|
|
While offering remote work opportunities is a great way to attract and retain the best talent, allowing remote working, especially in other jurisdictions, also comes with risks for businesses. We have spoken about the tax and employment law compliance risks, but what about data protection?
Inadequate data security can be a major risk when it comes to remote workers, whether they are working from home or a resort on the other side of the world. Data compliance laws can become particularly problematic, especially if workers are transferring data outside of the company’s home country. Let’s take a deeper look at the data risks companies face with remote workers, and steps that can be taken to mitigate risks.
Cybersecurity and Data Protection Risks
Cybersecurity and data protection risks increase with remote workers because they are further removed from the IT services that ensure the company’s online security. Data protection can be particularly challenging when employees move themselves, and data, across borders.
Weak Home Networks
Hackers are always looking for new weaknesses to exploit, and the advent of remote work is one of those as they can exploit weak home networks to compromise corporate systems. Home networks that connect with company resources punch micro holes in security walls that hackers can expand and exploit. Unpatched firmware and weak Wi-Fi configurations tend to be the main issues.
As an extension of this, device security can also be a major risk. Home devices may not have the same security lockouts and it is possible that they could be accessed by other people who gain access to the device.
Lack of IT Oversight
Onboarding remote workers is much more challenging than onboarding workers in person, as it is harder to evaluate whether they have understood and are complying with company requirements around issues such as cybersecurity. These employees are more likely to fall for scams and mishandle sensitive data. IT teams also does not have the same device visibility to detect and deal with problems early.
Personal Devices
Sometimes remote workers are required to use their own devices, and this increases risk as IT cannot maintain the same security configurations. The use of personal devices can also create privacy issues if sensitive business information is mixed with the employee’s personal information. Theft of devices can also be a problem, especially if workers regularly travel with the device.
Shadow IT
Shadow IT is when employees use unauthorized applications or services to solve work-related problems without IT approval. These tools can bypass security protocols which can introduce security threats and sometimes breach rules around data protection and data sharing.
Data Privacy Compliance
All workers, in-person and remote, need to comply with data privacy regulations such as GPR, PCI-DSS, and CCPA. When this doesn’t happen, companies can face legal consequences for regulatory violations. All team members need to be given the training and resources to comply with data regulations. However, this can become more problematic if workers cross into other countries with different data laws. Just accessing the data can be problematic if data is not supposed to be transferred outside of the country. They may also have to comply with stricter data privacy laws, for example, the stricter laws in the EU than the US.
How to Mitigate Risks for Remote Workers
Highlighting these risks is not to say that businesses should not allow their talent to work remotely, but rather that they should be aware of the risks and take proactive steps to mitigate them. Below are some effective steps that companies can take.
Multifactor Authentication Requirements
Multifactor authentication limits access to sensitive data and systems by requiring both a password and a one-time code that should only be obtainable by the appropriate individual. This means that someone should not be able to gain access even if they have the login credentials or access to someone’s device with saved passwords.
Company VPNs
All remote employees should be encouraged to use company-provided or approved VPNs when transferring data. These encrypt data traffic between the remote worker and the company network making it extremely challenging for others to intercept and access data.
Data Encryption Policy
All companies should have encryption policies in place to ensure data is protected both during transfer and storage. All stored data should be encrypted, and it can be beneficial to implement full disk encryption to secure data in the case that the device is lost or stolen.
Software Updates
Outdated and unpatched software are a common vulnerability exploited by cyber attackers. Automated software updates should be enforced for all remote work devices, ensuring that remote devices are in line with devices used onsite. It can also be useful to implement endpoint detection and response (EDR), which is continuous monitoring of remote devices for suspicious behavior for fast response. This can be challenging to implement on personal devices.
Training
It is most often human error that opens the doors to a cyberattack, whether that be using weak Wi-Fi or clicking on a suspect link. Proper training can help prevent issues before they happen. Training should include elements such a:
- Zero trust rules for any unsolicited links or download
- Creation and high-strength passwords
- Identifying secure Wi-Fi networks
- Data management and encryption
- Management and control of access to devices
- How to respond when something does happen
Training should be updated on a regular basis not only to provide new information but to reinforce the importance of following directives.
Managing a Remote Workforce
One of the biggest challenges that companies that allow and support remote work face is trying to adapt rules designed for onsite teams for distributed teams. This is like trying to fit a square fitted sheet on a round bed! You might eventually get it on, but there will always be issues. Policies and approaches need to be designed with remote teams in mind, using the lessons learned from working with onsite teams but not being shackled by old rules and redundant policies.
