Security is telework's weakest link
Lawmakers and federal officials focus on raising teleworkers' security awareness
Increased security training has gained new importance as lawmakers and telework advocates prepare to push legislation this fall to expand federal telework programs.
A lack of data security training tops the list of the most serious security threats caused by employees who work from home, according to a recent survey of 35 chief information security officers. The Telework Exchange, a for-profit group that promotes the expansion of federal teleworking, conducted the survey with support from Hewlett-Packard.
'Any time that sensitive data is used remotely, there is a concern that users may fail to protect it properly,' said Patrick Howard, CISO at the Housing and Urban Development Department. Howard was not among the CISOs polled.
'Part of my job is to make sure teleworkers know that the need for them to employ good security practices is heightened when they telework and access sensitive data remotely,' Howard said.
Legislation in the House and Senate to expand federal telework would require agencies to incorporate training, including security practices, into their new-employee orientation programs. The House measure, which lawmakers approved Aug. 4 as part of an energy-efficiency bill, would require all federal managers and new teleworkers to receive such training.
Unlike the Senate measure, which would include judicial and legislative branch employees, the House bill would apply only to executive branch workers.
No uniform requirement for telework training exists. The Office of Personnel Management and the General Services Administration run www.telework.gov
, where federal employees and managers can enroll in courses and receive guidance on telework. Agencies are using expanded training for employees and managers as a primary tool for overcoming barriers to telework, OPM officials say.
Sponsors of the telework legislation also say telework and related security training cannot be ignored. 'The success of telework policies, like any workplace policy, will depend heavily on the training of managers and employees,' said Rep. John Sarbanes (D-Md.), a sponsor of the House measure. 'My amendment requires that each agency develop a plan for telework training as part of its overall telework policy, which will be assessed annually by the Government Accountability Office.'
Under the House and Senate measures, agencies would offer their own training programs, but both bills would transfer much of the oversight of telework policies from OPM to GAO.
In the Telework Exchange survey, 94 percent of CISOs said they do not think official telework programs, which often require some employee and manager training, pose a data security threat. However, they did say that unsanctioned telework is risky.
Howard said official telework programs can also be risky if employees are unaware of security risks. Earlier this year, an approved teleworker at the Transportation Department inadvertently shared government files while working on a home computer on which her teenage daughter had downloaded peer-to-peer file-sharing software.
As part of a strategy to prevent future incidents, DOT is developing a telework-specific security course that will focus on the risks of using home PCs, Daniel Mintz, the department's chief information officer, said in congressional testimony in July.
Calls for expanded telework training have increased as agencies face pressure from White House officials to improve their disaster preparedness and continuity-of-operations plans. OPM officials have urged agencies to integrate telework into their COOP plans, but only 35 percent of federal agencies have done so, according to a recent OPM report to Congress.