In today’s business landscape, remote work has become an increasingly accepted practice. Whether initiated because of COVID-19 restrictions, employee-friendly policy or simple practicality, the fact remains that workers are increasingly completing their daily tasks from a location that is physically set apart from the brick-and-mortar office. In fact, statistics published by Upwork indicate that 42 percent of the U.S. workforce is composed of teleworkers, with estimates projecting that 36.2 million citizens will work in that capacity by 2025. This amount, Upwork noted, marks a two-fold increase over pre-Pandemic levels.
In light of more businesses embracing a remotely dispersed workforce, one question continually confounds many security administrators:
How can the organization promote remote work security?
Perhaps one of the more concerning remote work security issues is that remote workforce technology goes largely unmonitored, day to day. Recently, Forbes identified several key methods that can assist with keeping a company’s remote workforce, their correspondences and shared sensitive documents more secure, even when the theoretical attack surface is larger than ever.
Establishing Remote Work Security Policy That Promotes Sound Practices and Employee Awareness
In an environment in which the administrator or security professional has a limited-at-best window into remote worker activity on their private networks, it is critical for the organization to be able to completely trust its staff. This need is compounded by the fact that security breaches are often the result of poor or ill-informed worker choices, opposed to outright maliciousness.
Today’s organization should promote a cybersecurity policy that focuses on:
- Deferring to anti-malware and other security software.
- Promoting cybersecurity education, literacy and awareness.
- Encouraging smart password management.
- Mandating periodic data backups.
- Employing MFA (multi-factor authentication) and passwordless options.
- Securing personal and other “BYOD” devices.
- Documenting cybersecurity steps by both parties.
Above all, policy should include pre-defined objectives to keep these practices a focus for the remote worker.
Implementing “Zero Trust” Protective Elements
“Zero Trust” implies that only those with the approved credentials can access information. This concept helps to reduce instances of malicious data interception because it cuts down on the number of employees who have access to—and therefore whose mistakes or malicious behavior could lead to the interception of—information.
Another particular option to which some organizations turn is the practice of drafting a NDA (non-disclosure agreement), which legally binds the employee to keeping company information and data to which he or she may be privy completely unavailable to non-company employees and, in some cases, any unauthorized party.
While this concept seems helpful in preventing the spread of company-sensitive data to unwanted parties, it likely accomplishes little. After all, such a policy only really targets staffers with malicious intent; in most cases, an “inside” employee looking to hurt his or her company in an illegal manner is unlikely to be affected by either Zero Trust or NDAs.
Eliminating Password Sharing
Workers that tend to share passwords across multiple personal and work-related accounts—and more dangerously, with other workers—should be dissuaded from this practice. This habit is largely based on convenience.
Conducting Risk Assessments
Despite its limited view into remote employee behavior, the organization does have some recourse. One option is to assess the level of risk to which individual staff members expose the company, compiling a risk profile upon which action can be taken to promote better worker choices, close security holes, implement technology and provide dedicated cybersecurity training and understanding.
Other solid steps to help secure one’s remote workforce environments include:
- Employing encryption in a bi-directional manner, thus making it more difficult to intercept information before, during or after transmission.
- Making use of cloud-based elements such as a Connected Workspace. These platforms are especially vital for offering basic levels of security with minimal need for manual implementation.
- Leveraging VPN (virtual private network) technology—Forbes recommends no less than L2TP (Layer 2 tunneling protocol)—to secure connections and promote collaboration security over internet-based lines.
- Eschewing consumer tools such as Dropbox and Google Drive in favor of subscription-based storage and CRM (customer relationship management) software.
- Providing access to subscription-based security management applications.
- Establishing a CISO (Chief Information Security Officer) or other dedicated personnel to specifically oversee information security and integrity.