Newsletter Sign-up

By CYRIL TUOHY, managing editor

Congratulations ... you've just given birth to your third child and you've inked a new contract with your employer that will allow you to work from home.

As far as you're concerned, the latest chapter in your relationship with your employer is off to a roaring start--well, yes and no. Corporate risk managers may want to sit down with human resources and think twice before approving a work-at-home arrangement with a key employee.

From the perspective of information-technology risk, work-at-home arrangements are not quite as safe as they sound, according to a survey titled "The State of Telecommuting: Privacy and Security."

The survey, released earlier this year by Ernst & Young and the Washington, D.C.-based Center for Democracy & Technology, a nonprofit organization that pushes for more open Internet standards, polled managers from 73 companies in 10 industries from the United States, Canada and Europe.

"Work-from-home arrangements are the next frontier for many companies, and the challenges they pose to privacy and security should be approached with appropriate rigor and resources," the authors of the report write in conclusion.

Just how rigorous will depend in part on the vigilance of the corporate risk management department and the amount of money at their disposal.

Whether corporate risk managers decide to implement new policies to guide their work-at-home troops or forgo the efforts at drawing up yet another set of internal policies is a decision left to the senior managers within the individual corporation.

But in the meantime, risk managers can stew on the following findings:

--Standards and guidance: Most respondents allow employees to handle personal information at home, but only half indicated they have both developed guidelines for telecommuting and provided guidance to their employees on the topic.

--Employee credentialing: While telecommuting could increase the risk of inappropriate use of personal information, organizations do not typically develop credentialing practices that address varying levels of risk as determined by the employee job function.

--Temporary employees and contractors: These workers frequently handle personal information while telecommuting; however, organizations vary widely in how they address this situation.

--Paper records management: Most organizations allow telecommuters to use paper records containing personal information, but the protection of those records is not commonly addressed.

--Securing hardware: Security considerations for telecommuter computers used at home are common, but protective policies and mechanisms do not commonly address all prevalent threats.

--Devices used by telecommuters: Telecommuters commonly use their own personal computers and PDAs at home for work purposes. Few organizations have adopted privacy-enhancing devices such as thin-client terminals for employees who commonly telecommute.

--Encryption technology: File and e-mail encryption tools are used by survey respondents' companies but still have much lower adoption rates than firewalls and anti-virus software.

--Authentication: Biometric technology has yet to become more than sparsely adopted.

--Internet connectivity: Most telecommuters connect to the Internet using a consumer-class broadband connection.

--Software downloads and Web usage: Limitations on downloading software and using peer-to-peer, file-sharing applications are common but not prevalent.

--Using e-mail: Although personal information can easily leave the organization via e-mail, limitations on telecommuters regarding the use of e-mail and external e-mail services are not common.

What is certain, according to research, is the number of employees who work at home at least one day a week is expected to grow at a compound rate of 4 percent annually, reaching a total of more than 46 million people by 2011, according to the IT consultancy Gartner.

September 15, 2008

Copyright 2008© LRP Publications