Federal systems chiefs who worry about whether or not their agency’s official teleworking population represents a security hazard can take a breath. Instead, they should start losing sleep over “unofficial” teleworkers — those employees who pack up documents and notebook computers and work at home at night and on weekends.
A survey of 258 federal teleworkers and nonteleworkers released this summer by the Telework Exchange found that employees who work full time at the office but log extra hours at home are less aware than official teleworkers are of their agencies’ security policies. They also have less training in data security, are more likely to carry files home and are less likely to have encryption and antivirus protection on their computers (both desktop and portable systems).
The report notes that of nonteleworkers who take work home, 63 percent use their own PCs to do official government work and 41 percent log on to their agencies’ networks from home. These often invisible, nonofficial teleworkers represent the “Achilles heel” of data security, the report says.
The report recommends four steps agencies should take to close security gaps created by these “home warriors”:
- Audit and assess how many employees actually work at home at night and on weekends.
- Implement and update policies, training and technology to reinforce data security policies for an increasingly mobile workforce — users beyond the approved groups of teleworkers that all agencies now have.
- Provide data security training and reinforce security policies to all employees, regardless of their telework status.
- Outfit all notebook and desktop systems with encryption and antivirus protection.
These recommendations echo some of the administration’s requirements for protecting sensitive information issued last summer. But the survey results suggest that the Office of Management and Budget’s policies may not be seeping down to individual users. The OMB M-06-16 memorandum recommends that agencies take the following actions:
- Encrypt all data on mobile computers and devices that carry agency data, unless the agency determines that the data is nonsensitive.
- Allow remote access only with two-factor authentication, where one of the factors is provided by a device separate from the computer gaining access.
- Use a “time-out” function requiring user reauthentication after 30 minutes of inactivity for remote access and mobile devices.
- Log all computer-readable data extracts from databases holding sensitive information and verify that each such extract has been erased within 90 days or that its use is still required.
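The fourth OMB action above, logging data extracts and verifying within 90 days that each has been erased or is still needed, is the one that is easiest to let slip in practice, because it requires someone to revisit the log. The script below is an added example, not part of the article or of OMB M-06-16, and the comma-separated log format, the `audit_extracts` function and the sample records are all constructed for illustration. It classifies each logged extract as compliant, justified, erased late, or overdue against a given review date.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

# Constructed sample extract log (hypothetical format, not agency data).
# Fields: extract_id, extracted_on, erased_on (or "-"), justification (or "-")
SAMPLE_EXTRACT_LOG = """\
# id,extracted_on,erased_on,justification
EXT-001,2007-03-01,2007-04-15,-
EXT-002,2007-03-10,-,-
EXT-003,2007-05-20,-,quarterly-report-in-progress
EXT-004,2007-07-01,-,-
EXT-005,2007-01-05,2007-05-01,-
"""

# Retention window taken from the OMB M-06-16 requirement quoted above.
RETENTION_DAYS = 90


@dataclass
class ExtractRecord:
    extract_id: str
    extracted_on: date
    erased_on: Optional[date]
    justification: Optional[str]


def parse_date(text: str) -> date:
    return datetime.strptime(text, "%Y-%m-%d").date()


def parse_extract_log(text: str) -> list:
    """Parse the constructed CSV-style extract log into records, skipping comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        extract_id, extracted, erased, justification = [f.strip() for f in line.split(",")]
        records.append(ExtractRecord(
            extract_id=extract_id,
            extracted_on=parse_date(extracted),
            erased_on=None if erased == "-" else parse_date(erased),
            justification=None if justification == "-" else justification,
        ))
    return records


def audit_extracts(records: list, as_of, retention_days: int = RETENTION_DAYS) -> dict:
    """Classify each extract relative to the review date `as_of`.

    overdue     : still present, older than the retention window, no justification
    erased_late : erased, but more than retention_days after extraction
    justified   : still present with a documented reason its use is still required
    compliant   : erased within the window, or not yet old enough to be due
    """
    if isinstance(as_of, str):
        as_of = parse_date(as_of)
    window = timedelta(days=retention_days)
    report = {"overdue": [], "erased_late": [], "justified": [], "compliant": []}
    for r in records:
        if r.erased_on is not None:
            bucket = "erased_late" if r.erased_on - r.extracted_on > window else "compliant"
        elif r.justification:
            bucket = "justified"
        elif as_of - r.extracted_on > window:
            bucket = "overdue"
        else:
            bucket = "compliant"
        report[bucket].append(r.extract_id)
    return report


if __name__ == "__main__":
    for bucket, ids in audit_extracts(parse_extract_log(SAMPLE_EXTRACT_LOG), "2007-07-15").items():
        print(f"{bucket:12s} {', '.join(ids) or '-'}")
```

Run it with a review date and the "overdue" list is the set of extracts someone must either erase or justify; the "erased_late" list is a process failure worth raising even though the data is gone. Wiring the same classification to the real extract log and scheduling it is what turns the OMB requirement into a check rather than a sentence in a policy.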
Given the survey findings, Cindy Auten, general manager of Telework Exchange, says official teleworkers, by contrast, are a “model of effective security training and behavior. The rest of the agency really needs to know as much about updated agency policies and have as much training as this community does.”
Auten also notes that the need for vigilance is growing because mobile computing is on the rise. Of the 258 respondents to the survey, 41 percent use notebook computers. Of these portable users, 45 percent say they made the switch from desktop to notebook systems within the last year.