Improving Information Security for Teleworkers
By Tim Godlove, PhD
The ever-increasing use of telecommuting and telework has amplified the challenge to organizations of finding the optimal balance between burdensome levels of security and user productivity. According to a 2016 Ponemon Cost of a Data Breach study, the average cost of a data breach for companies has grown to $4 million, a 29% increase since 2013. Incidents have increased in both volume and sophistication, with 64% more security incidents reported in 2015 and 2014.
Employers’ commitment to information security and privacy protection in the context of teleworking is critical. This commitment goes well beyond the allocation of financial resources. Organizations need clear guidelines on how to protect against risks when it pertains to their confidential information and that of their teleworkers. Only when such policies and guidance are in place, and compliance with them is continually reinforced, does the considerable investment in telework infrastructure and personal management add value to organizational performance.
My recent study assessed organizational data security policies and practices concerning teleworkers. A key finding reported was that while business leaders realize that teleworkers represent data security risks, their companies have not given sufficient attention to dealing with these risks. Furthermore, teleworkers in an organization often cross several departments and organizational boundaries, which involves the sharing of responsibility for maintaining data security. This can create a problem of ownership of the responsibility for maintaining data integrity and security among teleworkers, especially regarding identifying and correcting gaps in protection policies and procedures. Another significant finding reported was that over half of those who participated in the study had no policies in place or did not provide training to teleworkers regarding how to maintain data integrity and security.
It is vital for organizations to convey to teleworkers that data protection and information security are important to an organization, and employees’ actions make a difference in achieving the overall goal of protection of sensitive data. Despite increased awareness and training on security issues, many employees do not take the necessary precautions for deterring security risks. Harmonization between management and teleworker perceptions about organization data protection and information security values plays a role in teleworkers’ data protection and information security behaviors. Teleworkers’ perceptions of the importance of data protection are relevant to their policy compliance behavior, along with the role that training, awareness, and policy enforcement play in shaping the information security climate. Policy compliance intentions are predicted by management’s information security importance perception, which in turn is highly associated with the employees’ perceived training and awareness as well as policy enforcement efforts by management.
Information security and privacy are two sides of the same coin when it comes to the dangers of telework. The information security side comes from companies whose responsibility is to keep their customer and corporate data away from the prying eyes of competitors and others whose interests are a threat to the organization. The privacy side comes from the employees who are trusted to handle these data and to keep them safe, yet are at risk of losing their privacy and secure information when this effort takes place outside the physical office environment. How easy would it be to lose information when employees are working from home? For instance, managers do not always adequately track the removal and return of personal information and allow employees to remove personal data stored on unencrypted CDs or thumb drives. Employees also do not always follow the rules to lock down personal data whenever traveling or working at an alternative location.
To hackers who make a living stealing information from unsecured computers and network connections, the teleworker could be an open door to the organization’s most sensitive data. Security and privacy have become increasingly rare commodities these days thanks to the ability of hackers to stay one step ahead of just about every security measure that technicians can create. Security breaches are a significant enough threat in a standard office environment; however, when an organization has employees working from home or on the go, these risks become even greater.
It is an unfortunate fact of life that the more technology makes people’s lives convenient, the greater the likelihood that someone with malicious intent will spoil it for everyone. People often blame the users for not taking advantage of every possible security measure available. To some extent, there is blame to be placed there. However, the real blame lies with those who use modern technology to hurt others and help themselves. Making matters worse is that many of the technologies designed to protect users from invasions wind up giving the criminals greater access to private information. This is why people not only have to be wary of other users but also of the validity of the technology they purchase to protect themselves.
It is impossible to understand what the future holds regarding who will win the battle between developing technology to the advantage or to the detriment of users. So far it has been a relatively even race, with hackers and cyber criminals keeping up a fairly steady pace with attempts to thwart their subversive activities. Whether this neck-and-neck race will continue, or whether one side will pull out far ahead, remains to be seen.
Information security practitioners face a critical challenge in the education gap of board members, senior managers, and employees. User education is essential. All employees must understand that teleworking does entail genuine security risks and that they have a role to play in protecting the organization’s resources from attack, damage or loss. It is also to the benefit of all employees, not only teleworkers, that they understand the risks of their behavior while in a telework environment. As always, real security begins with security policy. The information security professional must ensure that the security policy covers telecommuting/teleworking and who may telework, services available to teleworkers, information restrictions, identification/authentication/authorization, equipment and software specifications, integrity and confidentiality, maintenance guidelines, and robust user education.