A Remote Worker’s Guide: Risks, threats and corporate policy

Next story
Editor

Part 1 of 4

Introduction

With the advance of modern information and communication technologies, employees have never before had the ability to so easily connect to work in a remote fashion as they do now. Wherever you might be, and with a reliable internet connection in hand, it is fairly easy to get set up for remote work.
The advantages of remote work are easy to see. Employees save time and money by not needing to travel, handle longer work hours and can manage their work even better. For businesses, that means a significant increase in productivity and a decrease in on-premises infrastructure costs. 
However, the reality of remote work brings with it a number of security challenges for businesses to ensure that all data remains confidential as well as safe from hackers. The usual security measures that are in place on a corporate network do not protect data that is accessed from outside. This makes controlling the access and use of business data increasingly complex, placing more and more responsibility on the shoulders of employees.
In the following series of blog posts, we will share key points of advice on how employees can exercise greater responsibility when accessing business data, especially when working remotely. Here, we consider risks and threats, as well as corporate policy for remote work.

Risks and Threats

Remote work has obvious benefits, but there are certain risks that should be considered. While these risks can be fairly well mitigated on company networks, they can fall beyond employers’ immediate control once they allow data assets to be accessed remotely.


Such risks can materialize due to both intentional and accidental circumstances. We can categorize the risks in terms of how they lead to a compromise of information in one of three ways:


1. Risks that compromise the confidentiality of information are those that can enable attackers to access private information without authorization. For example:


- Connecting to unknown or unsecure Wi-Fi networks can allow third parties, connected to the same network, to intercept information received or sent from devices on that network.


- If devices are stolen, the information on them is stolen too, and could end up in the hands of criminals.


2. Risks that compromise the availability of information are those that can allow attackers to disrupt information. For example: 


- Malware on employees’ devices can compromise not only the data stored on those devices, but also any data those devices access. 


- Using an unsecure internet connection opens a path for attackers to modify digital signatures and certificates, and forge digital identities.


3. Risks that compromise the integrity of information are those that can allow systems to become unavailable or unusable when needed. For example: 


- The information stored on a device, or even the device itself, can be encrypted by ransomware, rendering it useless. 


- Remote access to information or services served by a company’s servers can be interrupted if the connection is unstable.


On company premises, these risks are mitigated and controlled by IT staff by applying a range of security measures. However, outside of this protected environment, it becomes an even greater mandate on workers to actively mitigate or reduce the risks.

Corporate Policy

Before considering technical aspects, work tools and setup for remote work, it is essential to understand the elements that make up a good policy framework.


- A company must give its employees a clear remote working policy that deals with issues such as:


- Who will have access to the option of remote work and under what circumstances.


- The remote connection procedure. - What computers and tools will be used to perform tasks.


- How information should be handled when off-site. 


- What is the procedure, or who to contact, when technical assistance is needed. 


- The remote worker’s responsibilities and obligations in terms of information security.


It is crucial for employers and employees alike that the rules are clear. Before starting to work remotely, connecting to the company’s network from outside, or using different devices to access business data, it is important for employees to know and understand the policy for remote work and access to data.


Employees need to have a clear sense of what their responsibilities are with regard to security, whether or not they are allowed to use their own devices, and – if so – what precautions they need to take, what they are allowed to use the company’s communication services for, and, above all, what security measures have been established and what tools are available so they can comply with these measures.


Whether we are discussing directly employed staff or freelancers, in all cases it is vital that they understand your policies on remote working and remote access, so that they always follow your business’ security guidelines.


In part two of this series, we will discuss how to secure the remote-working tools that employees use.