[ISN] Survey: Unauthorized teleworkers a security risk

From: InfoSec News (alerts@private)
Date: Wed Jun 06 2007 - 22:20:36 PDT


http://www.govexec.com/story_page.cfm?articleid=37105

By Aliya Sternstein  
National Journal's Technology Daily  
June 4, 2007

Federal teleworkers are less of a security risk than many of their 
in-office colleagues who take home government work without 
authorization, according to a report released Monday by the 
public-private partnership Telework Exchange.

An online poll of 258 federal employees including sanctioned 
teleworkers, non-teleworkers and non-teleworkers who unofficially work 
at home revealed that federal data is significantly more mobile and 
still vulnerable. Telework Exchange conducted the survey in May to 
examine changes in data mobility and security awareness one year after 
the loss of a Veterans Affairs Department laptop that contained personal 
data on 26.5 million veterans and active-duty members.

The report found that 63 percent of respondents who worked from home 
unauthorized -- more than half of the non-teleworkers surveyed -- used their 
home computers in doing that work. "People were saving documents on 
their home computers that were unprotected," said Josh Wolfe of Utimaco, 
a data security company that underwrote the study.

After the VA incident, 13 percent of federal employees surveyed said 
their newly issued laptops did not have encryption. And while 65 percent 
of employees said their agencies reinforced security policies after the 
event, only 48 percent said their agencies provided additional training.

When teleworkers and non-teleworkers were asked if they had antivirus 
protection on their laptop or desktop computers, 94 percent of 
teleworkers responded yes, while only 75 percent of non-teleworkers said 
yes.

The survey, which had a 6 percent error margin, did not break down 
results by agency or job function.

"We're not sure if these people are dealing with spreadsheets with 
Social Security numbers on them or something more mundane than that," 
Wolfe said.

Still, he said, agencies should be reemphasizing security procedures for 
all authorized teleworkers and making sure all mobile equipment -- not 
just laptops -- is secure.

The report recommends that agencies audit the online behavior of 
unofficial teleworkers who work at home and give them the same home 
computer security training and equipment as official teleworkers.

Diane Merriett, a spokeswoman for the General Services Administration, 
which helps agencies maintain security controls to enable telework, said 
the behavior of unauthorized teleworkers "is outside the realm of GSA 
comment."

She directed Technology Daily to the GSA's March bulletin on telework IT 
guidelines. The bulletin states that agencies should encrypt all data on 
mobile computers and devices that carry agency data, "unless the agency 
determines that the data are nonsensitive."

Each agency is supposed to establish its own policies for "limited 
personal use" of government e-mail and Internet systems based on 1999 
recommendations by the CIO Council, according to the bulletin. That 
guidance advises agencies to review user activity logs for inappropriate 
activities.

Colleen Kelley, president of the National Treasury Employees Union, said 
the study's finding that agencies failed to encrypt data on some new 
laptops is "disappointing."

A large number of her members "routinely travel in the course of their 
daily work. These include Internal Revenue Service revenue agents and 
revenue officers, bank examiners of the Federal Deposit Insurance Corp., 
and many others," she said, adding, "This is an important shortcoming 
that must be addressed by agencies, even as they seek to expand telework 
opportunities."

