As the pandemic continues, it’s becoming obvious that remote work is here to stay. Gartner projected last year that 32% of the workforce would be remote by the end of 2021, while other research found that employees who work remotely are more likely to remain with their employer.
Despite the benefits of a remote workforce, remote workers provide a set of unique challenges for security professionals. Previously your organization may have had one site with 30 employees. Now your organization may have 30 locations with one employee each. Larger organizations may have hundreds or thousands of sites? How can you assess the risks associated with each site? Should you be sending assessors to each home office? Should you perform risk assessments of homes at all?
Should you assess the risk of home offices?
The short answer is yes; if your workforce is working from home, you should be assessing the risks associated with home offices.
If you’re wondering why that might be necessary, consider the case of a German remote worker who slipped on the stairs between his bedroom and home office, breaking a vertebra. The 2nd Senate of the Federal Social Court in Germany determined that he was injured while commuting, and that his employer’s liability insurance should cover his medical costs.
It’s important to understand whether an employee’s home is safe and secure so that you can address risks. How each company handles those assessments, however, may vary considerably.
Need help with remote risk assessments? Contact us now for a demo.
How to design a remote risk assessment
While some organizations are sending teams to assess home offices, that’s only one way of assessing the security and risk of a remote employee’s workspace. Before you can decide how to assess home offices, a business has to decide what their requirements for a home office should be.
1. Know what standards you have to comply with
Compliance will set the tone for your risk assessment. What do the regulatory standards that govern your business require and can those standards be achieved in a home office? If they can, your remote assessments will follow many of the guidelines site assessments will follow
2. Understand what reasonable expectations of security look like
Once you’ve reviewed your standards, decide what your specific organization's appetite for risk is. What is the minimum standard of security a home office should meet? Is it important for your workers to secure data in a particular way? If someone is working with data protected by the Payment Card Industry's Data Security Standard (PCI DSS) or with proprietary data, how should they secure their computer, paper files, or network? Is a computer screen or workspace visible from the door of the home office or from a window? If the employee is working with company assets, how are those items covered — by homeowner’s insurance or by company insurance? You may also want to evaluate the safety of the home, requiring fire extinguishers, cameras at the doors, and you may even want to be aware of possible domestic violence situations.
3. Self assessment or team assessment?
While some companies are sending assessors to home offices, I’m a big advocate of self-assessment in these cases. A self assessment allows an employee to evaluate the security of their own space. It also gives them a chance to understand the security regulations and expectations of their organization. After the self-assessments, you can conduct a few in-person assessments, either choosing high-priority remote workers, or assigning assessors randomly.This can help to verify specific self-assessment claims, or simply encourage honesty in self-assessments.
4. Know who needs to be assessed.
Not every remote worker may need to be assessed, and not every worker may have a home office. If your workers aren’t involved in your core business or if they’re administrative workers or interns with no access to important data, you may not need to assess their space. Decide who needs a risk assessment when you design the assessments themselves. Also, for remote workers without the resources to create a home office, consider a home office stipend that will help them create a secure and effective remote workspace.
Ready to assess your remote workforce? Talk to us now about assessing your security.