A recently released Ernst & Young report, titled Risk at Home: Privacy and Security Risks in Telecommuting, details the telecommuting practices of 73 responding companies from Canada, the U.S. and Europe, from those with less than 20 employees to those on the Fortune 100. The report identifies potential risk areas for organizations using telecommuters, like problematic guidelines and standards, unprotected records, communication channels, and devices and lack of security or policy training.

The first failures in telecommuting security start with policy. While two thirds of respondents to the survey indicated they have general computer and mobile policies, many do not have telecommuting-specific guidelines.

“Different levels of solutions benefit telecommuting, but we haven’t seen anyone look specifically at telecommuting and say, What are the risks?” says Sagi Leizerov, a senior manager with Ernst & Young’s Advisory Services Group, based in the U.S.

A cookie-cutter approach can create more problems than it solves. In order to have effective standards and guidance, policies should address organization-specific risks. Equally importantly, once those policies are in place, the employees affected by them should be given guidance and monitored in an ongoing process.

“There needs to be ongoing marketing within a company, where you send out messages — ”˜Hey, did you do this today?’ — reinforcing the security policies of the organization,” says David Senf, director of security research at IDC Canada, based in Toronto. “It’s an ongoing campaign that needs to happen.”

Dubious devices

“Talking about someone who is always working from home with very little monitoring, there’s going to be greater risk,” says Ari Schwartz, deputy director, Center for Democracy and Technology, based in Washington, D.C. “It’s hard to say telecommuting is inherently less secure or has inherently more problems than working in the office. It really depends on a risk calculation, and the question is, do you have a policy in place to be able to do that risk calculation, and do you have steps that come into effect as people start to hit the higher risk levels?”

The main difference between working in-office and telecommuting is exposure to the home environment. The risk is different than for business traveling or occasionally taking work with you, since there’s a greater chance employees will leave information lying around. Even something as simple as a password on a sticky note can create opportunity for a breach, says Leizerov, who explains that similar actions give access to company information to anyone with access to the house. Additionally, only 50 per cent of surveyed organizations use spoken identification to gain access to their networks, and zero use biometrics. It also increases the chances of employees using home devices, which in many cases may be unprotected or unencrypted.

“It does make sense to allow telecommuters to use their PCs for some purposes, but we also specifically explain that the organizations should be requiring that those devices have certain security mechanisms installed on them,” says Leizerov.