Government Technology
Digital Communities: city, county and regional technology news

Report: Telecommuting Presents Privacy and Security Risks to Organizations


Jul 30, 2008, News Report


Personal and private information related to both employees and their employers may be compromised by telecommuting staff if privacy risks are not dealt with effectively, according to a new report developed by Ernst & Young LLP and the Center for Democracy and Technology (CDT).

The report, titled Risk at Home: Privacy and Security Risks in Telecommuting, is based on the results of a survey designed to identify the current state of privacy and security considerations in work-from-home arrangements. The report also highlights specific steps organizations can take to protect personal and other sensitive company-related information as well as areas of potential weakness companies should address.

"As more organizations allow employees to work remotely or from home, there are increased privacy and security risks," said Sagi Leizerov, a senior manager with Ernst & Young's Advisory Services group. "Employers need to establish clear guidelines that will protect confidential information from such risks and employees must understand why such requirements were created as well as the critical need to comply with them."

A total of 73 corporate and government organizations (representing 10 industries in the U.S., Canada and Europe) participated in the study. Respondents acknowledged telecommuting is a persistent area of risk and recognized the topic is often not adequately addressed. In some instances, risks associated with telecommuting do not garner the same attention as newer, more pressing business risks.

Findings from the survey also suggest employers do not fully recognize and address the privacy and security issues related to telecommuting employees, leaving the organization vulnerable to certain risks. For example, while many organizations allow telecommuters to handle personal information at home, only half of the survey respondents said they address this subject with formal policies and training. Survey respondents noted the multidisciplinary nature of the topic -- which could be viewed as a human resources, information technology, security or privacy issue -- made it difficult for them to determine whose responsibility it should be to address these risks.

But companies are not completely missing the mark, as the survey shows internal controls have been established to monitor and protect the transfer of information both within and outside the walls of an organization. Despite these efforts, gaps still exist between the establishment of such controls and consistent monitoring and enforcement. Consider these findings:

  • Although portable media (such as laptop computers and Personal Digital Assistants (PDAs)) are commonly used by telecommuters and have been in the forefront of various recent information breaches, few organizations have adopted privacy-enhancing devices (such as thin-client terminals, which are computers that are designed to not save data) to help safeguard sensitive information.
  • Telecommuters regularly use their own personal computers and PDAs for work purposes. However, the hard drive and e-mail encryption tools commonly found on employer-supplied devices are of little help when employees use their home computers for work-related activities.
  • Allowing telecommuters to use wireless Internet connections is a common practice, yet the use of wireless security measures is not widely required.
  • To protect company information from being exposed outside the office, policies on downloading non-company approved software and using peer-to-peer file-sharing applications do exist for telecommuting employees. However, the use of certain tools (such as firewalls) to enforce such policies is only applicable when employees are connected to the internal office network.
  • Organizations can also help protect sensitive information by conducting tailored, periodic background checks for all employees based on their role, location and level of exposure to confidential information. Although more than 75 percent of respondents perform such activities (including background checks and drug tests) prior to employment and 15 percent continue these initiatives periodically (as appropriate), the types of activities being done do not seem to vary based on whether or not
