The remote work trend is here to stay — and it’s a growing phenomenon.
Nearly two-thirds (63 percent) of companies have employees who work remotely, yet more than half of those companies (57 percent) do not have a remote work policy, according to a 2018 report from the freelancing website Upwork. What’s more, many of the companies that do have a remote work policy said it hasn’t been updated in the past five years or has become more lenient over that time.
Remote work security is a lot like mobile security, and the work-at-home trend is a lot like the bring-your-own-device (BYOD) trend. You likely have a policy that covers mobile security. You need one that covers remote work.
What Could Go Wrong?
The elevated exposure associated with remote work is undeniable. In fact, it’s not even a controversial point. According to Shred-it, 86 percent of C-level executives believe that the risk of a data breach is higher when employees work remotely. Additionally, CybSafe reported that one-third of U.K. businesses have suffered a data breach because of remote work in the past 12 months.
All of those numbers make sense. Simply working outside the office comes with inherent risks. Remote workers are more likely to connect via insecure WiFi, either at home or while working in public spaces such as coffee shops. A study by OneLogin even found that more than half of remote workers spend up to one day per week connected to unsecured networks.
Sensitive conversations — or talk that could help threat actors do their work — involving remote workers are more likely to take place in writing (via chat or email) than in person, which creates a record that could be accessed by cybercriminals. Work-from-home employees are also more likely to mix professional and personal equipment, software, data and online activity. That means threat actors could more easily breach personal consumer hardware and software as an entry point into company networks. In other words, hacking a remote worker may offer a higher payoff than hacking an in-office employee.
Furthermore, remote, freelance and contract workers are more likely to use their own equipment and perform their own IT tasks than in-office staff. And most remote workers are neither experts in choosing secure hardware nor skilled in the complexities of IT security. They’re also more vulnerable to hardware theft, shoulder surfing and other risks.
Don’t Forget About Compliance
Beyond the obvious security risks, remote work policies dramatically enhance regulatory compliance. The General Data Protection Regulation (GDPR) led the way, California followed, and soon, many U.S. states will have strong regulations around security and privacy. Yet many of the remote work policies currently in place were created before the GDPR even started making headlines.
A good remote work policy covers a broad range of categories, from employment rules to expense reporting to legal obligations. But the data security provisions are probably the most important. And because the security and regulatory landscapes — as well as attitudes and demands around remote work — keep changing, your company’s remote work policy should keep changing too.
Components of a Good Remote Work Policy
Clearly, it’s important to create a good remote work policy if you don’t have one — or update the one you’ve got to reflect current realities and best practices. But what exactly makes a good policy?
First, create a detailed plan for communication and training related to remote workers, and specify this plan in the policy. Clarify that the remote work policy applies to all workers, even if they do work at home one hour a month. Keep in mind the differences (legal and otherwise) between permanent, full-time employees on the one hand and contract, freelance, temporary or contingent workers on the other. Your policy is one tool for the company to help employees boost security in their homes, which is always a good idea.
Next, align the policy with remote work infrastructure and software. Be clear about rules for company-owned equipment. List all user tools (e.g., cloud document platforms, workgroup communication, video conferencing, project management, etc.) so that remote and in-office employees are all on the same page — literally — and using the same approved and security-monitored tools.
You’ll then want to draft a notification process in the event of a security event and include the steps that each employee must take in the event of a breach. Include clear actions to keep operating systems, applications, certificates, and security and networking software up to date. Include all applicable in-office rules, such as the password policy and other security-related rules. It’s also important to make remote work policies compatible with employee contracts — i.e., make sure overlapping or contradicting areas are addressed.
Lastly, make sure you plan to monitor policy adoption and adherence. Learn from security successes and failures and keep the policy flexible. Importantly, update the remote work policy frequently by setting a schedule for reviewing it on a regular basis.
Address Your Remote Security Gap
The bottom line is that the reality of remote work extends the enterprise attack surface to include employees’ homes. It’s vital to address this gaping hole with a clear, up-to-date remote work policy that is consistently monitored and enforced.