The increasing use of telecommuting has elevated the responsibilities of organizations to protect data and information used by teleworkers from non-office-based locations. Many of the world’s most successful companies have embraced the virtual workplace because of the role telework plays as a motivator, morale booster, and environmentally friendly alternative. The telework arrangements can, however, have significant implications for an organization’s data security and information technology operational strategies. Organizations are now beginning to understand that hackers are first attacking information technology equipment used by teleworkers. The growth in the use of teleworking, while providing workers with increased convenience and efficiency, raises numerous information security concerns, including maintaining confidentiality, preventing unauthorized access to information, data leakage, and information technology equipment theft. The use of teleworkers creates challenges for businesses and managers who work to maintain the security of the information and data to which teleworkers have access.
Telework involves providing workers with a flexible arrangement under which work duties are performed at an approved location other than the organization’s office location from which the employee would regularly work. The typical teleworker is a regular employee who works from home no more than two days a week, lives in the same metro area where the organization is located, works remotely for reasons of convenience, and often retains a normal desk in the office building or another work area of the organization. The teleworker may work for a small or a large business, has a college degree, and is more than 30 years old. Other teleworkers are virtual office workers who work from a remote location with a portable office provided by the organization. These workers may report to a branch office or maintain contact with the organization through various communication channels other than face-to-face interaction. Finally, some are short-term or long-term contracted teleworkers who are employed by an organization for a specific task or project and then leave the organization once this defined work or period of work has been completed.
The greater reliance on telework provides opportunities for breaches of data security through the unauthorized viewing of data, data theft, and data leakage. These security concerns also apply to non-teleworkers who work in an office setting. However, there are fewer opportunities for information security personnel and supervisors to interact with teleworkers and monitor compliance with information security policies than there are in an office setting. Data breaches can result in significant costs to the business related to:
- Notifying customers/clients that data security has been compromised
- Provision of assistance for victims affected by the data breach
- Loss of reputation and/or current and future customers
- Potential litigation
- Cost to hire experts to handle the data breach incident and/or develop and implement a data security plan.
Teleworkers present unique implementation challenges for an organization because of the information technology needed to provide teleworkers with a secure working environment while implementing information technology security controls. For example, managing and maintaining appropriate levels of computer virus protection, firewalls, and user access is more difficult when teleworkers use remote computer systems. Office-based computers and other data retrieval and storage systems often are housed in buildings with security features, such as patrol of the premises by security personnel, motion detectors, camera surveillance, and monitored access to offices and computers. While some teleworkers have homes with security systems, it is impossible to monitor the effectiveness of these systems and the extent that teleworkers use them. Another challenge to data security with teleworkers is that in an office environment, access to data and information can be controlled using a local area network. Storage integrity and confidentiality are harder to monitor for teleworkers in remote locations than in an office environment. Teleworkers often have to access data and information from the outside, increasing the risk of security breaches during periods of information retrieval and transmittal.
The ability to maintain information security by providing a secure environment to prevent destruction or theft of computers or data storage devices can be more challenging in a teleworker environment than when work is completed in the office. Also, teleworkers in an organization often cross several departments and organizational boundaries that involve the sharing of responsibility for maintaining data security. This can create a problem of ownership of the responsibility for maintaining data integrity and security among teleworkers, especially regarding identifying and correcting gaps in protection policies and procedures. Another risk is a lack of training for teleworkers regarding how to maintain data integrity and security. As a result, the attitudes, sense of control, and willingness of teleworkers to follow data security procedures are important factors to consider when creating and maintaining an information security plan.
Teleworkers’ motivation may be reflective of the seriousness with which an organization regards security measures. Hardware, software, devices, networks, and connections are just some of the variables that can increase or decrease security, along with the competence, diligence, and attitudes of the teleworkers themselves. Implementing telework agreements and having employees sign Rules of Behavior cannot account for every possible risk and do not ensure employees will use their best judgment regarding the principles outlined in the standards of ethical conduct. However, non-compliance with these agreements may result in disciplinary action.
The importance of telecommuting and the need for flexible work arrangements will continue to be significant factors in workforce management. Information security concerns regarding telecommuting are important because of the sheer number of teleworkers and the rapidly changing information technology. It is important for the Information Security Practitioner to lead the organization through risk-based decisions on maintaining the security posture of data and equipment in a telework environment. Information Security professionals must be ready to lead organization executives and advise all stakeholders on the importance of the information security impacts of telework.
By: Tim Godlove, PhD (University of Fairfax alum)