More companies than ever are offering the option of remote work — or even requiring it, in an effort to keep their workforce healthy in the face of the spreading novel coronavirus.
Now more than ever, managers and leaders in all sorts of companies are seeing the benefits of allowing remote work or testing it out for their company. However, they are also thinking about the challenges and risks that come with allowing their employees to work from home.
You or your company may be in this situation right now and wondering, what are the risks of working from home, or another remote location? What kind of security or privacy issues could this introduce for our company? How do we mitigate these concerns?
We will break down the risks of remote working here, along with what you can do to ensure you and your employees are doing your due diligence.
Allowing your employees to work remotely has a number of benefits: a larger pool of talent for roles when hiring, reduced commuting time for employees, more autonomy for workers, and even increased productivity. (It also reduces their risk of being exposed in a possible pandemic.) A recent study of companies in the United States shows that approximately three percent of the entire workforce currently works remotely, and this share is growing every year.
However, this growing trend of remote workers is also leading to a growing trend in risks and breaches due to people working on unsecured networks. That can be a big concern for tech vendors with customers who ask about security.
What are the risks of remote work?
To understand the possible solutions, we will need to first take a look at the risks of allowing remote workers. The most common risks for companies when it comes to remote workers are the following:
- Inability to ensure the physical security of a home office, coffee shop, or public workspace.
- Inability to control or ensure the security of the network that employees are using. Other users (family, friends, guests, or strangers) will often have access to a public or home network.
- Lack of training or understanding of best practices when it comes to information security. This can be an issue for both workers at the office and at home.
- Remote workers not understanding their role and responsibilities when it comes to working remotely securely.
A company could reduce all these risks by simply not allowing its employees to work from home, but it would miss the benefits as well and could fall behind competitors that allow employees to work remotely. To get the “best of both worlds” by allowing employees to work remotely while also reducing the risks mentioned, let us look at what we can do to mitigate them.
Steps to Mitigate The Risks of Remote Workers
1. Have a Work From Home Policy
Having a defined “Remote,” “Work From Home” or “Teleworking” policy is a must if your company plans on permitting staff to work from other locations that are not your office. This can help reduce the inherent risks of working remotely by establishing a set of procedures that your employees must follow in order to work from home. You should use this policy with additional information security policies to outline all your employees’ responsibilities when it comes to your InfoSec program.
Some examples of procedures that need to be included in your remote working policy include:
- Process for approving remote workers.
- Defined responsibilities for employees.
- Outline what each user must do to secure their remote workspace.
- Outline workstation or device hardening steps (this can be a separate policy or reference another policy).
- Ensure encryption is used for all data that is stored and in transit.
- Mandate the use of a VPN for remote workers.
- If there is an incident, outline the procedure for reporting it.
While having a policy will help reduce the risks, the policy also needs to remain up-to-date, and whenever it is created or updated it should have input from your Information Technology team or an information security expert. Any policy involving information technology or data privacy should also involve someone who understands the subject matter and not only a member of the HR team. You must also remember that information security policies are NOT static documents: as threats change and new technologies emerge, your policies need to stay current as well.
2. Make Sure You Have the Right Tools
Having a policy in place will let your employees know what they need to do and how to do it, but providing them with the right tools will also reduce the risks of working remotely. Depending on your company and the role of your employees these tools may vary. The following are examples of some tools that we have seen referenced in Remote Working policies:
- A VPN such as NordVPN will ensure that network traffic is encrypted, even on a public network like a coffee shop. This is also recommended in a home office if the home network is shared with others (family, friends, guests).
- Built-in encryption: both Apple (FileVault) and Microsoft (BitLocker) offer native tools in their operating systems to support encryption of hard drives on their devices. These tools ensure that if your hard drive is lost or your device is stolen, it is much more difficult for the data to be pulled off the device.
- Password manager: these tools help the user store their passwords and generate secure ones. They help reduce the risk of employees using the same password for all services.
- Built-in firewalls: both Apple and Microsoft have a firewall that can be enabled on any of their devices. This is great for preventing inbound or outbound requests that could be malicious.
3. Take Care of Your Team’s Health and Well-Being
If you or your employees are feeling stressed, anxious, or run down (to name just a few of the many emotions we’re all going through in 2020), that can open up opportunities for cyber attackers. With our feeds inundating us with information on stimulus checks, coronavirus tests, and emergency guidance from health agencies, it would be easy for a fraudulent email about COVID-19 to be opened accidentally by an employee.
Here are some things you can do to reduce the burnout experienced by many people today.
- Take days off when you’re feeling run down.
- Set aside extra time to talk and check on each other – it’s okay to spend time at the beginning of the day or a meeting asking “How was your weekend?” or “How are you all doing today?” These are little interactions that we would be getting if we were in the office and missing out on these interactions can leave people feeling more lonely or disconnected.
- Physical activity and diet are some of the strongest factors in your mood and physical well-being. These can be much easier to neglect when you no longer have to leave your house to commute to work.
- Simulate your work routine prior to COVID-19. Having a routine can help keep your mind engaged as you tick off the steps you would usually take to prepare for work normally. Designate a part of your home to be your workplace and treat it as such.
4. Don’t Forget About Training and Best Practices
Having a policy and supporting it with tools can get your employees only so far, but educating and training them on best practices will help to explain and outline why they need to follow the policy and use the tools. You want your employees to care about cybersecurity.
Many companies offer some form of Security Awareness Training. However, this training is usually done only once a year and can quickly become outdated. Consider holding monthly or quarterly training sessions to keep your employees informed and educated on threats and on their responsibilities when it comes to your company’s information security program and working remotely.
Remote working can be a great thing for your company and employees but there are risks. In order to ensure the security of your company, its data, and your employees you need to have a foundation laid. This foundation should include a remote working policy (supplemented by additional information security policies), tools to protect your employees and training to ensure they understand their responsibilities.
Review the Status Quo or New Practice of Remote Work
Companies should take a moment and review remote working within their company. It looks like this may be the new normal moving forward as companies have shifted to remote working and employees seem to be enjoying it. However, if this is the new norm, are the policies and procedures that were implemented still enough, or were they only meant to be temporary?
If your company is shifting to a more permanent work-from-home or remote structure, its security team should sit down and review the following:
- Talk with their staff about what is working and what is not with remote work.
- Are they still following the policy that was outlined?
- Does the policy itself need updating?
- If remote working is the new normal for the majority of employees, does this require other policies to be updated, and have any new threats emerged?
Answering these questions will help keep remote work secure and help engage the employees as well, making them active participants in their security.
Does your company have a security policy for working remotely?