Remote Work During the Pandemic: What We Got Wrong

Feb 01, 2021

By Stephen Fried, CISSP

As COVID-19 began to spread rapidly across the globe in 2020, many organizations moved their employees off company premises and enabled large “work from home” efforts. Nobody knew how long this would last, but we assumed we could work remotely for a few months until this thing worked itself out, then return to the office and get back to “normal.” We were very wrong.

We weren’t just wrong about the length of the crisis; we were wrong about how our employees defined “home.” What we didn’t anticipate is that the pandemic would force companies to rethink the definition of “home.” Adult children needed to live with their sick parents to care for them. Travelers on vacation suddenly found their country in a state of lockdown with no possibility of quickly returning home. Younger workers chose to move back in with their parents to save on expensive rent and keep close family members in their “bubble.” Each employee had a unique challenge and a unique way of dealing with it.

While companies have been dealing with remote workers – even in foreign countries – for decades, most of those efforts revolved around known workers traveling to known locations under planned circumstances. This allowed an organization to carefully plan the process and technology needed to adequately enable, secure and account for these workers. The COVID-19 diaspora was different in that most of this happened without employers knowing about their employees’ location shift. They found that most people do not inform (or seek permission from) their employer before making personal decisions like where to live and who to associate with, even during a global pandemic. Companies assumed their employees were “working from home.” Employees created their own definition of what constitutes home.

From a technical standpoint, there is little consequence to your physical location when working remotely. The bits may take a few milliseconds more or less to get to their destination, but the average Word and Outlook user will hardly notice the difference. And with the increased use of SaaS applications, internet-based services work pretty much the same no matter where you are located. However, from a security, privacy and legal standpoint there can be a very big difference, and that’s what many companies got wrong. Emptying offices for an extended period of time may have enabled organizations to continue working productively, but it may have also introduced an extraordinary amount of unintended risk.

The first area – security risk – is possibly the most direct to deal with. Technologies exist that can help mitigate some of this risk, including Virtual Private Networks (VPNs) to protect network traffic, Virtual Desktop Infrastructure (VDI) to limit data exchange between endpoints and servers, and multi-factor authentication (MFA) to protect access and authentication, just to name a few. These technologies can be complex and costly to establish and maintain, but they are mature and effective in limiting security risk for remote workers.

The second area – privacy risk – starts to get more complex. Privacy laws can vary widely from country to country, and even between jurisdictions within the same country. If a worker handling customer data in one jurisdiction relocates to another area to be with family, the organization can suddenly find itself facing privacy violations from either jurisdiction due to vastly different requirements for the collection and protection of personal information. Even the simple act of taking a laptop containing PII or PHI across the border to another country may violate one of those countries’ laws concerning cross-border data movement. And, once you’re located in the new country, you may now be in violation of your home country’s laws because you have collected and stored data outside of the country of origin.

The third area – legal risk – is perhaps the most confusing. Many jurisdictions restrict work by “foreign” workers or require a visa or work permit for doing business locally. Employees temporarily relocating to that jurisdiction risk violating those labor laws. Additionally, working in another jurisdiction for any period of time may expose both the company and the employee to business or employment tax liability in both jurisdictions. These issues may be beyond the scope of what a security professional typically deals with, but they are important to address as part of the company’s overall extended remote work strategy.

What can organizations do to prevent being caught in a security, privacy, or legal mess on top of COVID-19 issues? Here are a few suggestions to help keep you on track:

  1. Set clear policies on what “work from home” or “remote worker” means for your employees. Those policies should clearly state the locations where work is – and is not – acceptable and set requirements for notifying the company if the employee will be relocating to someplace other than their residence of record for longer than a defined period of time.
  2. Ensure that appropriate technology is in place and is tuned or adjusted to handle a newly-mobile workforce. VPN, VDI and MFA are great places to start, but also make sure your prevention and detection engines (firewalls, CASBs, SIEMs) are tuned to account for potentially new source/destination locations. Overseas networks, often blocked to prevent malicious traffic, may become legitimate sources of data exchange for remote workers.
  3. If you provide “clean & wiped” devices for employees traveling overseas, ensure you are applying the latest data protection and secure communications technology possible. Migrate those configurations to ones that support minimal local data storage to help prevent jurisdictional data handling problems.
  4. Likewise, if you support a “BYOD” environment for company work, reexamine those policies specifically for workers traveling outside your normal jurisdictions to determine if there are any additional security or privacy requirements needed on those devices to protect your company and your customers.
  5. Ensure that your HR, Legal, Finance/Tax and Security teams are all in alignment when supporting any changes to your employee travel and remote policies. This will help to anticipate and mitigate issues in any of these areas before they become big problems.
  6. Many companies already provide business travelers with pre-travel safety briefings, so adding personal security, counterintelligence concepts, data protection, and employment considerations to that briefing (and also providing it to employees traveling for personal reasons) can benefit both the employee and the company.
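Items 1 and 2 above fit together: the residence-of-record and relocation notices that a clear policy produces are exactly the reference data a SIEM or VPN-log rule needs to tell a notified relocation from an unannounced one. The following is an added example, not code from the original post or from any product it mentions. It assumes a key=value VPN or identity-provider log format, an HR-supplied residence table and relocation-notice list, and an IP-to-country lookup; all of those, and the log lines, are constructed for illustration.

```python
"""
Added example (not from the original post): flag successful remote-access
sessions whose source country differs from the employee's residence of record,
rating a pre-notified relocation as "info" and an unannounced one as "alert".
All user records, relocation notices, IP lookups and log lines are constructed.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed residence-of-record table; assumed to be fed from HR (policy item 1).
RESIDENCE_OF_RECORD = {
    "alice": "US",
    "bob": "US",
    "carol": "DE",
}

# Constructed relocation notices as (user, country, first day, last day);
# assumed to be the output of the notification requirement in policy item 1.
RELOCATION_NOTICES = [
    ("bob", "CA", date(2020, 3, 15), date(2020, 6, 30)),
]

# Constructed IP-to-country lookup standing in for a GeoIP database.
GEOIP = {
    "203.0.113.7": "US",
    "198.51.100.23": "CA",
    "192.0.2.45": "BR",
    "203.0.113.88": "DE",
}

# Constructed VPN/IdP log lines: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2020-03-20T08:02:11Z user=alice src=203.0.113.7 result=success
2020-03-20T09:15:42Z user=bob src=198.51.100.23 result=success
2020-04-02T22:47:05Z user=carol src=192.0.2.45 result=success
2020-04-03T07:30:00Z user=alice src=203.0.113.88 result=failure
"""


@dataclass
class Finding:
    user: str
    timestamp: datetime
    country: str      # country the session came from
    expected: str     # residence of record
    severity: str     # "info" = notified relocation, "alert" = unannounced


def parse_line(line):
    """Split one log line into a dict; the timestamp becomes a datetime."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["timestamp"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def notified_country(user, when):
    """Return the country the user told HR they would be in on that day, if any."""
    for u, country, start, end in RELOCATION_NOTICES:
        if u == user and start <= when.date() <= end:
            return country
    return None


def evaluate_session(rec):
    """Return a Finding when the session's country is not the residence of record."""
    user = rec["user"]
    country = GEOIP.get(rec["src"], "??")   # unknown IPs are treated as off-record
    expected = RESIDENCE_OF_RECORD.get(user)
    if expected is None or country == expected:
        return None
    notified = notified_country(user, rec["timestamp"])
    severity = "info" if notified == country else "alert"
    return Finding(user, rec["timestamp"], country, expected, severity)


def scan(log_text):
    """Run the rule over every successful session in the log and collect findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("result") != "success":
            continue   # failed attempts belong to other rules (brute force, etc.)
        finding = evaluate_session(rec)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.user} connected from {f.country} "
              f"(residence of record {f.expected}) at {f.timestamp:%Y-%m-%d %H:%M}")
```

Against the constructed log the rule stays quiet for alice (US, as on record), rates bob's Canadian session as informational because it falls inside his notified window, and raises an alert for carol, who is on record in Germany but connecting from Brazil with no notice on file. The point of the design is that the same two tables drive both the "block unexpected countries" and the "allow notified ones" sides of item 2, so the policy and the detection cannot drift apart.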

Most companies in 2020 needed to find new ways to keep their enterprises moving forward. It should be no surprise that all these changes brought unintended consequences in the form of increased security, privacy, and legal risk. As we move into 2021, a little forethought, planning, and decision-making can help your organization avoid these consequences, keep your business moving forward and keep your information protected.