By Aliya Sternstein
National Journal's Technology Daily
June 4, 2007
Federal teleworkers are less of a security risk than many of their
in-office colleagues who take home government work without
authorization, according to a report released Monday by the
public-private partnership Telework Exchange.
An online poll of 258 federal employees including sanctioned
teleworkers, non-teleworkers and non-teleworkers who unofficially work
at home revealed that federal data is significantly more mobile and
still vulnerable. Telework Exchange conducted the survey in May to
examine changes in data mobility and security awareness one year after
the loss of a Veterans Affairs Department laptop that contained personal
data on 26.5 million veterans and active-duty members.
The report found that 63 percent of respondents who worked from home
unauthorized -- more than half of the non-teleworkers surveyed -- used their
home computers in doing that work. "People were saving documents on
their home computers that were unprotected," said Josh Wolfe of Utimaco,
a data security company that underwrote the study.
After the VA incident, 13 percent of federal employees surveyed said
their newly issued laptops did not have encryption. And while 65 percent
of employees said their agencies reinforced security policies after the
event, only 48 percent said their agencies provided additional training.
When teleworkers and non-teleworkers were asked if they had antivirus
protection on their laptop or desktop computers, 94 percent of
teleworkers responded yes, while only 75 percent of non-teleworkers said
The survey, which had a 6 percent error margin, did not break down
results by agency or job function.
"We're not sure if these people are dealing with spreadsheets with
Social Security numbers on them or something more mundane than that,"
Still, he said, agencies should be reemphasizing security procedures for
all authorized teleworkers and making sure all mobile equipment -- not
just laptops -- is secure.
The report recommends that agencies audit the online behavior of
unofficial teleworkers who work at home and give them the same home
computer security training and equipment as official teleworkers.
Diane Merriett, a spokeswoman for the General Services Administration,
which helps agencies maintain security controls to enable telework, said
the behavior of unauthorized teleworkers "is outside the realm of GSA
She directed Technology Daily to the GSA's March bulletin on telework IT
guidelines. The bulletin states that agencies should encrypt all data on
mobile computers and devices that carry agency data, "unless the agency
determines that the data are nonsensitive."
Each agency is supposed to establish its own policies for "limited
personal use" of government e-mail and Internet systems based on 1999
recommendations by the CIO Council, according to the bulletin. That
guidance advises agencies to review user activity logs for inappropriate
Colleen Kelley, president of the National Treasury Employees Union, said
the study's finding that agencies failed to encrypt data on some new
laptops is "disappointing."
A large number of her members "routinely travel in the course of their
daily work. These include Internal Revenue Service revenue agents and
revenue officers, bank examiners of the Federal Deposit Insurance Corp.,
and many others," she said, adding, "This is an important shortcoming
that must be addressed by agencies, even as they seek to expand telework