Risk Management in a Work From Home Environment

The emergence of a global pandemic has forced many organizations to send their workers home. This presents a number of potential issues, including in compliance and risk management. Many financial institutions have a clean desk policy, but how do you enforce it when your desks are scattered across the world? That’s a simple example, but the solutions may not be so simple. In this article, we’ll address some of these issues, including:

  • What are the risks of working from home?
  • How do I keep my data safe with employees working from home?
  • Should I change my compliance management program to accommodate working from home?
  • How can I ensure my data is secure with remote workers?

What are the Risks of Working from Home?

Data security is a challenge in any environment, a challenge that is magnified if your organization was not prepared for telework. First and foremost, management needs to come up with a plan, and once that plan is solidified, it should be put in writing in the form of a risk management policy. This policy should be communicated to every employee and remain easily accessible at all times. This helps clarify expectations and serves as a baseline for measuring compliance. Collaborating with outside specialists like human resources, lawyers and information security professionals will only strengthen the approach. The policy should already cover fundamental issues such as data classification and data handling, so adapting a security policy for telework should be an extension of an existing framework, rather than trying to start from scratch.

In terms of real security practices, any sophisticated corporate network should be sealed off from the outside world. This is done both through technical solutions such as firewalls, but also human resource practices and particularly onboarding and offboarding employees. Access should be terminated for any departing workers as soon as possible, which requires close coordination between HR and systems administration – communicate early and often. The company should keep accurate records of what non-company systems each employee can access, if single sign on is not deployed, for example customer relationship management platforms. The internal audit department can assist too, for example by focusing on access reviews

How Do I Keep My Data Safe with Employees Working from Home?

One of the best ways to protect data is to limit its access to a strict need-to-know basis. Additionally, implementing a data classification scheme that separates less important data (such as company marketing materials) from highly sensitive data (such as pricing or proprietary assets) can help reduce risk by categorically limiting data access to a smaller group or team. Much like anything in data security, once a scheme is in place, it is critical to review how the plan is being used in practice – the best policies in the world are meaningless if they are not used.

One very key aspect is to separate personal devices from work devices. Employees should be technically prohibited from using their personal devices to access company resources while working from home. This includes both external storage devices such as flash drives, but also communication channels that are meant to be open, such as email. Use web filtering to prevent non-company approved cloud storage. Consider adding automated data leakage protection tools to your company email or adding additional email controls that prevent sending messages to widely-used email services.

Organizations should also consider how much data each employee working from home can create. To prevent data loss, employees should only be able to store information in a centralized location. Optionally, it may make sense to prohibit printing to a home printer.

Should I Change my Risk Management Program to Accommodate Working from Home?

Employees working from home may be a trend that continues well after the pandemic is over. Accordingly, it makes sense for a company to adopt a new risk management program that embraces both in-office and remote work. Some aspects may make sense in one context but not the other, for example a clean desk policy. The telework policy can include a process for temporarily suspending a particular activity or granting a temporary exception for an activity. Suspensions and exceptions should be closely monitored, however, to ensure that they are reinstated when in-office work resumes.

Other tools might be useful as well, such as advanced threat detection that can identify when a user is doing unusual things, for example accessing a large number of files. Monitoring Internet browsing can identify if employees are trying to reach risky services like non-company approved cloud storage.

How Do I Ensure My Data is Secure with Remote Workers?

Security professionals must be diligent and attentive in maintaining a safe remote working environment. Establishing risk management controls is one key aspect, but it is just as critical to monitor the controls, and make adjustments where necessary. No information system is 100% secure, so any identified issues should be remediated as quickly as possible, and the security regime should be committed to continuous improvement and avoiding the same mistakes. Additionally, internal and external audits should continue at the same frequency, if not more frequently. One of the strongest tools in the remote workplace toolbox is continuous examination and assessment. Through inspection and observation, management can see how company data is being used, which assists in identifying risks, risk exposure and closing gaps.

Finally, be open to continuous improvement in a routine cycle: assess, implement, measure and re-evaluate. Subscribe to news sources such as US-Cert to keep up to date on emerging threats. Because a data loss event can be catastrophic for a business, it is critical to set aside dedicated resources (both people and budget) just for security. Leadership should commit to data security as well, and lead by example by prioritizing security projects and budget expenditures.