Managing a Remote Team Securely and Effectively

Thomas Tyler
Author: Thomas L. Tyler, Jr., Cybersecurity Advisor, CapinTech
Date Published: 7 April 2021

Updated: 17 April 2023

Years after the start of the COVID-19 pandemic, organizations across the world are still adjusting to this unprecedented event. Many companies were forced into allowing employees to work remotely, which presented a variety of logistical and security challenges for information security professionals. Even after our society emerged from restrictive guidelines and returned to some sense of normalcy, remote and hybrid working styles have remained prevalent across many industries. Organizations will need to continue to embrace a hybrid working mindset while maintaining data security and enhanced management for this type of workforce.

For years, employees within most professional businesses have had the capability to work from wherever they wanted. The rise in new technologies just over the past decade alone has continued to push this trend more mainstream. However, pre-COVID-19, the vast majority of employees commuted into the office, put in their time, and commuted home, with very little variety or change to a typical work schedule.

Obviously, this all changed in 2020, when a huge percentage of the workforce was sent home indefinitely. Not only were employees trying to navigate drastic changes in their working environment, but there were numerous changes in their personal lives as well, from continuous caring for school-aged children to the lack of personal interaction with extended family and friends.

This took a toll on employees and managers alike, and methods for ensuring continuity of their efforts became more challenging. Employers should understand that when it is implemented correctly, there can be great benefits to a hybrid working environment, with research showing that it can be more productive than working in an office.

To ensure you are on track with implementation of a hybrid working environment, there are three areas your organization should consider. This will help you establish proper boundaries and guidelines for all employees.

  1. Technology – Consider what you’ve given your employees to work with. While the devices they have at their disposal are important, look at the software and applications they need to perform their duties. Duplicative services or offerings can be a huge hindrance. Outdated software that may work incorrectly across mobile mediums can lead to issues with unauthorized use of other applications or shadow IT concerns.
  2. Process – You or teams within your organization may have discovered that some processes or policies that have been in place for years are woefully outdated in a hybrid working environment. Use this opportunity to allow organic change among your teams and ensure that remote employees can complete their work effectively. This is also a good time to look for ways to enhance efficiencies. This is the perfect opportunity to assess and adjust some things that “have always been done that way.”
  3. Culture – This is also a great time to take a step back and ensure the culture you want to foster is adequately reflected across the organization. This is a strategic decision that needs to be made by executive management to ensure that outdated ideals are pushed to the wayside for new mindsets to grow. Look to provide employees with greater autonomy and less micromanagement. Implement a framework for the proper delegation of tasks, where work product is tied to productivity and not to time worked.

Giving your user base the ability to work in this manner does not negate the need for security controls, however. This new mindset will create new challenges as your access and applications become decentralized. With proper planning, the following five areas can create an environment that supports your stakeholders while maintaining data security:

  1. Access Requirements – Identify the need for and extent of access. You can’t manage what you can’t measure, so it’s important to identify who needs to have a capability, what access requirements are necessary, and how users are accessing the resources. By evaluating these areas, you can make thoughtful determinations of what controls should be implemented and how they will be managed. This can range from manual controls for a handful of users to fully centralized systems for entire organizations to help mitigate risks.
  2. Acceptable Use – Define acceptable use policies for the identified resources. Your organization may allow personal devices to access business resources; therefore, procedures related to personal devices should also be incorporated into policies. Employee responsibility and restrictions should be adequately defined. Ensure details are included for lost devices or data removal when devices must be serviced for business purposes.
  3. Security Controls – Configure controls to support your policies for securing the applications and data that can be accessed, and the systems that they are accessed on. This includes but is not limited to strong password controls, lockout settings, and multi-factor authentication where possible. Limit retention of data across all storage means to minimize the impact of a potential breach. Ensure all devices utilized for business purposes are receiving proper patches and anti-malware updates promptly.
  4. Home Technology – As home network management becomes a cause for concern, consider the evolving risks associated with technology in the home. These environments can introduce unmanaged technology, such as other family computers, printers, scanners, and Internet of Things (IoT) devices that can all provide an avenue of exploitation. If not properly secured or segmented, these devices could affect the devices employees use to access your business resources. Employees need to understand these risks and acknowledge relevant security procedures within acceptable use policies. Consider having employees properly secure their internet access with appropriate encryption, creating a guest network to segment traffic, or even running vulnerability scans against home networks.
  5. End-user Training – It’s easy to see that end users are the weakest link in information security. It’s imperative to ensure adequate training for your entire user base. Once employees are remote, the way you manage controls changes, and the layers you have at your physical office may no longer apply. Your employees need to be aware of the risks associated with the areas mentioned above. Talk to your employees about current threats, the risks of using public Wi-Fi, and the heightened threat of malware when using computers for both business and personal use.

The shift to a hybrid workforce forces change across the entirety of our businesses. As leaders within our organizations, we must ensure that management adapts accordingly. To be successful, we must embrace the technology required to secure our end users and their devices. Organizations can no longer avoid this transference and should embrace the changes needed for end users to stay secure, healthy and adaptable.

Editor’s note: For further reading about reducing security vulnerabilities in a hybrid workplace, visit Timothy Liu’s ISACA Journal online exclusive article on the subject.

About the author: Thomas has over a decade of experience in the information technology sector. As Cybersecurity Advisor, he performs information security assessments for numerous nonprofit organizations, provides guidance relating to data privacy and data security regulations and serves as an advisor on internal and external service and software strategies. Previously, Thomas has served as a state administrator and advisor for digital media and software development companies and has performed information security review engagements for financial institutions, medical entities, CPA firms, and other numerous other industries. His work included regulatory reviews covering a variety of guidelines including FFIEC, GLBA, HIPAA, and NACHA.

About CapinTech: Capin Technology, a CapinCrouse company, provides information security services, including cybersecurity assessments, consulting, and training services, to financial institutions, nonprofit organizations, medical entities, professional services firms, and other organizations. Each year the firm performs hundreds of assessment, consulting, and speaking engagements with a team of experienced professionals retaining numerous certifications, including CPA, CISSP, CISM, CISA, CITP, CGMA, and CTGA. Each engagement is tailored to fit the unique needs of the organization, and information and reports are presented in a clear, concise manner intended for an audience with varying information systems (IS) knowledge.