Telecommuting Poses Security, Privacy Risks

Allowing employees to work from home and telecommute poses security and privacy risks that are not being addressed adequately by business or government, according to a study released Tuesday by consulting firm Ernst & Young in partnership with the Washington-based advocacy group Center for Democracy and Technology.

The report, "Risk at Home: Privacy and Security Risks in Telecommuting," surveyed 73 corporate and government organizations to find out whether they had formal telecommuting security policies implemented in practice, and whether employees working from home were trained in protecting data. The report concludes this was too often not the case, putting business and government data at far higher risk than if appropriate security best practices were used in the home telecommuting environment.

"We identified some disconnects about recognizing risk areas and addressing it," said Sagi Leizerov, senior manager with Ernst & Young's advisory services group, about the findings in the report.

Ari Schwartz, vice president and COO at CDT, said the privacy-advocacy group assisted with the study to put the focus on determining what the best practices in telecommuting might actually be.

Schwartz said this question is of growing importance as the practice of telecommuting grows. He pointed out that security breaches have occurred in the context of telecommuting in the past two years, include well-publicized ones at the Department of Veterans Affairs and the National Institutes of Health, as well as at Blue Cross Blue Shield and the state of Ohio.

Neither Ernst & Young nor CDT is opposed to telecommuting, but Schwartz and Leizerov said the report's findings indicate the organizations surveyed often failed to adequately recognize the risks in telecommuting. They said telecommuting doesn't inherently pose more risk than office-based work, but it poses different risks that need to be recognized.

If setting policy is a starting point, organizations are slipping even on that. Only half of the organizations participating in the survey have even developed guidelines for telecommuting or provide guidance to their employees at all.

The survey looked at whether personal computers, portable devices and wireless networks were being used in telecommuting and which security controls were in place for them.

The study also asked how the protection of paper records containing the business information used by telecommuters was being addressed and whether there were security controls, such as file and e-mail encryption.

"About 50% of respondents indicated that telecommuting employees, both full-time and occasional, sometimes use their personally owned computers and PDAs at home for work purposes," the report states, adding that the trend is toward easing restrictions about it.

The security that corporations require for business-issued devices and laptops, however, is seldom applied to employees' personally owned computers.

Security controls regarding the paper documents containing business data that are generated by telecommuting employees working at home also is somewhat weak, the study indicated.

 "One-third of the organizations surveyed said they provide telecommuters with shredders for disposal," the report notes. "Roughly the same percentage said they have telecommuters shred paper records, but the employees must arrange their own shredders. And 17% of the organizations indicated they have no disposal requirement for paper records," the report continues.

Leizerov called this unacceptable for a telecommuting environment, saying, "Organizations shouldn't expect employees to purchase their own controls."

Subscribe to the Security Watch Newsletter

Comments