My sense is, yes, we get people to read the policy and recommendations and get people to sign something to say that they have read it, but there is no supervision of that," Arnold says.

"Hypothetically a user could be squatting on the floor of the lounge room and could have an injury or accident. It's a very grey area. I'm not sure what people could do about it - send people round to check on OH&S once a month? Before we had wireless it meant that the user had to be in one place, generally in the study or at a desk in the lounge room. But now they could be lying on the ground and not in an ergonomic position, injure their neck or back and there could be a claim - who knows?"

Hewlett-Packard - considered a champion of telecommuting until it announced earlier this year that telecommuting privileges were being withdrawn from its own IT team - still allows some employees to work remotely and takes seriously OH&S issues. Christopher Hood, a former architect and now program manager for the HP workplace based in South Carolina, says the company runs an online self-assessment program that everyone who telecommutes has to participate in regularly.

Called Workwell, the system asks people to report on issues such as where they are seated when working, describe their posture and so forth. The responses are then used to perform a risk analysis. "And those who are identified as medium or high risk are referred to our health and safety group," Hood says.

So there are techniques to tackle the OH&S concerns, but if it should become a lawyers' playground then the lawyers will be well versed in remote access issues. Lawyers have nurtured Australia's BlackBerry infestation and driven massive demand for remote access, particularly over the past three to five years, according to Garry Clarke, director of technology and information services at Clayton Utz. "There is an increasing demand for flexibility; for being able to remove the restrictions of working within an office. It is my challenge to remove the time and place restrictions."

And the lawyers are asking for more than mere e-mail access: they want access to all their documents, all the knowledge in the firm on a specific topic, and to be able to access that on any computer - the firm's, their own or a computer in an Internet cafe or friend's house. "They don't want infrastructure to inhibit their work," Clarke says.

Although the demand for telecommuting support has risen over time, there has been a distinct change in demand. "The lawyers' expectation of what they can do at work is now driven by what they can do at home," Clarke says. Younger lawyers in particular are used to using their home computers to Google anything - they want to be able to search their work system just as freely.

Page Break

Share & Not Share Alike

While companies tend to think of telecommuting and remote access as something to support domestic employees, business strategist Ross Dawson believes it will be increasingly important to offer access to employees and collaborators working overseas. He believes companies should strategically review their information holdings and identify what information they would benefit from sharing with trusted partners and clients, and then establish an information infrastructure to support that.

Dawson says a first important step for companies that want to create a collaborative environment is to perform a strategic information audit. "An organization can categorize its information three ways: information which is openly available, information which it is happy to share with trusted partners and information which it does not share. Once you have worked out which information sits where, then you put in place the supporting technology and business processes. So far very few organizations have looked at this from a business process and technology view," Dawson says.

According to Clarke, already there are demands coming from lawyers working overseas. "One of our partners went overseas and used Skype. Usually when partners go overseas their telephone bills are horrendous - it's another example of consumer technology leading the way."

Clarke is in the process of drafting a virtual office strategy that will document the infrastructure and environment to allow the firm to tear down the walls on the corporate information systems.

Currently Clayton Utz has about 1000 fee earners, 500 corporate laptops and approximately 750 RSA access tokens, and allows access to systems via a Citrix server. (An Australian technology capable of providing a similar form of remote access, called ThinPoint, is currently being trialled for a hot disaster recovery site). All partners and senior associates are provided with a BlackBerry and mobile phone - out of Clarke's budget. "I'm a very generous man," he says. "On a back-of-the-envelope calculation, if someone services a client outside the office then the payback is almost immediate. It is a cost of doing business. You'd never go through someone's drawers and say: 'Oh you've got two pens'. It's the same with computers. It won't be long before all fee earners use BlackBerrys." The firm is also trialling a VoIP soft phone, allowing calls to be routed automatically to where a lawyer is working.

Clarke knows though that while his decision to rip down the walls from the computer systems is popular within the firm, it is less so outside. "I've had other CIOs say: 'You bastard - now we've got to do it'."

Clarke says that despite the additional demands of remote access his IT budget has actually dropped in real terms over the past three years to around 4.0 to 4.5 percent of revenues, which he says is below some competitors'. Meanwhile lawyers expect remote access to be granted without argument, regardless of cost. "The hoops that people have to jump through have diminished over time. To get a laptop a couple of years ago you needed to put in a business case and have that justified," he says. "Now if a lawyer wants access from home they come in and ask for an RSA token. We are not giving them anything extra - but we are giving them more flexibility."

Page Break

That is also what is driving Gilbert + Tobin, where Solomon expects to deploy a Citrix server to support remote workers by the end of the year. Currently the firm has a small fleet of laptops, access to which is regulated. Access is via an RSA token and although the laptops are not encrypted, they are "locked down", Solomon says, with users unable to install other applications. "It works well, except for the odd occasion when a lawyer may be working outside of the office and is given a piece of software to install by the client. It's the classic trade-off of security versus convenience," he says.

Convenience was a key driver in finance and insurance broking firm OAMPS's decision to offer remote access about six months ago. The company's general manager for information services, Michelle Beveridge, says that many of its data entry operators are women who wanted to continue working but needed flexibility.

An initial flirtation with letting people use their own home computers led to some "strange things" happening to head office systems - software loaded onto the home computers caused problems for the core application. "Even a different version of Windows can clash with our application," Beveridge says. So the company bit the bullet and started installing company-owned desktops in employees' homes.

This has also allowed much tighter control on what is loaded onto the machines, downloaded from them, and who has access. The PCs, which do not have removable disks, connect to OAMPS's head office Citrix server over a broadband virtual private network (VPN) and bitmaps of the applications are transmitted. To ensure security and privacy, users gain access via an RSA token, and there is a 30-minute time-out function. "So if mum goes off to make dinner, son can't come on and have a play," Beveridge explains. Most remote users are not able to download data to a USB stick.

About 70 of the firm's 1100 users have remote access, which Beveridge expects to rise swiftly to about 300 before plateauing.

Although Beveridge has had to rethink some early decisions, she says the security risks of remote access are the same. "You have to protect the core systems. Laptops can be lost and homes broken into", but if the core system remains intact the integrity of the overall system is secure, she believes.

Support is an obvious challenge. "It's not as easy when you have people in their home environment," Beveridge says. OAMPS's IT staff can access remote PCs to investigate a problem reported by remote workers, and are often able to fix problems that way. If not the machine is either returned to base for maintenance or a support team member visits the user's home.

In order to provide this level of service Beveridge has relocated a number of her team, and rather than most people being based in the Kew, Victoria, IT department, she now has support staff in East Melbourne, Brisbane, Adelaide, Sydney and Parramatta. Not that she has a bigger budget, just a more geographically spread one. "There was no increase in the budget. Yes, the business is recognizing that IT costs are going up - but also the value to the business is increasing. "We now talk about a per user cost rather than a total cost, which gives us much better conversations with the business, especially as we have moved to offer this remote service."

In addition, Beveridge has recently tweaked user policies to ensure that remote users know that head office will do a lot more monitoring of systems usage. It will conduct random checks on what people are accessing, and also keep audit trails of data access. "If anyone flouts this then it is either instant dismissal or a warning," she says.

While comfortable with the technology, she does still worry that there are health and safety and human relations issues that need to be properly addressed. "This is more about occupational health and safety issues and people issues. We may have people now who only see one another once a week."

Page Break

Managing Expectations

Soft management issues such as this remain a challenge for companies that allow telecommuting. When HP announced earlier this year that it was going to reduce the opportunity for telecommuting among its IT workers and bring people together to work in centralized locations, it was condemned for what many people saw as a backwards step. A CIO (US) blog led by Thomas Wailgum, however, drew the following anonymous posting: "Instead of always just thinking 'me', you may want to look at telecommuting from the perspective of workforce development. How do you grow your workforce when there is no one around to do the mentoring? Unfortunately I know a number of folks who've never grown up and because of lax management just can't be depended upon to take it upon themselves to be productive," the blog stated.

HP's Hood believes it is imperative that an agreement is created between employer and telecommuter to set out exactly what is expected from each party so that there are fewer grounds for complaint on either side.

IT staff meanwhile have to be far more productive because of the additional demands of remote access: maintaining good systems hygiene as far as virus scans, backup, patches, usage policies and education programs are concerned. They are also squeezed when it comes to scheduling maintenance on a system that is used around the clock.

Similarly remote users demand support around the clock. Clayton Utz is heading towards always-on support. "We run 8.00am to 6.00pm and we have people who then take a laptop and mobile home for support. We are just trialling a 7.00am to 2.00pm shift. But I suspect it won't be long until we have to have 24x7 support," Clarke says.

"Ultimately we will see a redefinition of the workplace," Hood says. "Sitting in rows doing transactions is slipping away. Offices now are there to define who we are, the spirit of the company - the buzz. Our role is to create those things that can't take place anywhere else."

Hood's role is to orchestrate the technical solutions, environment, change management and workplace services that people require to do their jobs, wherever that may be. Both he and HP's CIO, Randy Mott, report into the company's finance group. Hood acknowledges that providing remote access to some CIOs is all about cost. "But this is part of a total infrastructure that will eventually lead to reduced costs and higher achievement."

SIDEBAR: Stellar Service at Stella

During his tenure as CIO for hospitality chain Stella Resorts, Geoff Lazberger always kept in mind the needs of his users - both employees and visitors - when he overhauled the information systems of the group. His challenge was to provide divisionalized information systems to support each resort (some of which required only a property management system, while others needed access to the corporate backbone), access for local and remote users, and a robust corporate information system that had aggregated up-to-date information detailing the performance and activities of all the resorts.

Wireless networks for guests have been installed in many resorts, which offer conference services to support conference delegates. Lazberger also made wireless access available to those employees who could prove a business case for having remote access through a VPN to the Stella systems.

To get remote access to the system would-be users had to approach their business unit manager, who then would put forward a business case to Lazberger. It was part of the risk management process because, as Lazberger says, "providing wireless access from home introduces a threat point between their home and our network".

"Security certainly is the trade-off when providing remote access. There is no point in making security so tight that you can't operate, but you don't want such low security that you are compromised. It's the CIO's job to weigh that up."

Educating system users about the need to protect information security was a particular challenge for the company because it employs a high number of transient workers in its resorts. These workers Lazberger says were inclined to have "low levels of sensitivity" to IT due process.

Page Break

SIDEBAR: Remote Possibilities

by Ann Bednarz

IT staff should put themselves in teleworkers' shoes for a bit

To prepare for the role of Travis Bickle in the 1976 movie Taxi Driver, Robert DeNiro famously drove a cab for a few weeks. It's not a bad idea for IT staff to similarly live the life of a remote worker for a while to see how technology behaves outside the corporate campus. Setting up a telecommuting lab is one way to do that, suggests analyst firm Forrester Research.

Creating a virtual or on-premise telecommuting lab can help IT better understand the daily experience and challenges of remote workers, according to Brownlee Thomas, a principal analyst at Forrester. "It will provide direct input for IT architects about the likely impact of new application deployments in a remote office environment, and it could help IT decide what applications might be put on servers that are outside the firewall without compromising security," Thomas writes in a 2004 research report.

Thomas suggests different lab scenarios for companies, depending on how many teleworkers and remote workers are involved. She recommends companies with more than 500 home-based remote workers and contractors create a permanent telecommuting lab that provides a place for training teleworkers and replicating remote access products and services. An ad hoc IT lab is probably sufficient for enterprises that don't plan to hire home-based remote workers in the near future but may want to train employees for regular part-time telecommuting.

If a company is just getting started with telecommuting, a virtual lab is an easy option to consider, according to Thomas. One way to set up a virtual telecommuting lab is to have IT staff outfit their own homes with the requisite technologies and provide IT support remotely, either on a full- or part-time basis. For example, an IT staffer could equip a home office with different types of Internet access - such as dial-up, cable, DSL, satellite and wireless access - to see how applications perform under different conditions.

Establishing a telecommuting lab is just one of the recommendations in the Forrester Research report, "A Clear Strategy Will Help IT Effectively Support Remote Workers".

In the report Thomas also recommends IT staff get together with folks from HR, finance and other departments to define a clear strategy for supporting different types of teleworkers; develop training products and services; and provide teleworkers with a hard-copy of a reference manual that includes information such as IT contacts and application tips.

On the training front, Thomas suggests scheduling time with remote workers before they begin working online from home. New remote workers should spend some time at the nearest corporate office and undergo the same boot-camp orientation program given to other new hires before they head home. Local office workers who are relocating to a home office should get an abbreviated training session that includes some time in a telecommuting lab environment, according to Thomas.

Basic PC maintenance training is also a must for remote workers. "Because a high portion of commonly experienced remote laptop problems can be attributed to the end users' failure to execute simple regular PC clean-up and maintenance tasks, some basic training will go a long way in avoiding help desk calls and lost productivity," Thomas writes.

For more tips from Forrester's companion research, "How to Write a Telecommuting Policy", see "Get It in Writing".

Page Break

SIDEBAR: Get It in Writing

Get the right people involved and revise regularly

Responsibility for managing teleworkers is not only the job of the remote workers' immediate bosses but also involves IT, human resources, finance and other corporate staff. That's why it's important to get all those people in the same room when drafting a company's formal telework strategy.

One of Forrester Research's key recommendations: Create and maintain a formal, written telecommuting policy.

To be effective, Forrester analyst Brownlee Thomas says a telecommuting policy should cover employee eligibility; lay out employer and employee responsibilities; determine who's to pay for remote office gear, including equipment and services; establish the level of support IT will provide to teleworkers; and address how enterprise data and customer information will be stored and handled.

Even if a company has just 25 permanent remote workers, a formal policy document is a must-have, Thomas says. IT, HR and business managers should get together to create and revise the policy, as well as encourage input from remote workers for improving the telework program.

Thomas addresses all these topics in a research report, "How To Write A Telecommuting Policy". Here are some of the tips:

• Determine acceptable use. Part of remote employees' responsibilities include not misusing corporate systems. A telecommuting policy should be clear about what constitutes appropriate e-mail, Internet and intranet usage. For example, what's considered harassment or offensive use? What are the company's file-downloading and forwarding practices? How is company-confidential material to be handled? Are chat rooms and bulletin boards off limits? Will the employer be monitoring employee usage?

• Address safety and insurance. Forrester recommends companies try to ensure that their remote employees are set up in a safe working environment and can protect any employer-owned equipment from theft and damage, for example. Insurance coverage is usually split between parties, according to Thomas. "Typically the employer's insurance policy would cover enterprise-owned equipment, while the employee's home insurance policy would cover civil liability for deliveries and at-home meetings with colleagues, customers or suppliers," Thomas writes.

• Keep on top of tech advances. Companies should regularly revise their telecommuting policies, especially with respect to IT gear and services. New remote access technologies will crop up, enterprise applications will be added or dropped, and security practices will mature - the policy needs to reflect these changes.

• Spell out what kind of home-office equipment IT will provide, recommend and support. IT should put together a list of approved home-office equipment, including brands and model options, specific to teleworkers' job functions. But it doesn't end there: Teleworkers will likely look for IT support for related tech add-ons. "IT should also specify other types of remote-office equipment the internal help desk will support on a best-effort basis," Thomas writes. It's reasonable for home users to expect some level of support from IT for other PC- and network-connected equipment, such as personal firewall equipment, home LAN-routers, printers and fax machines, according to Thomas.

• Cooperation? Get it in writing. A telecommuting agreement is a document that summarizes employees' telework responsibilities and can help ensure compliance with IT and other corporate policies, according to Thomas. She suggests companies require their teleworking employees sign such an agreement - sometimes annually - to confirm that they've read the company's telecommuting policies and understand who's responsible for what.