October is Cybersecurity Awareness Month, and this year’s theme is See Yourself in Cyber, which focuses on the individual’s role in cybersecurity. While cybersecurity can feel complex and inaccessible to the average person, the reality is that everyone has a role to play in security, from executives to the IT team to end users. This month, the JumpCloud blog will focus on helping you empower everyone in your organization to do their part regarding cybersecurity. Tune in throughout the month for more cybersecurity content written specifically for IT professionals and MSPs.
Remote work is here to stay, and if your organization allows it (or is planning to), it’s essential to create specific policies to manage remote users and devices. However, two frightening statistics show that, in 2021:
- 41% of remote workers received no security awareness training of any kind; and,
- 67% of cyber attacks on businesses targeted remote employees.
While security training is just one part of a comprehensive remote work policy, the fact that it’s lacking to this degree tells us the scope of the problem is likely much broader.
The Security Problem with Remote Workers
Remote work adds a new layer of difficulty to both user and device management, and it’s clear that this problem is not one that can be overlooked.
There are distinct differences between on-site and remote employees, which need to be addressed by developing a remote work policy. Because of these differences, not all existing policies for on-site workers translate smoothly to a remote work environment.
The goals of a policy specifically written for remote users is to 1) protect your organization and employees by outlining security and compliance policies, and 2) provide guidelines for staying productive while working from home. Without a remote work policy in place, your organization is left vulnerable to many internal and external threats that can cause significant damage to the business.
The Solution: Extend Existing Policies:
First, you’ll want to develop an extensive list that covers everything that’s relevant to remote or hybrid work. From there, start by examining the differences between remote and in-office employees that create the need for separate remote work policies.
This makes it easier to create a policy that fits your organization’s specific needs and addresses those distinct differences between employee types.
To determine which existing policies can be extended to remote workers, make a list of the main challenges that remote workers face that need to be addressed. Compared to their in-office counterparts, remote users:
- Work differently, sometimes in a less predictable manner.
- Unintentionally create new risks for the organization.
- Are more difficult to monitor.
- Use different communication strategies and tools.
To maintain morale, productivity, and security, establish policies that specifically cater to the needs that accompany these challenges.
General Work Policies
Remote work is typically more flexible than traditional in-office work due to the circumstances surrounding it. Remote workers can wake up later and still be online when they’re supposed to be, they often have the flexibility to work in a way that improves their productivity, and it’s easier for them to work non-traditional hours.
In-office employees are usually expected in the office at a certain time (such as 9 a.m.), they have an hour-long lunch break with maybe a few other 10-15 minute breaks, and then they leave at 6 p.m (or earlier).
However, remote workers can benefit from more flexible hours in some situations. They don’t have a commute, less time is spent getting ready in the morning, they may work better in bursts, or they might be more productive early in the morning.
One option for employers is to keep everything standard for remote and in-office employees by simply extending existing general working hours to remote employees. Another option that better addresses this difference is to let employees work on whatever schedule they like, as long as they’re online during certain expected hours, and productivity doesn’t suffer.
Risk Management Policies
Allowing employees to work remotely doesn’t just mean they’ll work from home; they can work from anywhere that they want. This leads to employees trying to connect to public networks, use personal devices, and use shared devices among other insecure practices to get work done. These events are what make implementing remote user and device security policies so important.
Some existing security policies can be extended to remote employees, such as password complexity rules, password change rules, least privilege access, and the use of multi-factor authentication (MFA). All employees can benefit from these basic security features, but not all of your existing security policies will bridge the differences between remote and on-site employees so easily.
For example, in-office users are easy to monitor. They connect to the office Wi-Fi and use more company-owned devices (COD) than bring your own/personal devices (BYOD), so there’s little chance for network breaches or lost or stolen devices.
To mitigate the opposite issue for remote workers, you can use an identity and access management (IAM) tool to install different security protocols on remote devices, such as a lock screen policy and conditional access policies. Conditional access policies prevent employees from accessing work related resources from unknown or public networks, hotspots, unknown devices, and more.
Further, you can create a BYOD policy to better manage personal devices used for work purposes, which might include a monitoring/security tool getting installed on each personal device utilized. Keep in mind that remote users need to be managed and secured strategically but not micromanaged, especially when it comes to their personal devices.
Consistent security refreshes are also important, whether users are on-site or remote. A remote work policy needs to include a security training schedule for remote employees that covers the risks of working in public places, on public networks or personal devices, and more.
Productivity Monitoring Policies
As mentioned earlier, on-site employees are easier to monitor than remote users. This is true in the realm of security, as well as in relation to productivity. The metrics and types of goals used to evaluate in-office employees can typically be extended to remote workers on the same team.
However, to keep remote employees efficient and on track, sometimes it’s necessary to create a remote work policy that includes clearer targets, goals, and expectations as well as what tools will be used to help with remote progress tracking.
In-office employees don’t usually need these written down in a policy, because their manager is right around the corner, available to discuss and elaborate on goals face-to-face. However, more guidelines and written resources can help remote users immensely, especially when they start to question what they need to be working on at a moment in time.
On top of that, asking remote employees to use productivity tools helps management understand where users are thriving and where they are struggling. These insights foster productivity by showing where tool and process improvements can be made. Tools like Trello or Monday are useful in any type of work environment — they help users keep track of progress and collaborate on projects.
Lastly, a remote work policy needs to cover the types of equipment and other resources that remote employees can request. Some roles require a printer, a second monitor, a docking station, video and sound equipment, or other items, and remote users need to know what they’re allowed to ask for and how to do so.
In the office, communication is pretty simple — you walk over to a coworker’s desk to chat, send a message on Slack if you can see that they’re busy, or send an email if you want them to have detailed information in writing.
But, with remote employees, communication strategies aren’t always as clear, and new tools might need to be implemented to maximize efficiency.
For example, if you don’t have a messaging tool like Slack or Microsoft Teams in place, it’s important that you introduce one to help remote workers contact others in the organization quickly and feel more connected.
A video tool is also necessary for organization-wide meetings, team meetings, and quick one-on-one chats to stand in place of physical face-to-face meetings. Further, implementing a project management tool not only helps you monitor productivity, but it also lets remote and on-site employees working on related tasks collaborate.
Tools catered to remote employees are integral for productivity and morale, but you also need to provide remote employees with new communication strategies.
In a remote work policy, you can set up regular virtual check-in expectations between managers and their team members to see what’s working and what’s not. Also be sure to include how team-building activities and all-hands meetings will play out for remote workers to ensure they are included seamlessly.
Stay Secure, Compliant, and Productive
With no remote work policy in place, you can see how work can get chaotic, especially if you have both remote and on-site employees.
Luckily, determining what to include in a remote work policy doesn’t have to be difficult. After analyzing the gaps between in-office and remote employee needs and challenges, create sections in your new policy to address them.
The items mentioned in this article are only some of the things that need to be covered in your remote work policy. Be as general or specific in your policy as you’d like to meet your employee and organizational needs.