The dark side of telecommuting
By Carolyn Yates
The easy access to information that makes telecommuting possible creates an opportunity for that same information to spread to places it doesn’t belong.
A recently released Ernst & Young report, titled Risk at Home:
Privacy and Security Risks in Telecommuting, details the telecommuting
practices of 73 responding companies from Canada, the U.S. and Europe,
from those with fewer than 20 employees to those on the Fortune 100. The
report identifies potential risk areas for organizations using
telecommuters, like problematic guidelines and standards, unprotected
records, communication channels, and devices and lack of security or
The first failures in telecommuting security start with policy. While
two thirds of respondents to the survey indicated they have general
computer and mobile policies, many do not have telecommuting-specific
“Different levels of solutions benefit telecommuting, but we haven’t
seen anyone look specifically at telecommuting and say, What are the
risks?” says Sagi Leizerov, a senior manager with Ernst & Young’s
Advisory Services Group, based in the U.S.
A cookie-cutter approach can create more problems than it solves. In
order to have effective standards and guidance, policies should address
organization-specific risks. Equally important, once those policies
are in place, the employees affected by them should be given guidance
and monitored in an ongoing process.
“There needs to be ongoing marketing within a company, where you send
out messages — ‘Hey, did you do this today?’ — reinforcing the security
policies of the organization,” says David Senf, director of security
research at IDC Canada, based in Toronto. “It’s an ongoing campaign
that needs to happen.”
“Talking about someone who is always working from home with very little
monitoring, there’s going to be greater risk,” says Ari Schwartz,
deputy director, Center for Democracy and Technology, based in
Washington, D.C. “It’s hard to say telecommuting is inherently less
secure or has inherently more problems than working in the office. It
really depends on a risk calculation, and the question is, do you have
a policy in place to be able to do that risk calculation, and do you
have steps that come into effect as people start to hit the higher risk
The main difference between working in-office and telecommuting is
exposure to the home environment. The risk is different from that of
business travel or occasionally taking work with you, since there’s
a greater chance employees will leave information lying around. Even
something as simple as a password on a sticky note can create
opportunity for a breach, says Leizerov, who explains that similar
actions give access to company information to anyone with access to the
house. Additionally, only 50 per cent of surveyed organizations use
spoken identification to gain access to their networks, and zero use
biometrics. Telecommuting also increases the chances of employees using home
devices, which in many cases may be unprotected or unencrypted.
“It does make sense to allow telecommuters to use their PCs for some
purposes, but we also specifically explain that the organizations
should be requiring that those devices have certain security mechanisms
installed on them,” says Leizerov.
Even with controls in place, information can still be at risk. The
report recommends that organizations provide security mechanisms for
their employees, rather than expecting them to purchase them
themselves. It also recommends the use of thin-client devices, which
depend on a (secured) central server for processing and storage.
Downloading software and peer-to-peer file sharing are also risks.
Close to half the survey respondents specifically address peer-to-peer
networks in their policies and have introduced technological controls
to block them. However, downloading software is something that not many
organizations bother to, or can, control.
“Half of the respondents indicated they do not allow downloads or
software that was not issued by the organization, but a very small
group of respondents indicated that they have no way to control that,”
File and e-mail encryption may prevent mishaps due to unsecured home
networks, which is important. Consider this: most telecommuters connect
to the Internet using a basic home connection. According to a 2007
study by Cisco (Security Perceptions & Online Behavior of Remote
Workers), 12 per cent steal their neighbour’s.
“An employee at home is more likely to use an unsecured network. File
encryption is useful if we know the telecommuter is using a home device
to access personal information from work,” says Leizerov.
Although many organizations may encrypt company computers and laptops,
that encryption doesn’t exist on employees’ home devices. Around 50 per
cent of companies surveyed use file and e-mail encryption, but those
measures weren’t designed specifically for telecommuters, and so may be
“We want to encourage telecommuting, the ability to work from home, and
the ability to use networks to work from home,” says Schwartz. “We have
an opportunity right now before it grows where we can start to build