Telecommuting Poses Security, Privacy Risks

Allowing employees to work from home and telecommute poses security and privacy risks that are not being addressed adequately by business or government, according to a study released Tuesday by consulting firm Ernst & Young in partnership with the Washington-based advocacy group Center for Democracy and Technology.

The report, “Risk at Home: Privacy and Security Risks in Telecommuting,” surveyed 73 corporate and government organizations to find out whether they had formal telecommuting security policies implemented in practice, and whether employees working from home were trained in protecting data. The report concludes this was too often not the case, putting business and government data at far higher risk than if appropriate security best practices were used in the home telecommuting environment.

“We identified some disconnects about recognizing risk areas and addressing it,” said Sagi Leizerov, senior manager with Ernst & Young’s advisory services group, about the findings in the report.

Ari Schwartz, vice president and COO at CDT, said the privacy-advocacy group assisted with the study to put the focus on determining what the best practices in telecommuting might actually be.

Schwartz said this question is of growing importance as the practice of telecommuting grows. He pointed out that security breaches have occurred in the context of telecommuting in the past two years, include well-publicized ones at the Department of Veterans Affairs and the National Institutes of Health, as well as at Blue Cross Blue Shield and the state of Ohio.

Neither Ernst & Young nor CDT is opposed to telecommuting, but Schwartz and Leizerov said the report’s findings indicate the organizations surveyed often failed to adequately recognize the risks in telecommuting. They said telecommuting doesn’t inherently pose more risk than office-based work, but it poses different risks that need to be recognized.

If setting policy is a starting point, organizations are slipping even on that. Only half of the organizations participating in the survey have even developed guidelines for telecommuting or provide guidance to their employees at all.

The survey looked at whether personal computers, portable devices and wireless networks were being used in telecommuting and which security controls were in place for them.

The study also asked how the protection of paper records containing the business information used by telecommuters was being addressed and whether there were security controls, such as file and e-mail encryption.

“About 50% of respondents indicated that telecommuting employees, both full-time and occasional, sometimes use their personally owned computers and PDAs at home for work purposes,” the report states, adding that the trend is toward easing restrictions about it.

The security that corporations require for business-issued devices and laptops, however, is seldom applied to employees’ personally owned computers.

Security controls regarding the paper documents containing business data that are generated by telecommuting employees working at home also is somewhat weak, the study indicated.

“One-third of the organizations surveyed said they provide telecommuters with shredders for disposal,” the report notes. “Roughly the same percentage said they have telecommuters shred paper records, but the employees must arrange their own shredders. And 17% of the organizations indicated they have no disposal requirement for paper records,” the report continues.

Leizerov called this unacceptable for a telecommuting environment, saying, “Organizations shouldn’t expect employees to purchase their own controls.”

The survey, which encompassed organizations in the United States, Canada and Europe, sought to differentiate between employees who work full-time from home and those who occasionally telecommute.

Ten industries were identified, with financial services and healthcare representing 40% of the respondents. The remainder included business and professional services, manufacturing, retail, telecommunications, hospitality, and a “miscellaneous” category for those not fitting neatly into the defined industries.

Among some organizations that responded to the survey, “nearly all employees are occasional telecommuters” and “many respondents found it difficult to estimate the number of their full-time and occasional telecommuters — an interesting finding on its own,” according to the report.

The number of full-time telecommuters, however, is significantly smaller than the number of occasional telecommuters, the study concluded.

“While occasional telecommuters exist at each of the responding organizations, 46 of the 73 respondents employ full-time telecommuters,” the report states.

As far as securing hardware, the report states that 85% of organizations indicated they implement at least one of five methods for protecting hardware assets: failed-logon lockout settings on computers, privacy screens, security cables for locking down computers, periodic audits of telecommuters’ physical working environments and a “clean-desk policy for telecommuters.”

About 20% of the organizations said they conduct periodic inspections of telecommuter remote-work environments, with the frequency rate higher among organizations with greater numbers of telecommuters.

The study noted that stronger security controls, such as biometric authentication and thin-client terminals, have yet to take hold in the telecommuting environment.

“On a more positive note, the use of encryption, while not yet prevalent, is common on hard drives, in securing network connections and even in protecting e-mail messages,” the report states.

When it comes to portable devices, wireless networks and Internet downloads, however, the survey found security practices were “often lacking and could lead to the compromise of the personal information that employees handle at home.”

More than 70% of the organizations participating in the survey responded that they do some monitoring of telecommuters, most commonly by network monitoring or telecommuter e-mail and Internet use, the report states.

“Based on the results of this survey, many organizations today are not effectively managing the risks to personal information presented by the telecommuting workforce,” the report concludes, adding, “Work-from-home arrangements are the next frontier for many companies, and the challenges they pose to privacy and security should be approached with appropriate rigor and resources.”