Organisations are able to enforce and police an effective information security policy when staff are working in a controlled environment; however, this is not possible if a strategy of remote working is introduced. While it is technically possible for staff to work from home (or Starbucks or the local library), it is not necessarily appropriate from a security and compliance perspective.
Legislation such as the UK’s Data Protection Act 1998 (DPA) must be observed by all organisations to prevent confidential information potentially being accessible to unauthorised people. All staff with access to customers’ financial details must work within the guidelines of the Financial Conduct Authority (FCA), and any company taking payment using credit cards must comply with the Payment Card Industry Data Security Standard (PCI DSS). Companies that hold ISO 27001, the international information security standard, must be able to demonstrate compliance at all times.
It is all very well having a policy in place stating that, when working from home, staff must ensure no unauthorised people can see the information on their screen, or use their computer to access the Internet or play a game of Candy Crush. But how can you be sure these rules are being correctly observed (or even that they are not being deliberately abused)? How often have you been able to see information which must surely be, at a minimum, company confidential on the notebook of the person sitting next to you on a train?
It can be challenging enough to run your business effectively and compliantly when your staff are all working in an office environment, let alone scattered to the four winds where there is no opportunity for supervision or monitoring.
Mitigating security risks requires a combination of measures that together provide end-to-end security. Moving to the Cloud does not solve security problems; it just adds another element that must be addressed.
Information security policies should also be treated as an important factor when planning business continuity and disaster recovery strategies, so that they are not overlooked in an emergency, when the organisation is in a vulnerable state.
While there are many benefits of remote working, such as flexibility and reduction of office overheads, it is important to consider security and management issues to minimise the risk of data leakage or theft, which could lead to heavy fines and severe reputational damage.