If you’re relying on unspoken or informal standards to communicate security expectations to your remote workforce, then you can expect to have some confusion and gaps in the way your company is managing cybersecurity. Documented security policies are what you need to inform employees about acceptable behavior, and to help them to understand their role in maintaining cybersecurity.
Security policies answer questions that employees have about how they should act or respond in certain situations. In order to be effective, they need to be backed up with training and enforcement.
Even if your company already had policies in place before you sent employees home to work because of COVID-19, it’s a good time to update them to make sure that they reflect current experience. Here’s why:
1. Remote Workers Are in a Different Location
If you had not set up your employees to work remotely prior to COVID-19, connecting to your network from their homes was a new experience. You need to think through all of the connections that take the employee from your server to their laptop or PC.
Make sure you have documented policies that detail:
- What devices employees can use and if they can use a personal laptop or PC.
- Minimum requirements for the device including security and up-to-date software.
- Security requirements for their home network.
- How they can connect to your servers.
ACTION ITEM: Find out if your company has a remote access policy that details how people can access your network. Update it to include any additional requirements that have become apparent since your people started working from home.
2. Remote Workers Are in a Different Environment
When you sent your people home to work, they were suddenly working in a different physical environment. Some may have a dedicated office at home, and some may be making do with the kitchen table or corner of the living room.
Unless your employee lives alone, there could be other people in the home who can see what your employee is doing on their computer. Other people may even have access to the computer that the employee is using. Some practices that employees had when in the office – like locking their computer when they step away – should still be applicable when they’re working from home.
Your remote worker policies should include guidelines for:
- Physical security for devices when they have to step away or when no one is at home.
- How to handle family requests to use their company computer.
- Care and responsibility for company equipment when it’s at home.
- How to maintain confidentiality in the home environment.
ACTION ITEM: Find out if your policies sufficiently cover physical security at home and situations when non-employees may have visibility or access to the employee’s computer. Update policies to fill any gaps.
3. Remote Workers Are Working Differently
The best-case scenario for remote workers is that when they log on and begin their day, they can operate exactly as they do when they’re in the office. From a technical standpoint, this is a function of how remote access is setup, but there are obvious differences in how employees interact and collaborate when everyone is working from their individual locations.
Because of demands on parents to care for children who have been home instead of at school or day care, you may have had to become more flexible – and understanding – about what time remote employees get their work done.
Make sure your remote workers know:
- Where to store data so that it remains visible to IT.
- How they can securely share files with coworkers, customers, and vendors.
- Which collaboration and meeting software platforms are acceptable.
- How you want them to maintain a presence with tools like email, messaging and video conferencing.
ACTION ITEM: Find out if your remote workers had to create any workarounds so that they could get to the resources they needed. Ask some open-ended questions to find out what employees’ experience has been like to see if there are other questions that should be answered in your remote worker policies.
Enable Your Remote Workers with Technology
If you provide employees with the technology they need to do their work from home – like a company owned and managed computer, a secure VPN tunnel to the resources they need, and communication tools for collaboration – you’ll find that it’s a lot easier for them to play their part in managing cyber risk.
Get in touch if you’re not sure if you have the right technology setup or sufficient security policies to train and enforce secure behavior of your remote workforce. We’re happy to give you an objective assessment.