Study: U.S. government still lacking data protection

More than half of U.S. government employees unofficially work at home on nights or weekends, raising concerns about the security of the data they're working on, according to a study released Monday.

Fifty-eight percent of government employees work from home without permission, according a survey by the Telework Exchange, a group that advocates for more telecommuting opportunities. One year after the U.S. Department of Veterans Affairs announced that a laptop and hard drive were stolen from an employee's home, many U.S. agencies still lack plans for dealing with teleworking employees, the survey suggests.

Fifty-four percent of these unofficial teleworkers carry files home, according to the survey.

The VA hardware, later recovered, contained the personal information of 26.5 million military veterans and family members. Even after the breach, 13 percent of U.S. agencies do not put encryption on new laptops issued, compared to 11 percent that did not include encryption before the VA breach, according to the survey.

Less than half of agencies updated their encryption and protection technologies, and less than half provided security training to employees after the VA breach, the survey said. Sixteen percent of agencies did not react at all, the survey said.

"It's kind of alarming ... that people still are not doing everything they can do to protect their mobile devices," said Joshua Wolfe, director of federal sales for Utimaco Safeware, a cybersecurity vendor that underwrote the survey. "You've got a lot of unofficial teleworkers out there who are taking information out of the agency and working from home on unsecured computers."

Teleworking itself isn't the problem, Wolfe said. U.S. government workers who have permission to telework generally have more security training and more security tools on their work computers than those unofficial teleworkers.

For example, 94 percent of survey respondents who are official teleworkers said they have anti-virus software on their work computers. Only 75 percent of respondents who don't officially telework said they had anti-virus software on their work computers. Sixty-seven percent of teleworkers said they had encryption on their work computers, while only 60 percent of nonteleworkers said they did.

The major problem is that U.S. agencies don't seem to be keeping up with the trend toward mobile computing, Wolfe said.

"Over the past year, more and more people have been given mobile devices," he said. "At the same time, [they] have not been given the tools from a policy perspective."

Utimaco and the Telework Exchange recommended that U.S. agencies determine how many of their employees are unofficially teleworking. All employees, not just teleworkers, should receive cybersecurity training, and agencies should use encryption and other data security protections on all desktops and laptops, they recommended.

The Telework Exchange conducted the survey of 258 U.S. agency employees in May. The survey has a margin of error of 6.1 percent.