Back in July 2021, I wrote a piece for Computer Weekly on what security teams like mine needed to consider with employees returning to the office. Back then, we all faced several challenges. One of these was where our employees could work from. Essentially, it broke down into three categories:
- Mandatory return to the office;
- Permanently work from home;
- Hybrid mix of the two, be that flexible or with a minimum number of days in the office.
Without reopening the debate on whether working from home is more productive than in the office or vice versa, what is clear is that there has been a shift in employees’ mindset about where they work. Companies who forced employees back into the office found that some didn’t return and left for companies that offered more flexibility. Speaking to some of my colleagues, some prefer to be in the office when collaborating with others. Some prefer to be at home to focus on items that require a degree of concentration and to avoid the somewhat interruptive nature of the office.
When it comes to security and data protection, where an employee works and what equipment they use can bring considerable risks. For example:
- Working from a public area, like a café or coworking space;
- Working whilst commuting;
- Working abroad;
- Using a personal phone to stay in contact with their team whilst away.
So, what do security professionals like us need to consider dealing with these matters?
Firstly, we need to ensure that our policies and procedures are up to date and clearly outline what is and isn’t acceptable, both in terms of where employees work and how, with clear consequences for non-compliance. It’s no good if companies saying they adhere to ISO 27001, SSAE 18 or ISACA’s COBIT framework have employees who don’t comply with them. Whilst there may not be specific requirements set out in any of these for remote working, having the following in place could help prevent any security or data protection incidents:
- Document a remote working policy. This should be separate from a working from home policy, so it could cover things like community and working while away from home or while abroad;
- Equally, document a personal device policy, stating what is and isn’t permitted;
- Make sure any policies and procedures are clearly communicated to employees so there is no confusion and have a clear process of how employees should make related requests;
- It’s strongly recommended that you have an authorisation process so that key stakeholders are involved and can approve of requests, such as line managers, security, IT and legal.
- Have the means in place to document and track employees who work abroad. This could be as simple as a spreadsheet just detailing the dates they are away from/until;
- If you don’t already, enable any security alerts to notify you if employees are seen outside of their typical working country or in high-risk countries, so that you can suspend their accounts if necessary;
- Work with your legal team or seek independent legal advice to ensure contractual compliance. If a customer contract prohibits working or viewing their data from specific jurisdictions, then any employee heading to those areas will need to have their access revoked to that specific customer until they return;
- Review your risk register and add these factors on to it if they are not already listed. By defining the residual risk you are prepared to accept, this will help with any future decisions. Risks are constantly appearing and increasing so it’s vital you review this register and the associated risks on a regular basis.
We also need to ensure that the basics are in place. I’m sure I’m not the only one who has been on a train and sat next to someone who’s been working. In one instance, I saw the person sitting next to me get up and leave their computer unlocked with their emails on display. A quick glance told me that they worked in HR and the email they were composing referred to the dismissal of an employee. Now, if I had malicious intent, I could use that information against the individuals concerned or against the company. If your employees are working whilst commuting, ensure they know not to leave their items unattended, not to connect to insecure Wi-Fi hotspots and not to reveal anything sensitive on screen or in discussions with others in earshot.
What can we expect in the future? The requirements to work from other places are going to continue, so if you have everything in place to deal with those requests, you should be okay. However, that is only half the battle. You need to ensure your employees understand why you have these procedures in place and the reasons why you may refuse such requests. I also think there will be an increase in employees who are keen on using their own devices for work because they don’t want to have two laptops or two phones. Again, being clear on what you allow and what you prohibit is key. You may allow a personal phone just for email access but with no access to the corporate network and prohibit personal laptop use. As we’ve seen so far from the UK Covid inquiry, a blurring of work and personal matters on one device can lead to serious security and legal challenges, so having a clear separation protects not just your company but the individual employees, too.
Hopefully, this has provided some areas of consideration—some you may have already thought about, some you haven’t. For where these matters are now starting to become more frequent discussion points, ensure you address them early so they do not leave you, your employees or your company exposed to security or data protection incidents. This is by no means exhaustive, so look at the frameworks mentioned to aid you on this journey.
Simon Backwell, CISM, is information security manager at Benefex and a member of ISACA’s Emerging Trends Working Group