The convenience, efficiency, and productivity of cloud-based strategies, remote work, virtual data centers, and distributed teams have numerous benefits. But taking these critical functions outside of a network’s secure perimeter can open your organization up to a new set of security concerns.
Establishing a few remote work security protocols and best practices today can help set you up for success once the dust settles and you transition to a “new normal”—whether that’s with an expanded remote work policy or distributed teams. This way, when work shifts back to projects and initiatives that are less urgent but more sensitive and strategic, you’ll have a secure foundation to help protect your company’s data and assets.
Here’s a framework to get you started on being secure for the long haul.
1.Be proactive with a “defense in depth” strategy that doubles down on cloud and network security
Security should never be an afterthought. It’s critical to secure systems and practices from the ground up, rather than add patches when vulnerabilities arise—a costly game of whack-a-mole many businesses know all too well. Proactive, layered cybersecurity should be central to every business’s best practices—particularly in regard to how sensitive data and communications are handled.
Think of defense in depth as a security insurance policy; if someone penetrates one layer to steal sensitive data (freelancer or otherwise), a second layer should help thwart their attempt. Measures should be in place to prevent, detect, and respond to attacks, and cover areas like your own network, employees’ devices, and any systems using the cloud.Use virtual private networks (VPNs) to help prevent digital eavesdropping or data theft.
2.Categorize projects by security level
Remote work plans should be as granular as possible, on a by-project basis to ensure nothing slips through the cracks. Taking a top-down approach will let you create a comprehensive security plan, then peel away those layers for your less sensitive projects.
The best way to approach tailored solutions is to categorize projects by security risk. For projects with remote talent in particular, having a tailored plan in place from the outset will ensure no one is accessing information they shouldn’t from day one.
Starting with the highest risk level, assign each project with the data and processes talent will need to access. These designations could include sensitive, confidential, private, proprietary, and public, each with their own security measures. This provides your entire organization with a framework for engaging independent talent and a standard for putting controls in place for each project. Also, consider a “separation of duties” concept for more sensitive projects, or break high-risk projects into smaller projects for a “checks and balances” of clearance and responsibility.
3. Make access “need to know” only and use confidentiality agreements.
Protocols for working with remote talent can resemble those used internally or with existing vendors. Depending on your security needs or compliance requirements, these may include onboarding and offboarding processes or access permissions.
Clearance should be role- or project-based and “need to know”—essentially, only giving individuals access to the systems and information they require for their projects—and can be reevaluated or revoked as needed. If there’s no way around avoiding sensitive information, have workers sign a non-disclosure agreement (NDA) or confidentiality agreement. Engage legal and cybersecurity experts to help you craft these agreements and remote access protocols to align with any contractual and regulatory requirements in your industry or area.
4. Create teams to house permissions and access
A helpful way to approach organizing the tactics that will be applied to freelance projects is to create team structures. Essentially, this delegates certain tactics based on the kind of work and systems remote talent require access to, taking one more step out of the process. If someone’s access needs to be reevaluated, it can be done as needed.
5. Educate everyone—from marketing and engineering to HR and the C-suite
Despite our best defenses, often we are our own worst enemies. Users are frequently the weakest link in the security chain. Traditional network security tactics are no match for social engineering and phishing scams, so as teams get more distributed, your approach to security should be, too.
Endpoint security like VPNs is a big step to preventing digital eavesdropping, data theft, and malware that can infect machines and networks. However, companies also need to educate users about best practices for handling data safely and protecting themselves from phishing scams, suspicious links, and malicious attachments. Some organizations implement simulated phishing attacks to locate vulnerabilities and train users on what to look for and how to report anything suspicious.
The key to keeping users of your systems wise to phishing scams is to do your best to change their habits—a one-off training here and there won’t be as helpful for ongoing email security.
With the right agreements and protocols in place, even high-security, high-risk industries can leverage freelancers. Businesses don’t have to miss out on the flexible efficiency of a contingent workforce because of security concerns. Want more tips for implementing better organizational security? Download Upwork’s free data protection white paper for tips to work securely with freelancers.
Get This Article as a PDF
For easy printing, reading, and sharing.