honoluluadvertiser.com

Sponsored by:

Comment, blog & share photos

Log in | Become a member
The Honolulu Advertiser
Posted on: Monday, June 19, 2006

Laptop thefts spur new look at security

By Amy Joyce
Washington Post

WASHINGTON — As the public discovered that Social Security numbers and other personal information from 26.5 million retired and active U.S. military personnel were on a laptop stolen from the home of a Department of Veterans Affairs analyst last month, workers who were hoping to pitch their boss on a telecommuting option probably felt their hopes crash.

That breach was followed by news that personal information was lost on a stolen laptop of an Electronic Data Systems Corp. employee. And more with the loss of a laptop by an Internal Revenue Service worker. And from an Ernst & Young worker. And on and on.

In the much simplified words of teleworking experts and IT gurus, and without knowing all of the details: If workers are going to work with company data from computers at home, there need to be strict regulations in place. The agreement to take a laptop home can't be casual. And the only way people should be able to gain access to sensitive information is not through a disk or external hard drive — how 1984 — but through a Virtual Private Network line. Along with many firewalls and complicated log-ins.

This news, however, should not stop companies from allowing teleworking, said Robert Smith, director of the International Telework Association & Council.

"I think what this might most likely do is really help companies and organizations focus on whether telework should be formal or informal," he said. "When it's informal, not all the policies are set down. It's usually a verbal agreement. That could work well, but making it formal ensures that all aspects of telework are practices that need to be followed."

Obviously, these happenings are not the best news for proponents of teleworking, said Chuck Wilsker, president and chief executive of the Telework Coalition.

But on the upside, he thinks this is going to be the "big wake-up that they really can't do things they aren't supposed to do, and violate security issues." The technologies exist, he pointed out, that allow workers to access a server from anywhere in the world. When they disconnect, everything they did stays on the server. "There is no reason to physically take things away to work on remotely," he said.

Recent developments, including crippling hurricanes, terrorism and high fuel prices, have led many companies to offer a telework option. Even the president's plan for business continuity in case of bird flu calls on companies to allow (or set up) teleworking options.

Companies, and the federal government, need to allow teleworking as a recruiting tool, said Steve O'Keeffe, executive director of the Telework Exchange, a public-private partnership that encourages such arrangements in the federal government. "Clearly the government is in a situation from a recruitment end that they need more teleworking," he said, suggesting workers might choose private companies over the government because they offer more flexible work situations.

But even though the government has been steadily increasing its number of teleworkers, the recent news should make both private and public organizations think hard about policies for working remotely.

"Here, maybe for the first time, we have a screaming example of what can go wrong," said William Nolan, an employment lawyer. "With this particular situation, which is probably the worst-case scenario, it's really a question of (human resources) and tech people working together to make sure your data, your customer's data and employee data is secure."

Companies that allow teleworking should have a short telecommuter agreement, he said. It should give the employer the right to check a person's work space, for instance, to make sure the home office is as secure as a corporate office.

Since VIPDesk, an Alexandria, Va.-based company that provides call center services for customers, was founded in 1998, most of its employees have worked from their homes. And the company employs people as far away from the main office as Hawai'i, said Dan Fontaine, vice president of technology.

The company is "definitely concerned" when it hears about security breaches, he said. VIPDesk has clients in the financial industry where security is key. Every one of its 100 remote employees has to sign in to the VPN to access the system, which is encrypted. The employees then have at least two log-ins that are "very difficult to crack," he said. Once inside, each can assess data only for assigned customers. Everyone is required to have an antivirus, which must be running at all times.

Last month's news of breaches had a rapid backlash, said Ken Siegel, an organizational psychologist. "Most businesses will probably engage in implementation of some restrictive policy," he said.

Companies need to think preventively and to instill in workers an increased sense of personal responsibility for the care and protection of data, he said.

"If I were to be working from home and believe that how I act affects confidential, private information ... I would behave differently," he said. "From my point of view, it's much more interesting to change people's mentality about this as opposed to what kind of systems we can put in place" to enforce security rules.