Last year, the U.S. Department of Veterans Affairs announced the theft of a laptop containing information on 26.5 million veterans and active-duty military members. Monday, Telework Exchange, a public-private partnership that promotes the value of telecommuting among federal employees, announced results of a study examining data security progress.
The study was based on a survey of 258 federal employees (48% of whom are official telecommuters). Forty-one percent of respondents said they use a laptop for work. Of the laptop users, 45% said they switched to laptops in the past year. Only 48% said their agency provided training after the V.A. laptop scandal. Forty-seven percent of agencies updated encryption and security features on computers, according to the study. Sixteen percent of respondents said their agencies did not react to the breach.
"Security of federal data is not about bits and bytes -- it's about the brand of the U.S. government and Americans' confidence in their government," Stephen W.T. O'Keeffe, executive director of Telework Exchange, said in a prepared statement. "One year after the V.A. laptop crisis, America's information is still AWOL. It's time to get serious about security."
Utimaco Safeware Inc., a data security company, underwrote the study. It found that official federal telecommuters (those who are trained, approved and following federal agencies' telecommuting policies) are more secure than most of their in-office colleagues.
Ninety-four percent of telecommuters said they received security training, compared to 87% of those who work in their offices full-time. Ninety-four percent of telecommuters reported anti-virus programs on their computers, compared to 75% of those working in offices.
Unofficial telecommuters are a major risk, according to the study. Employees who work in an office but do some after-hours work on privately owned PCs outside the office are an "Achilles' heel," according to Telework Exchange and Utimaco.
"There are folks working outside, on their own PCs, at Internet cafes, and they download data onto their home computers," Joshua Wolfe, director of federal sales for Utimaco, said during an interview Monday. "They have no training. They have not been issued the standard equipment."
The survey found that 58% of "non-teleworkers" log hours at home on nights or weekends, and 63% of those who do so use their own PCs, most of which lack government security software and encryption. Fifty-four percent of non-teleworkers carry files home and 41% log on to their agency's network from home, meaning agencies' data is moving in an uncontrolled environment, according to the study.
"It looks as if the agencies have to treat everyone the same," Wolfe said. "They should have one set of rules for everyone to follow and then makes sure that 100 percent of these devices are encrypted as they leave the agency walls."
Still, unofficial telecommuters aren't the only threat to federal data security, according to the study. Thirteen percent of laptops issued since the theft of the Veterans Affairs laptop have not been encrypted, Utimaco found.
Although many official telecommuters are getting the training, equipment, and software they need to secure data, agencies report a lack of funds for 100% compliance with federal data security requirements, Wolfe said.
"They are basically falling under an unfunded mandate," he said.
Wolfe believes that change must come from the top.
"It's human nature to let things slide if you can," he said. At the same time, leadership cannot mandate and not fund."
Wolfe said that federal leaders report that war spending and natural disasters have eaten up most of their discretionary funds. It's up to the private sector to educate government leaders about the cost and benefits of improving security, he said.
"I think we need to continue to work with our federal government counterparts and help them get the money they need," he said.
Technology leaders should be pointing out that security software costs around $50, while the loss of 26.5 million people's data is much more costly, he said. "And, that's just one incident."
The study recommends agency audits of "unofficial teleworkers," mandatory data security training for all employees who work outside the office, and reinforcement of policies. It also recommends encryption and security software on all computers used for federal agency work.