Telecommuting: A data security perspective on the risks and rewards
By Brian Lapidus
Telecommuting, whether full-time or part-time, is becoming increasingly popular in the United States. According to a 2008 survey from the Society for Human Resource Management, 57 percent of HR professionals indicate that their organization offers some form of telecommuting. The potential rewards are many – from increased productivity and cost savings to happier employees and greater appeal among potential recruits.
Despite the benefits, telecommuting ranks high on the list of data security threats for organizations, particularly if there is no formal policy in place. The most common missteps include using unsecured networks, sharing company laptops or equipment with family members and friends, and failing to update software and install security patches, among others.
Fortunately, there are certain measures that every organization can take to minimize the risks:
Establish a baseline by assessing all current telecommuting activities. Even if no employees are formally authorized to work remotely, chances are it happens anyway – think sick children, inclement weather and other unexpected events. The technology afforded to most office workers allows them to do a substantial amount of work from a remote location. Many employees take advantage of this fact to “work from home” during an emergency or to “catch up at home” when work starts to pile up. Regardless of the reason, the threat of data breach is very real, and must be assessed.
Develop a comprehensive telecommuting security policy. A clear and concise security policy that establishes the roles and requirements of employees is absolutely essential to ensuring a successful telecommuting program. The policy should specifically outline security measures and procedures for handling sensitive data, including storage and disposal. While the focus will undoubtedly be on cyber-security, organizations should make sure to address the proper handling of paper files. Consider providing employees with shredders or secure storage containers to meet this requirement.
Make decisions on equipment usage. An organization’s policy on equipment usage is an important component to an organization’s telecommuting security policy. Organizations should decide up front whether telecommuting employees will use personal computers or company-issued equipment, as this will be a major factor in what cyber-security measures can and cannot be implemented. Providing equipment gives the company more control over security issues, but employees must be provided with explicit instructions for the care and usage of the devices (e.g., never leave laptops unattended in public, never download and install programs without company approval). Even if the organization allows employees to use their own PCs, certain minimum security measures must be in place, such as firewalls, anti-virus and spyware programs, and encryption software.
Provide adequate technical support and training. Before sending employees home with sensitive company information – whether via laptop or hardcopy file, they should be trained on the requirements set forth in the organization’s telecommuting security policy. In the case of laptop and network use, ensure that employees fully understand how to access data securely. Remote workers should be trained periodically in techniques to spot suspicious activity, including signs that a computer has been infected with malware. Access to technical support is also an important factor – without support, an employee might be tempted to do whatever it takes to get the system up and running when something goes wrong, including disabling security features.
Conduct periodic audits. Even if the company’s IT department has remote management capability, it’s important to verify firsthand that all equipment is in good condition and working properly. Have employees bring in equipment periodically for a checkup, and review logs to determine what information has been accessed.
Don’t assume that restricting access to applications and systems is a fix for the program. Productivity will be negatively impacted if remote workers don’t have access to the tools and information necessary to perform. Don’t let the cons outweigh the pros. Face the problem head on with a comprehensive security policy and sound cyber-security measures and organizations will be free to reap the rewards that telecommuting can provide.
Brian Lapidus is chief operating officer for Kroll’s Fraud Solutions division. For more information, go to www.krollfraudsolutions.com.