Many organizations have had to scramble to implement technologies that enable work-from-home staff to access applications and data. Now that the initial transition is over, organizations should take the time to ensure they have well-defined policies and procedures governing remote work.
Of particular importance is a cybersecurity policy. It’s hard enough to secure your organization’s data when everyone is working inside the protected network. It becomes much more difficult when employees connect to the network from home using a wide range of devices. Management, HR, legal and other stakeholders should sit down (virtually) to consider the risks and how best to mitigate them.
The cybersecurity issues that need to be addressed may vary depending upon your industry, specific business requirements and a particular employee’s role. However, these six elements represent foundational considerations that should be included in any security policy.
- Do you require employees to use a virtual private network (VPN) or other secure remote access technology? Should their home network have minimum security controls? Are they allowed to connect to business resources from other locations? Downtime should also be addressed. In a recent Waveform survey, 15.5 percent of remote workers said they have daily issues with Internet connectivity, and 12.5 percent said they had poor cell reception at home.
- Do you allow remote workers to use their personal devices, or are company-owned devices required? Can employees share devices with family members or friends? If personal devices are used, how are they managed and kept up to date with the latest patches and security updates? Will you provide remote support? Your security policy should include a provision for accessing and auditing employee-owned devices used for work.
- Are employees required to use specific software? What about communication, collaboration, conferencing and file-sharing tools? “Shadow IT” is a big problem even when employees are working onsite and can easily spin out of control in a remote-work environment. You may want to limit or even ban consumer-grade applications that don’t provide adequate security.
- Are employees allowed to download sensitive company information to their personal devices? Can it be stored in the cloud? How is that data backed up and protected? Is encryption required? Should employees’ personal data be kept separate? You should have the tools in place to remotely wipe a lost or stolen device containing sensitive data, and a clear understanding of what happens to the employee’s personal data in that instance.
- Security incidents. What is the process for reporting a data breach or cybersecurity incident? You should designate primary and secondary contacts and document official procedures. Remember: time is of the essence.
- What happens when the employment relationship ends? How are company-owned devices returned? If employee-owned devices are used, how do you ensure that any company-related data is removed?
Putting your security policy down on paper is only the first step — you’ll need a process for getting your remote workers to sign and acknowledge the policy. You will also need to put procedures and technologies in place for monitoring and ensuring compliance. You should also review your policy annually or anytime there’s a significant change in your organization’s operations.
The Verteks team is here to discuss the security threats related to remote work, and to help you evaluate and implement tools for monitoring devices, managing and protecting data, and more. Let us help you refine your work-from-home strategy with a security policy designed to keep your sensitive information safe.