Worry Over Telework Security

Yesterday, Lurita Doan, head of the General Services Administration, announced an ambitious plan to have half of the agency's eligible workforce teleworking by 2010. Yes, the ambitious part may be convincing more GSA employees to telework. (Only 10 percent of those eligible do so now.) The ambitious part also may be overcoming managers’ fear that employees will goof off and be less productive (although many studies indicate employees are more productive).

The most ambitious part of the effort may very well be the hazard involved â€" the risk of information security. Near the end of the Government Executive article on Doan’s announcement was this paragraph:

Later, Joseph Hungate, the chief financial officer and former chief information officer for the Treasury Department's inspector general for tax administration, told the audience that the top risk with telework is not "some technology" but "someone." In other words, the greatest danger is staff not following security policy.

Many news organizations last month reported on the fact that security wasn’t a big concern among federal security managers, according to a study. The Telework Exchange, an advocacy group that sponsored the telework symposium, released a study in August that concluded that “94 percent of federal chief information security officers [CISOs] do not consider official telework programs a security threat.” (The study was funded by computer manufacturer and federal supplier HP.)

Still, CIOs like Hungate and CISOs are reluctant to embrace telework because few agencies (and corporations, for that matter) invest in the technology, including information security hardware and processes, needed to make telework digitally safe. In a blog item on telework posted in July for CSO Magazine, Dan Lohrmann, citing the GSA report with the title “Telework Technology Cost Study,” writes:

One big take-away from this study is that to save money with telework, we require “real” initial investment. This may seem obvious, but I’ve lost count of the number of times that business areas have pushed for telework programs with a $0 budget.

Basically, they wanted employees to use home PCs. That was it. No laptops, no home network checks for security, nothing.

Of course I just said no â€" and tried to explain the risks and the laws we need to enforce. But again, that makes security the Party Poopers. Not good. We generally end up with the same slower approach that the feds have used, because no one wants to make big upfront investments.

All this still leaves the fear that employees inadvertently will leave sensitive information exposed while teleworking. As has been posted in Tech Insider before, creating effective security policies and then providing the necessary training on those policies is seriously lacking in agencies and, as Hungate points out, likely is holding back many government managers from embracing telework more.

For those supporting telework, the wait to see more agencies embracing it may be a long one. In its annual Global Information Security Survey, released just this week, CIO Magazine reports that 61 percent of public-sector organizations do not require employees to complete training on the organization's privacy policies and practices.

That’s more than 50 percent, as in 50 percent of eligible employees teleworking by 2010.