Allowing employees to work from home and telecommute poses security and privacy risks that are not being addressed adequately by business or government, according to a study released Tuesday by consulting firm Ernst & Young in partnership with the Washington-based advocacy group Center for Democracy and Technology (CDT).
The report, "Risk at Home: Privacy and Security Risks in Telecommuting," surveyed 73 corporate and government organisations to find out whether they had formal telecommuting security policies implemented in practice, and whether employees working from home were trained in protecting data. The report concludes this was too often not the case, putting business and government data at far higher risk than if appropriate security best practices were used in the home telecommuting environment.
"We identified some disconnects about recognising risk areas and addressing it," said Sagi Leizerov, senior manager with Ernst & Young's advisory services group, about the findings in the report.
Ari Schwartz, vice president and COO at CDT, said the privacy-advocacy group assisted with the study to put the focus on determining what the best practices in telecommuting might actually be.
Schwartz said this question is of growing importance as the practice of telecommuting grows. He pointed out that security breaches have occurred in the context of telecommuting in the past two years, include well-publicized ones at the Department of Veterans Affairs and the National Institutes of Health, as well as at Blue Cross Blue Shield and the state of Ohio.
Neither Ernst & Young nor CDT is opposed to telecommuting, but Schwartz and Leizerov said the report's findings indicate the organisations surveyed often failed to adequately recognise the risks in telecommuting. They said telecommuting doesn't inherently pose more risk than office-based work, but it poses different risks that need to be recognised.
If setting policy is a starting point, organisations are slipping even on that. Only half of the organisations participating in the survey have even developed guidelines for telecommuting or provide guidance to their employees at all.
The survey looked at whether personal computers, portable devices and wireless networks were being used in telecommuting and which security controls were in place for them.
The study also asked how the protection of paper records containing the business information used by telecommuters was being addressed and whether there were security controls, such as file and e-mail encryption.
"About 50 per cent of respondents indicated that telecommuting employees, both full-time and occasional, sometimes use their personally owned computers and PDAs at home for work purposes," the report states, adding that the trend is toward easing restrictions about it.
The security that corporations require for business-issued devices and laptops, however, is seldom applied to employees' personally owned computers.
Security controls regarding the paper documents containing business data that are generated by telecommuting employees working at home also is somewhat weak, the study indicated.
"One-third of the organisations surveyed said they provide telecommuters with shredders for disposal," the report notes. "Roughly the same percentage said they have telecommuters shred paper records, but the employees must arrange their own shredders. And 17 per cent of the organisations indicated they have no disposal requirement for paper records," the report continues.
Leizerov called this unacceptable for a telecommuting environment, saying, "Organisations shouldn't expect employees to purchase their own controls."
The survey, which encompassed organisations in the United States, Canada and Europe, sought to differentiate between employees who work full-time from home and those who occasionally telecommute.
Ten industries were identified, with financial services and healthcare representing 40 per cent of the respondents. The remainder included business and professional services, manufacturing, retail, telecommunications, hospitality, and a "miscellaneous" category for those not fitting neatly into the defined industries.
Among some organisations that responded to the survey, "nearly all employees are occasional telecommuters" and "many respondents found it difficult to estimate the number of their full-time and occasional telecommuters -- an interesting finding on its own," according to the report.