February 8, 2019 By Mike Elgan

The remote work trend is here to stay — and it’s a growing phenomenon.

Nearly two-thirds (63 percent) of companies have employees who work remotely, yet more than half of those companies (57 percent) do not have a remote work policy, according to a 2018 report from the freelancing website Upwork. What’s more, many of the companies that do have a remote work policy said it hasn’t been updated in the past five years or has become more lenient over that time.

Remote work security is a lot like mobile security, and the work-at-home trend is a lot like the bring-your-own-device (BYOD) trend. You likely have a policy that covers mobile security. You need one that covers remote work.

What Could Go Wrong?

The elevated exposure associated with remote work is undeniable. In fact, it’s not even a controversial point. According to Shred-it, 86 percent of C-level executives believe that the risk of a data breach is higher when employees work remotely. Additionally, CybSafe reported that one-third of U.K. businesses have suffered a data breach because of remote work in the past 12 months.

All of those numbers make sense. Simply working outside the office comes with inherent risks. Remote workers are more likely to connect via insecure WiFi, either at home or while working in public spaces such as coffee shops. A study by OneLogin even found that more than half of remote workers spend up to one day per week connected to unsecured networks.

Sensitive conversations — or talk that could help threat actors do their work — involving remote workers are more likely to take place in writing (via chat or email) than in person, which creates a record that could be accessed by cybercriminals. Work-from-home employees are also more likely to mix professional and personal equipment, software, data and online activity. That means threat actors could more easily breach personal consumer hardware and software as an entry point into company networks. In other words, hacking a remote worker may offer a higher payoff than hacking an in-office employee.

Furthermore, remote, freelance and contract workers are more likely to use their own equipment and perform their own IT tasks than in-office staff. And most remote workers are neither experts in choosing secure hardware nor skilled in the complexities of IT security. They’re also more vulnerable to hardware theft, shoulder surfing and other risks.

Don’t Forget About Compliance

Beyond the obvious security risks, remote work policies dramatically enhance regulatory compliance. The General Data Protection Regulation (GDPR) led the way, California followed, and soon, many U.S. states will have strong regulations around security and privacy. Yet many of the remote work policies currently in place were created before the GDPR even started making headlines.

A good remote work policy covers a broad range of categories, from employment rules to expense reporting to legal obligations. But the data security provisions are probably the most important. And because the security and regulatory landscapes — as well as attitudes and demands around remote work — keep changing, your company’s remote work policy should keep changing too.

Components of a Good Remote Work Policy

Clearly, it’s important to create a good remote work policy if you don’t have one — or update the one you’ve got to reflect current realities and best practices. But what exactly makes a good policy?

First, create a detailed plan for communication and training related to remote workers, and specify this plan in the policy. Clarify that the remote work policy applies to all workers, even if they do work at home one hour a month. Keep in mind the differences (legal and otherwise) between permanent, full-time employees on the one hand and contract, freelance, temporary or contingent workers on the other. Your policy is one tool for the company to help employees boost security in their homes, which is always a good idea.

Next, align the policy with remote work infrastructure and software. Be clear about rules for company-owned equipment. List all user tools (e.g., cloud document platforms, workgroup communication, video conferencing, project management, etc.) so that remote and in-office employees are all on the same page — literally — and using the same approved and security-monitored tools.

You’ll then want to draft a notification process for security events and include the steps that each employee must take in the event of a breach. Include clear actions to keep operating systems, applications, certificates, and security and networking software up to date. Include all applicable in-office rules, such as the password policy and other security-related rules. It’s also important to make remote work policies compatible with employee contracts — i.e., make sure overlapping or contradicting areas are addressed.

Lastly, make sure you plan to monitor policy adoption and adherence. Learn from security successes and failures and keep the policy flexible. Importantly, update the remote work policy frequently by setting a schedule for reviewing it on a regular basis.

Address Your Remote Security Gap

The bottom line is that the reality of remote work extends the enterprise attack surface to include employees’ homes. It’s vital to address this gaping hole with a clear, up-to-date remote work policy that is consistently monitored and enforced.
