July 29, 2008, 4:59 PM — Companies that allow employees to telecommute need to pay better attention to the cybersecurity challenges associated with it, according to a new study.
Telecommuting presents complex cybersecurity challenges, and many organizations ignore the risks, said the study, released Tuesday by the Center for Democracy and Technology (CDT), an advocacy group focused on privacy and security, and Ernst & Young.
Officials with CDT and Ernst & Young declined to call telecommuting more risky than working in an office, but said telecommuting presented different risks. In many cases, telecommuters use their own computers, subjecting company information to data breaches, and many companies don't have comprehensive telecommuting polices or restrict telecommuters from accessing data they don't need for their jobs, the study said.
"There's a lot of factors that go into making up the potential risk," said Ari Schwartz, vice president at CDT. "In some instances -- if you're talking about very sensitive information, if you're taking about someone who's always working from home with very little monitoring -- there's going to be a greater risk than someone who brings home information every once in a while and is monitored a lot."
Companies offering telecommuting as an option need to weigh the risks and take more steps to minimize the possibility of lost data, Schwartz said. With telecommuting likely to grow significantly in coming years, it's time to look at ways to make telecommuting less susceptible to data loss, he said.
"We have an opportunity right now, before it grows to be very large, to define best practices," Schwartz said.
The two groups surveyed 73 companies in the U.S., Canada and Europe and found that less than 50 percent provided teleworkers with e-mail encryption software. Only about 50 percent of the organizations offered hard-token authentication for work devices and there was hardly any use of biometric authentication.
Only about 20 percent of respondents said their organizations periodically inspect off-site work locations, and less than 50 percent use security cables to lock down computers at home offices.
The study lists several recommendations for companies to both implement and avoid when allowing telecommuters. Among the recommendations:
-- Develop telecommuting policies and training for everyone who telecommutes, not just full-time teleworkers.
-- Limit employee access to information based on their need to do their jobs and the organization's ability to monitor employee activities.
-- Provide telecommuters with clear guidance on the use and disposal of paper records.
-- Conduct house visits to ensure telecommuters who handle personal information are meeting security requirements.
The recommendations of what to do and what not to do came from survey respondents, and some companies are taking telecommuting security seriously, said Sagi Leizerov, senior manager of Ernst & Young's Advisory Services group.
"The picture is not bleak," he said. "There certainly are good examples out there in the marketplace, but if we look at the situation right now, it looks more like Swiss cheese. There are plenty of holes."