Security and Privacy Risks of Telecommuting Not Effectively Being Addressed

Contact:
Brock N Meeks, CDT
(202) 637-9800 ex. 114
(703) 989-3547 (cell)

WASHINGTON, D.C. -Telecommuting and the virtual office put sensitive corporate data, including the personal information of customers, at risk of compromise, according to a report released today by the Center for Democracy & Technology and Ernst & Young.

The report, "The State of Telecommuting: Privacy and Security," based on a survey of 73 organizations recommends that companies with a telecommuting workforce need to pay more attention to the unique privacy and security risks posed by remote access. The report offers practical advice to companies on securing data accessed by employees working from home or other remote locations.

"Most of the security and privacy risks associated with telecommuting are already known," said CDT Vice President Ari Schwartz. "In a lot of cases those risks can be addressed if companies would simply put more emphasis on the procedures and policies they already have in place."

According to a recent report more than 46 million people are expected to work at home at least one day a week by the end of 2011. That increase of telecommuting workers heightens the need for robust security and privacy policies. Respondents acknowledged the inherent risks of telecommuting, but admitted these risks aren’t made a high priority.

Serious gaps remain between the establishment of security requirements and consistent monitoring and enforcement. Consider these findings:

Computers used by telecommuting employees often do not contain security features that specifically address the unique threats that come from remote computing, such as inappropriate access by non-employees, use of technology for unauthorized purposes, etc.

•  
• Portable devices, such as laptops and personal digital assistants (PDAs), commonly involved in data breaches, are widely used by telecommuters. However, few organizations have adopted thin client terminals-lightweight devices with Internet connectivity-which have little data storage capability.
• Telecommuting employees using their own personal computers or PDAs for work purposes thwart the advantages of employer supplied encryption tools.
• Allowing telecommuters to use wireless Internet connections is a common practice, but the use of wireless security measures is not widely required. The implications of this finding are compounded by the fact that telecommuters are increasingly accessing their neighbors’ unsecured wireless connections when working from home.
• Policies on downloading software and using peer-to-peer file-sharing applications are common but the enforcement approach varies. While half of the organizations use technical controls to block peer-to-peer file sharing applications, and a third of organizations block telecommuters from using instant messaging applications, others lack technical controls, relying instead on software use policies.

Other topics covered by the survey and included in the report are: background checks of telecommuters, policies regarding temporary employees and contractors who telecommute, protecting paper records, use of privacy-enhancing technologies, use of file and email encryption tools, deployment of biometric technology, limitations on the use of email, and monitoring of telecommuters by employers.

About the survey

A diverse group of 73 corporate and government organizations representing 10 industries in the US, Canada and Europe participated in the study. About half the survey respondents hold a Fortune designation, including 20% of the Fortune 100 companies, and range in size from over 100,000 to under 100 employees. The average number of employees from all organizations in the sample was approximately 50,000. Participating organizations submitted one completed survey, but answers could come from more than one individual. The Web-based survey was conducted between December 2007 and January 2008.

About the Center for Democracy & Technology

The Center for Democracy & Technology is a non-profit public interest organization working to keep the Internet open, innovative, and free. With expertise in law, technology, and policy, CDT seeks practical solutions to enhance free expression and privacy in communications technologies. CDT is dedicated to building consensus among all parties interested in the future of the Internet and other new communications media.