As if our lives haven’t gotten complicated enough, many companies are having to contend with new data security concerns associated with their employees accessing important data from home. The issue becomes even more problematic when a portion of your data is managed by an overseas workforce that is dealing with the fallout of the current pandemic.
While many outsourcing providers have considered how to deal with client data security when delivering from their secure delivery centers, most have not had to consider how to do so with a remote workforce. Workforce providers must find a way to replace, or even strengthen, the security capabilities they had in-house to keep their clients’ data safe.
Assessing your Workforce Vendor’s Security
Each company has their own unique security requirements based on the sensitivity of their data. But, in this time of change, it’s important to understand what is possible in a remote setting regardless of your required security level. CloudFactory has found numerous ways to replicate the security that our physical infrastructure previously provided through a series of technology enhancements and workforce processes.
Data Security Starts with the Individual
The foundation of data security are the people doing the work. First you hire good people, then you use policies and processes to keep them focused and accountable. Strong data security policies and processes help to ensure that client data is safe and secure in any situation. And while team leads can no longer physically monitor workers, there are still many effective ways to establish a data security-aware workforce:
- Workers have undergone background screening, training, and other evaluative measures.
- Workers have signed non-disclosure agreements (NDAs) that apply to all client work.
- Workers have signed a remote work policy which prohibits, for example, use of non-approved devices, software, or physical environments to access company or client systems. Non-compliance may result in disciplinary action which may include suspension, restriction of access, or termination.
- Worker activity is monitored remotely through the use of webcam and/or screenshot capture, like applications used, intensity of work, etc.
- Workers are overseen during all shifts by staff that are trained on data security guidelines and who digitally monitor the team to detect any fraudulent or malicious activity by leveraging a combination of different signals.
Technology Provides Effective Tools for Data Security
Technology always plays a significant role in security but now more than ever, innovative solutions can help to replace some security features that may be absent without physical security that is provided by a building. There are multiple levels of security that technology can provide, so this is really where the sensitivity of the data should help you determine which security tools and approaches should be deployed.
- Access to client data and systems is restricted by multi-factor authentication, so workers only have access to the data required for their specific tasks.
- Users have no local administrator access. Local security policies lock down certain operating system functions and applications, including password policies and screen lock timeouts.
- All devices, whether provided by the vendor or owned by the worker, are equipped with up-to-date antivirus software.
- Vendor supplied and managed workstations with anti-virus and data loss prevention software installed, AE256 bit encryption, hard-disk encryption, and endpoint protection reporting to public cloud control centers are provided to workers.
- Worker platform that captures information to verify that workers are using the expected hardware and software.
- Workers use a virtual private network (VPN) to access data and other resources required for their project to ensure a secure connection to the network, shielding traffic between their end-point and the network.
- IP whitelisting is used to limit and control access to the network and data to authorized users.
- End-point reporting data is aggregated into a security information and event management platform, with a security operations team monitoring any abnormal activity.