Telecommuting's Rise Causing Privacy and Security Headaches
Telecommuting is gaining popularity. Efforts to lower the corporate carbon footprint and the office space footprint, work/life balance issues and similar factors are all leading to an expected four percent compound annual growth rate in the number of telecommuters working at least one day from home.
According to a Gartner study quoted by Ernst & Young in their report Risk at Home: Privacy and Security Risks in Telecommuting, released this week, there will be 46 million telecommuters worldwide by 2011. Because of this rise, personal and private information related to both employees and their employers may be compromised by telecommuting staff if privacy risks are not dealt with effectively.
“The takeaway,” said Sagi Leizerov, a senior manager with Ernst & Young's Advisory Services group and one of the report’s authors, “is while the organization has put in place different types of controls … it was done because of business travel, it was done because of the need to protect information even in the office environment led to adoption of technologies … all of those are good and they contribute to protecting information in telecommuting environment but they are not necessarily addressing the specific risk telecommuting brings about.”
The free report is based on the results of a survey, conducted in cooperation with the Center for Democracy and Technology, designed to identify the current state of privacy and security considerations in work-from-home arrangements. The report also highlights specific steps organizations can take to protect personal and other sensitive company-related information, as well as areas of potential weakness companies should address.
A total of 73 corporate and government organizations (representing 10 industries in the
This is because telecommuting is not new, said Leizerov. An evolving risk like telecommuting often gets back-burnered in light of newer threats and, therefore, the controls needed to ensure it is being properly secured are not always put in place.
“We think that part of the reason it doesn’t get the right attention is not only the governance side … it is an issue of who needs to own it,” said Leizerov. For example, it could belong to security, compliance, HR or IT.
While many organizations allow telecommuters to handle personal information at home, only half of the survey respondents said they address this subject with formal policies and training. Survey respondents noted that the multidisciplinary nature of the topic, which could be viewed as a human resources, information technology, security or privacy issue, made it difficult for them to determine whose responsibility it should be to address these risks.
But companies are not completely missing the mark, as the survey shows internal controls have been established to monitor and protect the transfer of information both within and outside the walls of an organization. Despite these efforts, gaps still exist between the establishment of such controls and consistent monitoring and enforcement.
Consider these findings:
—Although portable media (such as laptop computers and personal digital assistants (PDAs)) are commonly used by telecommuters and have been at the forefront of various recent information breaches, few organizations have adopted privacy-enhancing devices such as thin client terminals, which are computers designed not to save data, to help safeguard sensitive information.
—Telecommuters regularly use their own personal computers and PDAs for work purposes. However, the hard drive and email encryption tools commonly found on employer-supplied devices are of little help when employees use their home computers for work-related activities.
—Allowing telecommuters to use wireless Internet connections is a common practice, yet the use of wireless security measures is not widely required.
What To Do
The good news is that everything you need, from technology fixes to employee best practices (depending on your industry vertical), already exists. You may have to do some searching beyond E&Y’s report, but VPNs, encryption, thin clients, software as a service, remote desktop management, etc. all make telecommuting a manageable affair, at least from the technology side. It’s the people side, and how they handle security in their home offices, that is harder to deal with.
To protect company information from being exposed outside the office, policies on downloading non-company-approved software and using peer-to-peer file sharing applications do exist for telecommuting employees. However, certain tools used to enforce such policies, such as firewalls, are only applicable when employees are connected to the internal office network.
Organizations can also help protect sensitive information by conducting tailored, periodic background checks for all employees based on their role, location and level of exposure to confidential information. Although more than 75% of respondents perform such activities (including background checks and drug tests) prior to employment and 15% continue these initiatives periodically (as appropriate), the types of activities being done do not seem to vary based on whether the employee is a telecommuter or resides in the main office.
The report also addresses the protection of hard-copy files, the use of privacy enhancing technologies, the adoption of biometric technology and limitations on the use of email, in addition to monitoring of telecommuter activity by employers.
About The Survey
A diverse group of 73 corporate and government organizations representing 10 industries in the
The average number of employees from all organizations in the sample was approximately 50,000. Participating organizations submitted one completed survey, but answers could come from more than one individual. The Web-based survey was conducted between December 2007 and January 2008.