Locking Down the House: Benefits and Risks of Corporate Security Policies in Employees’ Homes

Much of the workforce is now well into the pandemic-driven remote work model. We’re learning on the fly about new norms, opportunities and risks, with insights coming up unexpectedly and often.

Previously considered a privilege, wide-scale remote working became essential almost overnight. Suddenly, business leaders are realizing that quality work can and does get done this way. As a result, many are already factoring in the greater potential for associated financial benefits.

For example, a March 30, 2020 report by analyst firm Gartner showed that 74% of 317 CFOs and Finance leaders surveyed will convert at least 5% of their previously on-site workforce to permanently remote. Anecdotally, a top law firm is considering paying an additional $1000 per month to each employee who opts to permanently work from home. That can make a big employee lifestyle difference, especially in expensive urban areas. But it can also save an employer exponentially greater amounts on rented square footage.

Many more innovative ideas are likely to emerge. The current situation is compelling businesses to rethink their organizational structures, governance policies, security controls, and the technologies they will rely on to facilitate remote work. There is a lot to figure out as we’re all hurriedly initiated into a new way of thinking and being. Here are a few things to consider.

Technical pitfalls of the home environment

There can be considerable risks associated with accessing company resources from home environments. Many employees are likely using a single home network that is shared by multiple people, like spouses, kids or roommates. They may not have changed the default password on their home router, making them easy prey for hackers. They may also be using an array of rarely-to-never updated connected devices, like printers or IoT gadgets. BitSight researchers found home office networks were 3.5 times more likely to have a malware infection present than a corporate network.

Depending on whether they’re using personal or company-issued assets to perform work, software patches and upgrades may not be applied. Others in the household might even use the same computer for their own unique purposes.

Reinforcing security infrastructure

Since personal assets can pose so much risk, employers may opt to provide all of the needed equipment to remote workers, like high quality routers, laptops and monitors. Then there will be a need for security controls and infrastructure to complement that. Along with technical guardrails like virtual private networks, antivirus software and the like, there should be clear guidelines on what downloaded applications or cloud services may be restricted, as well as prohibitions on unauthorized access to employer-owned devices by others in the household.

As just one example, we all saw the meteoric popularity of the Zoom videoconferencing platform, until it became clear that its video calls were being routed through China. The company quickly became subject to overwhelming user pushback. In record time, the U.S. federal government declared the platform off limits to its workforce.

There are countless other apps and services people may be inclined to download. Consequently, firms may be required to audit long-term or permanent remote workers, and provide a full suite of company-owned devices the employee will use to do their work. That additional hardware will add significant burden, and risk, to IT and security teams.

A new rule book

Policies can be a good tool for drawing some boundaries on what should and should not be done when working outside the office. But policies are only as good as how they’re enforced. There’s much to think through on what constitutes acceptable versus risky behavior. As just one example, think about smart speakers, which could overhear business conversations conducted in the home. These devices are tied to personal accounts without oversight by corporations, but may violate corporate governance policies – especially if an employer has not completed a review of smart speaker producers like Amazon or Google as third-party vendors.

Evaluate your current policies and see if they are written to handle the types of unexpected scenarios that may occur in a non-controlled home-based environment. That could include everything from eavesdropping personal assistant devices or roommates to documents left on a personal printer getting mixed up with a child’s homework or more. Make sure you have a good awareness and training program so that your employees truly understand your policies’ goals and can relate them to their day-to-day activities.

Privacy complications

We are definitely moving into uncharted waters regarding privacy concerns. Where is the line regarding behaviors an employer can try to dictate within a private home, particularly one that is occupied by more than the employee? If, for example, the employee does not have a separate router for work, then the employer, under the terms of home working, could be infringing on the family’s environment. If the employee is using a personal asset to perform work, what rights do employers have to see what’s on that computer? What degree of electronic performance monitoring can employers conduct? What are the privacy implications for the rest of the household? There are many challenging issues to be addressed, and right now no clear answers.

Third-party vendors are integral to the equation

The growing number of remote workers exacerbates many security vulnerabilities, which in turn requires a new technical architecture to support and secure those workers. That architecture requires many more products and tools from third-party vendors. Particularly when employers are providing those tools for employees’ external use, the vendors must be vetted as thoroughly as they would be when providing assets used in the workplace.

We believe that device management, third-party risk management, and access control policies will become increasingly important as working from home becomes more common. With that, a different but more flexible, sustainable and productive work environment will emerge for the long term.