Telework’s weak link

Security is one of the inconvenient topics that inevitably arises, sooner or later, when agencies start talking about telework.

Telework is a popular topic. The idea of letting employees work from home a few or most days each week has garnered increasing interest among government workers and managers for a number of good reasons.

Workers enjoy the reduction in commuting costs and time and appreciate the convenience and flexibility that may help them juggle family and work responsibilities. Agencies benefit from improved employee morale, the ability to relocate offices without losing part of their workforce, and reduced real estate costs. Recognizing these and other advantages, the House approved last month H.R. 4106, which would require federal agencies to set policies that allow some workers to telework. Although workers and agency executives might only see telework’s upside, security officers and experts know it also has a dark side. Whenever employees take data home or work on it outside an agency’s physical walls and network firewall, there is the potential for security leaks. The challenge is to figure out how to give home-based workers sufficient freedom to do their jobs without compromising data security and privacy.

Government telework pioneers, such as the U.S. Patent and Trademark Office, have been naturally cautious. The USPTO has 14 telework programs in which employees work from home as few as one day or less a week to almost the whole week. Nearly 4,000 USPTO workers and contractors are teleworking, representing about 85 percent of the telework-eligible workforce. Significantly, about 1,400 of the office’s teleworkers are “hotelers,” having given up their permanent office space and instead reserving temporary desk space when they come in a few hours each week. All this has been great for the USPTO’s bottom line. “We’re hiring additional workers each year,” said Danette Campbell, senior adviser for telework at USPTO.
“Those hotelers let us do so without having to add to our real estate significantly.” Because of the sensitivity of the proprietary data USPTO works with, Campbell has gone to great lengths to ensure that the dispersed workforce is as close to leak-proof as possible. The most significant security policy is that all teleworkers use only USPTO computers, which hold virtually no applications or data. Employees work directly on the application server at the USPTO through a secure virtual private network connection, which encrypts data during its transit across the network from the server to the user’s local machine. Second, all employees handle their work-related telecommunications through voice over IP, which allows them to use the same phone number at home as in the office. That reduces mix-ups, such as not being able to reach a home-based worker during an emergency or leaving a phone message regarding agency business on the wrong telephone number.

Finally, each laptop PC uses full-disk encryption software, which prevents an unauthorized person from accessing the data even if they got physical possession of the machine. “We have gone to great lengths to secure our data even if at times it might seem to be overkill,” Campbell said.

It is usually better to overdo security than to underplay it. However, financial realities sometimes force agency executives to make cost/benefit analyses about tactics for mitigating the risks associated with teleworking. One of the most important decisions for telework program managers is whether to provide workers with an agency computer or allow them to use their own computers.

Several security experts said requiring teleworkers to work only on agency-owned machines is the best policy, but it is also the most expensive one. “If your agency owns the machines, you can control them completely,” said Vaughn Volpi, chairman of PICA, a loss prevention and security consulting company.
“You can decide what applications workers can use, what data they can download and what external media they can connect to the machine. And if you need to investigate a leak, it’s much easier to get the computer back for forensic purposes than it would be to subpoena someone’s personal PC.”

Volpi suggests placing keystroke mapping software and even Global Positioning System tracking devices on laptops, with the employees’ knowledge. The GPS can help the agency find lost PCs and also help enforce policies that identify where employees can use their laptops. But Volpi and other security experts say not all agencies are financially or culturally ready to limit teleworkers to agency-owned computers. And some might not need that level of protection.

Bill Marsh, information technology security officer at the National Science Foundation, said he would like to provide all teleworkers with NSF-owned computers, but the cost would be prohibitive.

“We can’t justify it financially right now,” Marsh said. Each day about 75 to 100 of the 1,500 NSF employees access the network remotely. Some of these — Marsh didn’t have exact numbers — are in one of the foundation’s two telework programs. In one program, employees work regularly from home a specific number of days each week. In the other, people work from home occasionally, getting their supervisors’ consent ahead of time. Marsh points out that most employees do not work on sensitive data. The few who do are not allowed to telework. Still, Marsh has a limited number of NSF-owned laptops on hand, which he gives to workers who request them. He doesn’t have enough for all workers, but he hopes to increase that number gradually so that eventually all teleworkers use machines owned and managed by NSF. The primary security technologies NSF uses for its teleworkers are two different kinds of VPNs. Most employees use a Web browser-based Secure Sockets Layer VPN to access their personal desktop data and applications at the office.
This remote-access method eliminates the need for downloading data onto removable media, such as a USB thumb drive, to bring it home, which would present a security risk. A more limited number of managers who have administrative duties use an IPsec VPN that provides greater security than the SSL VPN for access to NSF’s more sensitive network resources. An IPsec VPN requires special software loaded on an employee’s remote computer.

In general, the level of control an agency needs to have over the teleworker’s PC or laptop should be based on the sensitivity of the data balanced with the need for workers to have the ability to customize their machines to their liking, security experts say. Jill Knesek, who is now chief security officer at BT America and had been a special agent at the FBI’s computer crimes task force, said company officials decide on a case-by-case basis whether to allow teleworkers to use their own computers rather than company-provided equipment. “We assess risks,” Knesek said. “We try to give teleworkers as much freedom as possible because the more freedom, in general, the more efficient they will be. But we have to also consider the sensitivity of the data they will be working on.”

Steven Antone, vice president of federal solutions at Lumension, agrees with Knesek about giving users as much freedom as possible — even on agency-owned computers — without compromising security. One way to do that is to provide for exceptions to the security policy. “Have an easy-to-use change control plan,” he said. For example, if someone needs a PowerPoint slide and policy dictates that no Microsoft Office files can be downloaded from nonagency sources, an organization can provide a convenient means for the teleworkers to apply for a one-time exemption. For some teleworkers and some types of actions, the policy might allow users to download a file without prior authorization. That action would be recorded for a later security follow-up.
In other cases, prior consent might be required. “You can be as specific as you need to be in determining who needs permission and the types of permissions each person or task requires,” Antone said.

Managers can use various technologies to help enforce telework policy, but training will enlist users in the effort to keep the data safe. Marsh believes that ultimately, training and education might be the most important aspects of telework security. “Our goal is to create a culture of security awareness,” he said.

All the agencies with telework programs interviewed for this article require employees to take a training class before working from home. These classes usually cover cybersecurity issues, such as one agency’s policy forbidding workers from using wireless local-area network Wi-Fi connections, and physical security issues, such as rules about securing work computers and even printouts of work information in a locked drawer or cabinet. The classes also cover other issues, such as the importance of having an appropriate, comfortable place to work. Requiring the right teleworking home environment might be so important that it could create the need for new enforcement methods, said Jack Phillips, managing director and co-founder of the Institute for Applied Network Security. Some of those might even seem intrusive. “There’s a looming question which will be coming down the line and which will have to be addressed,” Phillips said. “Does an organization have a responsibility to enter an employee’s house to check to ensure that the data is at least likely to be secure?” Phillips said that if agencies require that teleworkers have locked cabinets for paper files and idle computers, it might not be unreasonable that in return for the privilege of being allowed to telework, the employee submit to a home inspection.
And further, he wonders if the lack of this kind of inspection might make an agency liable in the case of a security breach resulting from a poorly protected home office. There’s no doubt that maintaining a secure telework environment presents many challenges that do not affect office-based workers. But most agencies doing it say the benefits far outweigh the perils, which can be managed.

Your computer or mine?

Don’t forget training

Stevens is a freelance journalist who has written about technology issues since 1982.
