For any company that has information to protect — whether it’s customer or company financial information, or confidential and proprietary trade secrets — allowing work-related data to travel home with or to be remotely accessed by employees increases the risk that nonpublic data will find its way into the wrong hands. If that happens, it may result in significant liability or competitive harm to the company and may trigger a duty to report the data incident to consumers, regulators and/or business counterparts.
Remote work security policies should be tailored to each company’s specific risk profile and communicated clearly to all employees. Although each company’s information security defenses are unique, some of the most common risks to be addressed regarding remote work include the following.
Working on Unsecure Personal Devices
Employees should be advised to only conduct work on their employer-issued computers, phones and other electronic devices. This avoids commingling company proprietary information with employees’ personal information and leaving company and customer information vulnerable to security breaches from personal devices that may lack malware protection or critical security updates, or that may have insecure password protection or unencrypted hard drives. Where this is not possible, employees’ home computers should, to the greatest degree possible, be secured to the same extent as their business laptops and desktops, and software that segregates work information from personal data should be installed. A qualified IT professional can help with the setup of remote work devices.
Connecting to Unsecure Personal and Public Wi-Fi Networks
Employees’ home networks — and connected devices — may be vulnerable to malware or ransomware attacks through their wireless router. Hackers could monitor network traffic or access files on connected devices, including connected TVs, gaming devices and other devices connected to the same network. Public networks in airports or cafes are even less secure.
Employers should provide secure Virtual Private Networks (VPNs) for their remote employees to access the internet for work purposes and prohibit employees from using their home network or other public networks while traveling or working in public places. VPNs can be set up by a qualified IT professional.
Transferring Corporate Data Using Personal Email Accounts
As with regular employees, remote employees should be discouraged from sending company information through their personal email accounts. Personal email accounts may be less secure, and sensitive information may be susceptible to interception and misuse. There is ordinarily no reason to send company information through personal accounts. Any deviations should be supported by special circumstances which have been pre-approved by an authorized company representative. Subject to applicable law and corporate policies consented to by the employee, company email accounts can be monitored to identify when employees have sent emails to their personal accounts, and appropriate action can be taken.
Syncing with Personal Cloud Storage Accounts
Similarly, employees may be tempted to use a personal cloud service account, which may be less secure, to transfer documents or data to and from the office. Files may even be syncing from the employee’s personal computer to the cloud without their knowledge. This issue can largely be avoided by including provisions in the Remote Work Agreement for employees not to use personal systems for work activity and by issuing employer-provided devices that are configured to connect only to company-approved systems. As with personal email, IT can monitor network activity for improper use, and appropriate action can be taken for violations.
Unsecure Connections to Employer Systems
In the absence of a secure virtual private network (VPN), employees may attempt to connect to a company’s systems in an insecure manner, such as using remote desktop software to connect to their work computers. To the extent you foresee a need to access information on a company’s network, look into providing a VPN for certain employees or for data that is critical for conducting business.
Remember also to require employees who have web access to any systems that access or transmit corporate information to enable two-factor authentication or other enhanced security, where possible.
Unsecure Conference Call/Video Services
Employees may be tempted to use free or online conference call or video services to connect with customers or other employees, or for other work-related purposes. Some services may not be secure or may even record your employees’ conversations by default. As stated above, employers should identify secure communications services for remote worker communications and require use of those services in the Remote Work Agreement.
Physical Document Management and Destruction
The same rules apply to remote workers as for employees traveling for business or otherwise working temporarily outside the office. For remote workers, the lines may seem more blurred as to what documents may be taken and accessed off-site, and there is more opportunity and temptation to get sloppy or lazy about document handling. The Remote Work Agreement should remind employees that company documents should not be taken offsite without direct work need, or accessed, printed or saved insecurely. As stated above, special care should be taken when accessing, printing or saving through an internet connection or in public places. Public printers and copiers can often save copies of documents without the knowledge of the user. Remote work employees should be counseled never to print corporate documents on personal devices, or in public places such as hotel business centers, unless absolutely necessary, and then to take particular care to log out and to clear display screens, browser history, etc., to ensure no trace of the documents is left electronically for subsequent users.
It is strongly advised that remote employees be provided with cross-cut shredders for home use and counseled to avoid disposing of documents at home or in a public place without proper cross-cut shredding, or that employees without such shredders be advised to return all printed materials to the office for proper destruction.
Phishing Schemes and Other Fraud
Cybercriminals are always searching for security vulnerabilities to exploit, and many employ attacks tailored to a specific company and its employees. A company’s vulnerability to such attacks only increases with remote workers. Sophisticated hackers may send email impersonating company personnel from accounts with similar email addresses, or even hack into the company email system or company servers to send emails with links that can give access to company systems or divert legitimate emails for criminal purposes.
Company-provided computers can be configured to minimize the risk of phishing attacks and to isolate and remove malware before it attacks the company’s computer systems. Limiting email use to company email accounts can further limit the risk, and remote employees should be advised to be especially vigilant in looking for and reporting any suspicious communications.
Although there is always the risk of cyberattacks with onsite and remote employees, with some careful planning, well-defined policies and clear communication between employees and management, companies can maintain the security of their data while allowing remote work that benefits the company and employees.