Remote work has become the norm in the U.S. and worldwide. According to the Pew Research Center, 59% of workers who can do their jobs from home are working remotely in 2022, up from 23% before the pandemic struck in 2020.
It’s no surprise. Remote work provides safety and flexibility for employees while cutting costs and offering access to distant job candidates for employers. However, as great as remote work can be for both workers and the organizations that employ them, it comes with significant security risks.
Workers who use their personal devices to access company data and networks run the risk of exposing a company to cyber risk, while company assets both physical and virtual can be accidentally exposed in a worker’s home. It may also be difficult to address performance issues if a manager cannot see a worker in person. Compliance may also be difficult to assess or enforce when an employee is working from their home.
While assessing remote employees may seem daunting, it is possible to do it in a thorough, non-obtrusive way. First, however, let’s take a look at what you should not be doing when you assess your remote team.
How not to assess your remote workers
Years ago, before the pandemic made remote work common, a client asked my team to develop an assessment program for their remote employees: virtual call center operators and claims agents. It turned out not to be an easy task.
As we investigated their program, it became clear our client didn’t have a well thought-out plan when they set up their remote program. Their employees were working from home for very low pay, and frequently experienced problems related to both their work (such as disgruntled customers wanting to show up and confront an agent in person) or issues stemming from the low wages earned by these positions (such as childcare falling through and other domestic issues.)
Whenever there was a performance issue or customer complaint about an employee, the company called that employee into the local office for what they called a “counseling session,” which usually ended with the employee getting fired. The employee was then escorted home so the company could collect computers, printers, and other company property — a situation that often got ugly. Company agents became upset when they found sensitive data lying in the open, confidential emails transferred to personal devices, and missing company property. The recently fired employees, already upset, felt their personal space was being invaded and searched for missing equipment. These searches could sometimes turn into violent confrontations. Once existing employees learned that “counseling session” was code for termination, things became work. The remote employees began a campaign to sell off company assets before termination, including valuable customer information, including financial, medical, and home and office contacts.
The client wanted us to assess their current employees’ security. They asked us to do unannounced assessments at remote workers’ homes, and - if we found an employee in violation - they wanted us to seize company assets and stand by while the employee was terminated over the phone. We declined. Instead we recommended a whole redesign of their remote worker policies to address the real pain points and root causes that they created.
Assessing your remote workforce the right way
As you can see from the above example, it’s tough to assess remote workers for just that reason: they’re remote. They work from home. Inspections can feel like invasions, and taking company property back can feel like theft — especially if you’re already in a heightened situation, like a termination.
For these reasons, it’s important to be thoughtful when designing work from home policies.
Monitor personal device usage: A recent report found that 66% of mobile phones used at work are employee-owned, so it’s common for employee’s personal devices to play a role in work. However, if you are going to allow workers to use personal devices, you must also have a policy requiring them to install company-required security and monitoring software, as well as the ability to connect to your home office security network when they are conducting business on behalf of the company.
Issue company equipment, and track it: BYOD, or Bring Your Own Device can be tricky when it comes to protecting data. A better practice would be to issue them company equipment that is to be used only for company business. These can be set up with the proper protection and monitored for compliance and usage as well as tracked through geofencing.
Meet regularly: It’s not possible to over communicate when workers are remote. It’s important to check in regularly with employees to discuss performance and address any issues or concerns from both parties. If these meetings can be done in person, they should be done at regular intervals and not just for termination. The employees should look at the meeting as productive and a chance to voice concerns or get mentoring.
Use self assessment to monitor workspaces: Rather than sending in third parties to evaluate home offices, employees should be subject to self-assessment with video/photo verification. Only if necessary, should you create a protocol for in-person assessments, and those should provide both safety for the assessor and privacy protection for the employee.
Remote workers have a lot of responsibility, and that comes with plenty of risk as well. It’s important to keep your company data safe by setting up an assessment program that does not intrude on workers’ privacy but also ensures they’re compliant.
Circadian Risk can help you create a template for remote self-assessment. Contact us for a demo.