Research[1] from Iron Mountain suggests that close to two thirds of employees in Europe are now able to work from home for all or part of the time. This ranges from once every two to three months for three per cent of employees to full-time home-working for 15 per cent. In each case the picture will be a similar one. Between the hours of nine in the morning and six in the evening or so, these employees will be found in front of a computer or on the phone, in their home office or at the kitchen table, connected to their documents, the office and their colleagues. The company knows where they are and what they are doing.
Most employers are putting in place the IT infrastructure and information management safeguards to enable and protect both the home-working employee and the company’s data. Measures include secure company network access, password-protected IT equipment and clear guidelines on what information can and cannot be removed from the office. There is growing awareness that the white picket fence that represents the firm’s information security perimeter should now extend to staff homes, gardens and even cars.
Interestingly, our survey and other studies reveal that when questioned about homeworking, office workers instinctively think of the approved, connected work they do at home during the day. While this is undoubtedly accurate, it overlooks a rapidly growing aspect of office life for many employees. This is the trend towards working at home outside of standard, contracted office hours, and often outside of formally recognised and defined arrangements. These are the ‘invisible’ home workers.
The invisible home worker is someone who takes unfinished work out of the office to do in the evenings or at weekends. At the end of every day, an unknown army of employees could be hopping over your information security fence with confidential or sensitive documents in their bag; all done with the very best of intentions. And the chances are that these unofficial home workers do not have secure company intranet access, signed agreements or approved company IT equipment at home – meaning that the risks and vulnerabilities identified for regular home workers could be amplified still further.
These information risks include using a personal email account to send and receive work documents (our study found that 50 per cent of regular homeworkers admit to this), leaving work documents lying around the house (29 per cent of our homeworkers), or throwing papers no longer required in the household bin (19 per cent). Quite a few (11 per cent in our study), take work out of the house to do in a coffee shop, or use an unlocked WiFi network (7 per cent) to send and receive work documents. Each of these leaves information vulnerable to attack or exposure and the resulting data breach could have far-reaching consequences for the business.
So what can a company do to better understand and manage invisible home working?
The first and most important thing is to understand who is taking work home, what they are taking, and why. This is not just an information risk issue; it is a people management issue too. A ban on removing documents will never work if staff feel overwhelmed by their workload, lack appropriate time management skills or are facing stringent deadlines. The employees who work into the night and at weekends are probably among your most dedicated, ambitious or struggling. Whatever the reason, they need support more than they need censure.
The second thing is to ensure that you have clear company guidelines in place regarding responsible information handling, and that these are shared with all employees, not just those who are officially permitted to work from home.
Such HR measures should be complemented by a robust IT and records management infrastructure that covers both digital and paper documents. Information could be leaving your business by email, on laptops, on memory sticks or on sheets of printed A4: you need information risk safeguards for all of these.
Some records are simply too confidential, sensitive or business critical to ever be allowed outside the workplace. These should have access restrictions that cannot be circumvented.
Last but not least, companies should recognise that keeping information safe while still allowing it to flow freely around a business is not just a job for the IT department, the Records Manager or even HR, but for everyone in the firm, starting at the very top. Senior executives set the tone for what is acceptable and unacceptable in terms of behaviour and process – but it is the front line managers and colleagues who need to ensure that no individual employee, particularly one frantically trying to keep on top of their workload, is ever ‘invisible’, wherever they do their work.
Christian Toon |Risk and Security at Iron Mountain | @christiantoon
Bio: Christian Toon, has a wealth of experience in the industry and ensures that governance, risk and compliance requirements are met within both new and existing contracts from across the continent. These contracts include some of the industry leaders in business today. He enjoys the challenge that comes with interpreting customer problems and solving them with a risk-based approach, with strong interests in the causes of data breaches, identity theft and bring your own device.
[1] Research by Opinion Matters for Iron Mountain. The survey was carried out between 15/04/2013 and 01/05/2013. Sample: 5021 employed adults in the UK, France, Spain Germany and the Netherlands.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.