How To Stay In Compliance When Employees Work From Home — or From Anywhere

Your employees need to stay in compliance regardless of where they’re working. When employees Work From Home (WFH) or Work From Anywhere (WFA), the risk to your systems increases — breaches, malware, ransomware, device and network access, social engineering, the temptation to use workarounds, and other threats are more likely when people work away from the office. 

It’s also harder to supervise staff remotely. 

The best way for your team to comply with your policies and keep your company secure is for them to do everything right all of the time. Here’s the best way to ensure that happens. 

What your employees need to do: Adhere to the policies

Your employees need to understand your policies inside-out so they can follow them. Your staff is your most important firewall and when everyone knows what’s required, they can comply. Hands-on training and continuous testing translate theory into real-life action — this applies to employees at all levels, including leadership. 

Security awareness training from companies like KnowBe4, PhishLabs, Cofense, and Proofpoint tests employees after they complete the training modules. The training programs also require employees to officially acknowledge they’ve completed the training and understand what’s expected. Follow up with additional random testing and internal phishing tests to see which, if any, of your employees are still vulnerable.

Finally, make sure every employee signs off on your policies regularly and whenever you make a policy change.

To make this process effective, leadership and IT may have some work to do.

What you need to do: Set up your employees (and company) for success

Your goal is to protect your company while making it easy for employees to comply. These six steps can guide you:

  1. Update your Compliance Policy for WFH and WFA
  • Make sure your policy is clearly written (and not bone-dry), board-reviewed, and available on your intranet for easy access and quick reference
  • Include your approved systems, apps, and any external media (like flash drives and hard drives)
  • Define the types of information that must always stay on the company network and the process for sending approved sensitive information
  • Write specific requirements for MFA, passwords, and encryption, including your processes for communications, data storage, wireless routers, and router traffic
  • Incorporate a Media Sanitization Policy that covers the disposal of sensitive information, including hard copies, if needed
  • Other policies you may want to integrate or update include:
    • Security Awareness Training Agreement
    • Confidentiality Agreement
    • Bring Your Own Device (BYOD) Agreement
    • Sanction Policy
  2. Task your IT department with updating or upgrading your IT environment for WFA (see details in the next section)
  3. Engage a reputable training company if you haven’t already
  • Choose a company that makes learning interesting and engaging — subpar or boring training modules don’t encourage learning or compliance
  • Determine your required time frames for completion and make completion mandatory
  • Ask for feedback about the training and change training companies if your employees are dissatisfied
  4. Shore up your oversight team
  • Enable your compliance officer to be supported by a compliance committee
  • Require monitoring and auditing (including spot-checking) of all staff and regular internal reporting
  • Review and update your investigation plan and require follow-through on corrective actions and discipline
  • Establish a hotline for confidential and anonymous reporting of compliance issues
  5. Conduct employee orientations
  • Inform all staff about the policy updates you’re making and why
  • Emphasize that your employees are your company’s first line of defense, that you rely on them to keep your business operating successfully, and that it’s important for everyone to work as a team
  • Be clear about your training requirements and what you expect on a continual basis
  • Lead by example by talking about compliance improvements you’ve made to your own workflow
  6. Continue to talk about compliance a lot
  • Send a strong signal at every reasonable opportunity that compliance is a priority
  • Include compliance messaging in your internal communications
  • Remind your entire team to be vigilant in looking out for scams and sharing anything suspicious with IT
  • Congratulate your team on its successes — recognition from the top has a positive impact

What your IT department needs to do: Configure your IT environment for WFA

The key to having a compliance-ready environment is not to differentiate between “remote work” and “work” — they are now one and the same. Your IT department should address these three areas:

Operations

  • Configure all devices with the latest software and security controls with automatic patches
  • Review access logs more often and examine every source IP address for anomalies
  • Monitor and test VPN limits to stay ahead of any increases in the number of users

Solutions

  • Shore up remote access security practices, including implementing MFA across the board (and ideally a remote access single sign-on solution) and reviewing your wireless encryption protocol, vulnerability management, digital asset protection, and backups
  • Leverage zero-trust or conditional-access rules
  • Use tools and platforms built for a distributed workforce when moving resources to the cloud
  • Look at VDI (virtual desktop infrastructure) or endpoint protection software for your employees’ personal computers

Policies

  • Update your runbooks to reflect any changes you’ve made to secure remote access and document any gaps you find
  • Publish your company’s audit policy that defines what IT will be looking at to balance security and privacy

Compliance from anywhere is a business benefit

Staying in compliance no matter where your employees do their work is a team effort that starts at the top. By training employees on well-defined policies, having a properly configured IT environment, and continually demonstrating that compliance is a cornerstone of your corporate culture, the added risk of remote working is manageable. 

There is no reason your distributed workforce needs to jeopardize your business. The many advantages can propel you forward.