How to maintain security when employees work remotely

This blog is tagged to the following categories:

It’s safe to say that we’re living in unprecedented times. Organizations all around the world suddenly have to work out how to maintain security when employees work remotely. And that’s not all — they also need to balance this with providing a truly first-rate employee experience. We spoke (remotely, of course!) with TOPdesk’s IT and security experts, Mark Herrewijnen and Bart van Manen, to find out how to balance security and employee experience while working from home.

What can organizations do?

First things first: it’s important that every employee is armed with at least a basic knowledge of IT security. Not every employee is a digital native, so it’s crucial that you cater to each and every one of your colleagues. To help with this, Mark suggests producing a one-page summary document outlining key security dos and don’ts (e.g. do remember to back up all documents but don’t log onto public networks).

Not only will this make sure that your employees don’t make basic security mistakes, but your employees will also appreciate having all this key information to hand — you can’t simply expect everyone to intuitively know what to do and what not to do.

There’s also another major danger. Amidst such widespread upheaval, organizations might be tempted to tear up the existing rulebook and introduce sweeping changes in an effort to ensure ongoing security.

Bart warns against this strategy. “Introducing too much change all at once might leave your employees confused and discouraged— they already have enough on their plate as it is. Try to follow established procedures as much as possible, and if you do want to switch things up, use change templates or incident workflows with documented approval steps.”

The message is clear: balancing security and employee experience is difficult enough as it is, so there’s no need to make it even harder.

Lastly, it’s important to ensure ongoing communication between your IT staff and your employees. As much as you might want to rely solely on established procedures, your security strategy will probably be affected in more ways than one. Mark recommends having verified forms of centralized communication — for example an intranet where employees can chat about any issues they’re having.

Try to foster a real sense of community. Let your team know that you’re always there for support if they need it: offering up your expertise and advice at all times. This is crucial if you want to successfully blend organization-wide security with providing a fantastic employee experience.

What should – and shouldn’t – your employees do?

“Well, there are the obvious things that should be avoided: don’t view confidential information in public places, don’t discuss confidential material in virtual meetings using unknown apps, and don’t log on to public networks,” Bart says.

Mark agrees: “You should also remind people not to assume that if everyone else is doing something, that automatically means that it’s safe. Even USB flash drives, which have long been a staple of IT practices, carry their own risks: they have a significant risk of being infected with malware.”

This also goes for VPNs. While some organizations might be rushing to provide employees with their own VPN in an attempt to increase organization-wide security, the opposite is actually true — if you use a VPN, you have a bigger attack surface, which leaves you more vulnerable to security breaches.

That being said, if you’re going to provide the best employee experience possible, it’s just as important to focus on what employees should do — rather than simply what they shouldn’t do. Mark emphasizes that employees should work together to develop contingency plans: triaging teams, sharing management responsibilities, as well as assigning and duplicating all essential codes and failsafe roles.

On the whole, employees should always raise any queries — no matter how large or how small — with their IT team. For Bart, “the key is to create a culture where employees have an ongoing, open dialogue with their IT team. You should make an extra effort to ensure that your less tech-savvy colleagues feel especially comfortable.”

Employee experience doesn’t mean that you have to run around making everyone happy all the time; instead, it means that you’re there for people whenever they need you, and that everyone knows this. Given how integral IT is to the vast majority of modern organizations, IT support is as much a cultural issue as it is a technical one.

If something unfortunate does happen, this is how you manage panic at the service desk

The key is to create a culture where employees have an ongoing, open dialogue with their IT team.

Do you have any other specific technical tips and tricks?

Right, let’s get stuck into the nitty-gritty details of how to maintain security when employees work remotely (I could tell that this is what Mark and Bart were really looking forward to discussing!). Our top nine tips are:

  1. Remind employees to be cautious with any company-provided hard- & software — it might be pretty difficult to send out physical help or to provide replacements.
  2. Don’t allow kids to install apps on devices you use for confidential work. Maybe consider borrowing a device from school or dust off an old laptop.
  3. Make sure that all work devices have up-to-date security protection.
  4. Don’t suddenly roll out mass software updates — if you haven’t updated for a long time, updating now might actually be worse. Communicating changes is also more difficult with everyone at home, so only install small updates and critical security patches where possible.
  5. Don’t use a VPN to disclose the whole office network — one compromised device can affect all your services, so disclose individual apps to remote workers instead. A VPN, by its very nature, might admit potentially undesirable or unsafe devices into your company’s internal network.
  6. Don’t ask everyone to change their password: changing passwords right now might be very problematic. If a password was secure enough when an employee was working in your office, it’ll more than likely be secure enough when they work from home.
  7. Don’t click on links in emails that are strange or suddenly urgent. If you’re not sure, verify with the sender (preferably not via the reply button).
  8. Verify impacting change requests, like additional access or money transfers, with colleagues. Preferably try to use a different channel than the original request (e.g. verify emails using Skype/Teams).
  9. Ask employees to reset default Wi-Fi router passwords (just in case).

Communication is key

It’s always been difficult trying to balance security with employee experience — but it’s just become even more complex. The current situation has brought about a number of hurried changes, which means more vulnerabilities: both technical and personal.

But don’t panic; it’s more important than ever for IT staff to remain calm and communicate clearly. Let your employees know precisely what to do and what not to do. Answer any questions they might have, and foster a sense of community — after all, we’re all in this together.

Want to find out more tips and tricks on how to successfully put your employees first? Download our customer centricity e-book.