Technology has made it easier to work from home, something people are increasingly taking advantage of. But companies have neglected to address the security risks particular to telecommuting, according to a new Ernst & Young study.
The protections that do exist were created in response to other needs, such as business travel or off-site working. Telecommuting is different, and it’s frequently filled with security holes. “Rather than a real solution, the situation is more like Swiss cheese,” says Sagi Leizerov, an Ernst & Young senior manager who coauthored the report.
Employees working at home can leave documents around, work on personal computers that are shared with family members, and expose machines to risky software programs, such as peer-to-peer file sharing.
Leizerov says there are two main reasons companies haven’t addressed the subject head-on. One is that telecommuting has been around for a long time. “Organizations tend to be better at tackling hot issues,” he says.
Another reason is that responsibility for dealing with the security implications of telecommuting cuts across multiple departments within an organization. Parts of telecommuting risk could fall under IT, compliance, or human resources.
In addressing the issue, a first step could be for a company to examine the unique risks that arise from telecommuting. Then the company should look at whether existing controls address those risks. Once companies better understand the security gaps, they should consider their risk tolerance.
Drafting a policy, if companies don’t have one, is just a start. Procedural or technical controls are also needed.
Some telecommuting-specific security measures include coupling an online written policy with training, placing biometric readers on laptops to restrict usage, and providing telecommuting employees with shredders.
Companies needn’t implement across-the-board rules, such as outlawing home computers, Leizerov says. “There’s a right way for each firm.”