Remote work can work for your business - Security Considerations
This may be new for you: the idea of not seeing employees in an office with rows of cubicles.
I promise, this too shall pass.
But in the meantime, you're concerned. And you have every right to be.
Remote work can be a very - very - risky situation if it's not handled properly. I wanted to take a moment to share some suggestions and things you may not have thought of before.
When your employees are in the office, you secure their use of and access to information using (primarily) three layers. The good news is, these layers are unchanged for a remote worker; but you will want to rethink which of them you prioritize.
Physical security is a locked building; a locked office; a lockbox; anything that can be properly secured in some way, whether through digital or manual means. Unless your worker lives in parts of Oregon, they are likely locking their doors and windows. If they have a home office set up, it is vital that it have even more security than the regular door and window security, to help protect the information within. This includes not leaving company equipment visible through nearby windows, or using screens or tint to obscure the equipment.
Hierarchical security is the process of ensuring that access to information is granted only on a need-to-know basis, as required to perform critical job functions.
In a normal work environment, managers and supervisors generally have greater access to information than regular line staff. This concept should not change in a remote work scenario; in fact, you may want to increase the layers beyond simple hierarchy to include the concept of broken-key-lock strategies.
Picture a lock where only one key can open it. Take that key and break it into three equal parts. Hand each part to a different person, without telling everyone who holds the parts, and require confidentiality. You have now created a situation where no one person can open that lock. That, of course, comes with risk: what if one of the people were to leave without returning their key piece? That's where the risk assessment part comes into play.
If one person has the key, that person could steal what's inside if they became disgruntled, or worse, lose the key so that nobody could get in. If multiple people have parts of the key, it removes the risk of theft (assuming nobody breaches confidentiality and conspires with the other holders), but increases the risk of permanent lockout should one piece be lost or that person leave the company.
Instead of a key, picture how this would work with security access codes or credentials. Most organizations make use of a password vault, where certain members of Information Security (for example) have access and nobody else does. Where this becomes a potential problem is if the Information Security worker(s) must be remote during a pandemic, thus opening up the risk of household guests gaining improper access to the credentials.
Security by Obscurity is the idea that what a person doesn't know or have access to can't be used improperly in the first place. This usually takes the form of low-level API interactions between systems that power the user's functions, removing their ability to directly alter information outside of strict boundaries, for example. It also includes extensive data replication, audit trails and tracking to understand who's accessing what and why, unbeknownst to the user.
I don't mean to scare you, but if you had a single database administrator who left a DELETE command up and went to the restroom...and their kid came along and happened to press the Enter key? Is that likely? No. But risk isn't just about what's likely. It's about what's possible and rating it according to its probability, but also the damage should something like that happen.
Most banks don't expect to be robbed. But they implement security procedures to look for key signs and traits of robbers so they know where to key the camera footage just in case something happens. This is because they know robbery is still possible, if not frequent or highly probable. You'll want to consider the same stance. Implement tools that ensure the user cannot directly cause damage or perform risky activities without multiple levels of verification, or better, that such actions are carried out by a background process with verification routines from other users.
Security is expensive. It's not easy. It takes time and skills to implement it correctly. It often goes unappreciated, because when properly implemented, it is designed to blend in naturally with users' day-to-day process. It's when it becomes tedious or a slow point that you'll want to revisit your security procedures and determine whether they're actually securing the right things, the right way.