For many working professionals, the shift to often or always working remotely has meant saving time, money, and the stress of commuting daily. And while there’s no one-size-fits-all for businesses, after more than two years of flexible work-from-home scenarios due to COVID-19 and the resulting pandemic, an increasing number of companies are calling employees back to the office. The transition prompts employees to make uncomfortable personal changes, from returning to the commuter lifestyle and finding childcare again to leaving the slippers and loungewear at home.
For managers and security professionals, the shift to a more fluid style of working together brings unprecedented challenges on the professional front as well. How you manage people and information during this transition will make or break the health of your corporate environment and culture. Your remote work security policy is a vital piece of this evolving puzzle and crucial for sustaining a healthy security culture.
The policy that helped your team learn to safely work from home over two years ago no longer meets your evolving needs. It’s time for an update. Here are three changes to your remote work security policy and process and ways to implement them to keep your team and information safe during the transition.
Update your remote work security policy
A 300-horsepower engine can propel a boat swiftly and efficiently through the water. It’s perfectly designed for its intended purpose. However, the same machine would be useless under a truck’s hood. Though silly, this same principle applies to your security policy.
A policy focused solely on remote work security may have been all you needed while your team worked from home during the early stages of the pandemic. Now, that same remote-centric policy may no longer adequately protect your people and information in a flexible work environment. Updating the scope of your remote work security policy ensures that it meets both your needs and the needs of your flexible employees as effectively as possible. But who should be responsible for this task, and what’s the best way to get it done?
Typically, a chief information security officer (CISO), chief technology officer, or chief information officer (CIO) is responsible for exploring and implementing security policy updates. However, including other relevant stakeholders in the review and maintenance process offers visibility into the policy’s total reach and where it’s currently not working. At a minimum, you should include the following:
- Your HR, executive, and legal teams that write, review, and approve any potential policy changes
- The owners of any affected operations systems who will be implementing the approved changes
- Any educators or managers who will be responsible for training employees on new policy changes
- The team in charge of maintaining and enforcing your security policy, likely IT or corporate security
Your team’s roles in creating and implementing policy changes will depend on the changes rolling out. Likely, the scale of your policy changes can vary, too. A small change, like sentence-level language, is straightforward. Others are technically complex, like updating your VPN according to new ISO regulations. But no matter the changes made, effectiveness starts on the process level. That’s why updating your policy change management process is vital before addressing the documentation.
Implement zero trust
No one wants an unwanted guest to gain access to their secure network due to a WFH team member’s vulnerable device. Zero trust is an integrated security approach that protects your architecture using allow list permissions. Devices and users under zero trust only gain access to resources through your VPN and explicit security policy. Adding zero trust to your security policy will refresh awareness of security expectations and encourage returning or flexible employees to comply. This is a far more secure approach than an open security policy that lets any device or user access available resources.
Most companies did not bring back their entire team all at once to avoid the challenges of a fully adjusting workforce. Instead, you’ll likely have team members return according to their function or department over time — if you haven’t already. Use this rollout time to implement your updated remote work security policy in stages, so you don’t overwhelm your systems or IT team.
First, create and prioritize training for returning employees on adding zero trust to your revised security policy. Then add dedicated zero trust architecture to the devices of trained employees. Finally, make sure you have a solution for simple and effective collection and tracking of incidents and threats. Following these steps lets you protect your information and devices wherever they are used. They also empower employees to demonstrate IT compliance and follow your updated security policy since they now understand why security is important and how these changes are beneficial.
Make updated policy requirements more achievable with tech
The Morphisec threat index revealed that 56% of interviewed employees still use personal devices for work purposes. And 23% of those same employees confessed to not knowing what security protocols those devices have. Since many flexible employees use home devices in the office, it’s challenging to know just how clean the tech is. And not just physical germs! Malware, bugs, and outdated software can unknowingly influence employees’ abilities to follow your updated security policy. The endpoint continues to be a significant vulnerability for many companies.
Encouraging better security compliance doesn’t mean you email copies of the revised remote work security policy to every employee and leave them to fend for themselves and their devices. Instead, empower employees by providing tools and technology to support your security goals. Here are four technical processes to make your flexible teams’ devices safer and help them successfully manage their remote work security.
1. Multi-factor authentication (MFA)
Multi-factor authentication (MFA), also known as two-factor authentication (2FA), requires a user to pass remote access verification using multiple login methods, like a verified email plus a phone number. Unlike single-factor authentication, this two-step (or multi-step) process is far more effective at stopping hackers or unauthenticated users who may have access to part of an authorized login. Fortified Health Security says that MFA makes it far “more challenging for hackers to access applications and networks,” keeping that user and their device safe even if they get past the first factor.
2. Endpoint-based data loss prevention (DLP) software
Phones, tablets, and laptops are data storage goldmines for flexible employees, making them likely targets for data and device theft. In some cases, intelligent hackers can steal data off an unprotected endpoint as quickly as standing next to an unknowing employee in a crowded subway car with a hidden scanner. DLP software works with installed device controls to prevent accidental exposure of confidential data. This significantly reduces the chance of data theft.
3. Collaboration security awareness
Nearly every flexible employee uses platforms like Google Workspace, Zoom, and Slack to collaborate with your team both in and out of the office. Unfortunately, these applications don’t automatically secure your sensitive data (though many vendors are taking steps to increase application security). If you aren’t comfortable with the security your collaboration software offers, it’s up to you to teach your team the boundaries of your tools. Teaching them about the above tools and how they increase the security of personal devices is a great way to do this.
4. Encourage incident reporting through simple tech solutions
While we love to call IT for just about everything, some employees might try to hide a device breach incident for fear of punitive action. Anonymous reporting and employee hotlines can help when paired with a “be on guard, but mistakes happen” security culture. Having reporting mechanisms unified across channels, with an easy submission process that filters into a central system, makes it easier for IT and corporate security teams to analyze data to uncover common problems, issues, or mistakes.
Protect your work-from-anywhere team with Resolver
While the above tips and tricks will help to ease your flexible team’s evolving transition, keeping data, devices, and proprietary information safe is easier with the right tools and processes in place. When updating and implementing improved security policies, processes, and technologies, it’s essential to have a partner who can thoroughly adapt to your security risks and desired outcomes. Resolver’s IT Risk Management and IT compliance software empower you to protect what matters, so teams can work effectively from anywhere that suits. Resolver’s risk, corporate security and IT security software solutions help provide better visibility and insights, so you can confidently and quickly make a move.
From a simple-to-use, out-of-the-box, platform to a more flexible combination of risk, security, and threat solutions that fit your organization’s precise security needs, contact us or to learn more about our IT risk and corporate security software solutions.