How to protect your company's data when employees work from home

Research from Iron Mountain suggests that close to two thirds of employees in Europe are now able to work from home either all or part of the time. This ranges from once every two to three months for three per cent of employees to the 15 per cent who work from home full-time. In each case the picture is similar. Between the hours of nine in the morning and six in the evening, these employees will be found in front of a computer or on the phone, in their home office or at the kitchen table, connected to their documents, office and colleagues. The company knows where they are and what they are doing.

Most employers are putting in place the IT infrastructure and information management safeguards necessary to enable and protect both the home-working employee and the company’s data. These measures include secure company network access, password-protected IT equipment and clear guidelines on what information can and cannot be removed from the office. There is a growing awareness that the white picket fence that represents a firm’s information security perimeter should now extend to staff homes, gardens and even cars.

Interestingly, this survey, along with other studies, reveals that when questioned about homeworking, office workers instinctively think of the approved, connected work they do at home during the day. While this is undoubtedly accurate, it overlooks a rapidly growing aspect of office life for many employees. This is the trend towards working at home outside of the standard, contracted office hours, and often against formally recognised and defined arrangements. The people who do this are called ‘invisible’ home workers.

The invisible home worker is someone who takes unfinished work out of the office to do in the evenings or at weekends. At the end of every day, an unknown army of employees could be hopping over your information security fence with confidential or sensitive documents in their bag; all done with the very best of intentions. And the chances are that these unofficial home workers do not have secure company intranet access, signed agreements or approved company IT equipment at home – meaning that the risks and vulnerabilities identified for regular home workers could be amplified further still.

These information risks include using a personal email account to send and receive work documents (the study found that 50 per cent of regular homeworkers admit to this), leaving work documents lying around the house (29 per cent of homeworkers), or throwing papers no longer required in the household bin (19 per cent). Quite a few (11 per cent) take work out of the house to do in a coffee shop, or use an unlocked Wi-Fi network (seven per cent) to send and receive work documents. Each of these activities leaves information vulnerable to attack or exposure, and the resulting data breaches could have far-reaching consequences for businesses.

So what can companies do to better understand and manage invisible home working?

Find out who your home workers are

The first and most important thing is to understand who is taking work home, what they are taking, and why. This is not just an information risk issue, but a people management one too. A ban on removing documents will never work if staff feel overwhelmed by their workloads, lack appropriate time management skills or are facing stringent deadlines. The employees who work into the night and at weekends are probably amongst your most dedicated, ambitious or struggling. Whatever the reason, they need support more than they need censure.

Draw up guidelines

Secondly, you need to ensure that you have clear company guidelines in place regarding responsible information handling, and that these are shared with all employees - not just those who are officially permitted to work from home. Such HR measures should be complemented by a robust IT and records management infrastructure that covers both digital and paper documents. Information could be leaving your business by email, on laptops, on memory sticks or on sheets of printed A4: you need information risk safeguards for all of these.

Some records are simply too confidential, sensitive or business critical to ever be allowed outside the workplace. These should have access restrictions that cannot be circumvented.

Share responsibility

Last but not least, companies should recognise that keeping information safe while still allowing it to flow freely around a business is not just a job for the IT department, the records manager or even HR, but for everyone in the firm, starting at the very top. Senior executives should set the tone for what is acceptable and unacceptable in terms of behaviour and process – but it is the front line managers and colleagues who need to ensure that no individual employee - particularly one frantically trying to keep on top of their workload - is ever ‘invisible’, wherever they do their work.

Christian Toon is head of information risk for European operations at Iron Mountain, a storage and information management company.
