By Allen Bernard
August 04, 2008
A new report shows that telecommuting is becoming more and more popular, but if best practices are not implemented, privacy and security are at risk.
Telecommuting is gaining popularity. Lowering the corporate carbon footprint, the office space footprint, work/life balance issues, etc. are all leading to an expected four percent compound annual growth rate in the number of telecommuters working at least one day from home.
According to a Gartner study quoted by Ernst & Young in their report Risk at Home: Privacy and Security Risks in Telecommuting released this week, worldwide there will be 46 million telecommuters by 2011. Because of this rise, personal and private information related to both employees and their employers may be compromised by telecommuting staff if privacy risks are not dealt with effectively.
“The takeaway,” said Sagi Leizerov, a senior manager with Ernst & Young’s Advisory Services group and one of the report’s authors, “is while the organization has put in place different types of controls … it was done because of business travel, it was done because of the need to protect information even in the office environment led to adoption of technologies … all of those are good and they contribute to protecting information in telecommuting environment but they are not necessarily addressing the specific risk telecommuting brings about.”
The free report is based on the results of a survey, conducted in cooperation with the Center for Democracy and Technology, designed to identify the current state of privacy and security considerations in work-from-home arrangements. The report also highlights specific steps organizations can take to protect personal and other sensitive company-related information as well as areas of potential weakness companies should address.
A total of 73 corporate and government organizations (representing 10 industries in the US, Canada and Europe) participated in the study. Respondents acknowledged telecommuting is a persistent area of risk and recognized the topic is often not adequately addressed. In some instances, risks associated with telecommuting do not garner the attention of newer, more pressing business risks.
This is because telecommuting is not new, said Leizerov. An evolving risk like telecommuting often gets back-burnered in light of newer threats and, therefore, the controls needed to ensure it is being properly secured are not always put in place.
“We think that part of the reason it doesn’t get the right attention is not only the governance side … it is an issue of who needs to own it,” said Leizerov. For example, security, compliance, HR, IT.
While many organizations allow telecommuters to handle personal information at home, only half of the survey respondents said they address this subject with formal policies and training. Survey respondents noted the multidisciplinary nature of the topic, which could be viewed as a human resources, information technology, security or privacy issue, made it difficult for them to determine whose responsibility it should be to address these risks.
But companies are not completely missing the mark, as the survey shows internal controls have been established to monitor and protect the transfer of information both within and outside the walls of an organization. Despite these efforts, gaps still exist between the establishment of such controls and consistent monitoring and enforcement.
Consider these findings:
—Although portable media (such as laptop computers and personal digital assistants (PDAs)) are commonly used by telecommuters and have been in the forefront of various recent information breaches, few organizations have adopted privacy-enhancing devices such as thin client terminals, which are computers designed not to save data, to help safeguard sensitive information.
—Telecommuters regularly use their own personal computers and PDAs for work purposes. However, the hard drive and email encryption tools commonly found on employer-supplied devices are of little help when employees use their home computers for work-related activities.
—Allowing telecommuters to use wireless Internet connections is a common practice, yet the use of wireless security measures is not widely required.
What to do
The good news is everything you need, from technology fixes to employee best practices (depending on your industry vertical), already exists. You may have to do some searching beyond E&Y’s report but VPNs, encryption, thin-clients, software as a service, remote desktop management, etc. all make telecommuting a manageable affair—at least from the technology side. It’s the people side—and how they handle security in their home offices—that is harder to deal with.