The focus of this year’s World Economic Forum in Davos, Switzerland is the increasingly global face of our world. From politics to business, every institution is rapidly learning to adapt to a hyper-connected, worldwide society. But if there’s anything that today’s industry leaders can learn from the Edward Snowden experience, it’s that a dispersed, global workforce comes along with unique security concerns.
Companies are increasingly relying on a freelance, outsourced workforce to compete. And as corporate teams become more dispersed, procedures and policies to protect sensitive information are increasingly racing to catch up. But with some focus and effort, any company can secure its information across borders and a distributed team by establishing clear policies, careful training and reporting procedures, and a system for continual review.
Categorizing Security Concerns with Remote Collaboration
Empirically, two of the most common types of personnel likely to misuse company information - both purposely and inadvertently – are the company’s controller and personal admin. Historically, that meant primarily an emphasis on training and securing your human workforce, i.e. hire people you could trust.
With remote workers, the security equation is much more complex. We’ve defined three aspects of remote security that must be addressed in any company.
1. Electronic – This consists of securing information that is stored and transferred digitally, which is in far greater supply in a workplace where some employees are offsite. Every time an email or chat message is sent is an additional place for infiltration into a company’s information system.
2. Physical – This consists of information transmitted via post-it notes or other analog methods. Remote workers can be sitting in an office, a home or even at the local Starbucks. If they are then jotting down client account numbers or IP addresses on pen and paper, it rapidly increases the potential of a security meltdown at your company.
3. Human – This is information transmitted through gossip, meetings or other conversations. Again, because companies have no control over where employees are sitting while having these conversations, the potential for security breaches is high.
Bringing Remote Workers Up to Speed on Security Policies
So you’ve recognized that hiring remote workers means setting up more robust security policies. But then what? We believe that successfully maintaining client confidentiality is a three-step process.
1. Create and transmit a clear security policy
Based on the three types of security defined above, create a policy – in writing – that is crystal clear and communicated to both clients and members of your distributed team. Carefully document the differences between different types of information, and outline how they should be handled. Make sure to include the process for remediation as well.
2. Train Your Remote Employees
Ensure that all personnel are carefully trained on these documented policies. Reinforce written materials with instructor-led case study discussions and series of quizzes. The training should also outline clear procedures on how to deal with gray areas, by escalating problems to more senior management. Specifically point out procedures to be followed in cases of a security breach.
Theft generally takes place when a culture of honesty is weak. We’ve established a strong culture for protecting information by clearly outlining policies, by establishing a strong training program, and by ensuring that management leads by example. The most senior people at Prialto, for example, will report themselves when we make the mistake of sending an email to the wrong person. This has always been an inconsequential breach, but showing the team that it is alright to report encourages transparent behavior, where issues more easily get raised instead of hidden.
All of this leads to the team taking pride in protecting customer information. The information we work with has become a kind of virtual commons that the wider team inherently wishes to protect.
3. Keep the Parameters Under Constant Review
No set of information security policies should be stagnant. First, the landscape is always changing. Social media platforms are always changing their policies and your company should also continually review its policies. By doing this, you’ll stay current, reinforce that this security is a priority for your company, and be sure to keep everyone on heightened awareness.
You can calendar the review so that management and board reviews all breaches, even if minor, every quarter. This helps keep a pulse on what is working and what is not working. A larger, more complete review can also be done each year.
Any time you change a policy, it offers an excuse to update quizzes and encourage further training, even among those who have been with the company a long time.
At Prialto, we’ve taken these steps to protect our client’s information with terrific results. Not once have we had a serious security breach in over five years of operating from Latin America and Asia. The personal pride that that has engendered in several of our employees has fueled the growth of our information security culture in ways that guarantee protection to our company and our clients.