Working Remotely Policy Development

Working from home and working through mobility or remote applications has become very popular. Use of home offices exploded during the COVID-19 situation. The vast number of employees working from home offices has forced companies to adjust and reconsider who, how, and which employees work from a home office.  One of the big things we learned is that working from home or remotely is a skill set that not all employees have; in some cases, there are too many distractions, kids, friends, Facebook, and household chores that can become easy distractions. Then there are the technical questions that need to be solved, such as security, the hardware used when working from home, ownership of intellectual property, and data security. There is a lot to think about when you have employees working from home, and it could be more important than you think and should be worthy of your time to develop solid policies and procedures to protect your company and the employee.

Let’s define what a work from home policy is; it is a set of guidelines that outlines the rules and processes regarding how employees can work from home.  Which could include security measures, how data is stored, what data can and cannot be accessed remotely.  There is a lot of disagreement about the effectiveness of employees working from home, which is primarily focused on the individual and do they possess the skill set to work from home?  Some jobs can be done remotely, such as jobs primarily done over the phone or via email and electronic communications.  Some can’t, such as jobs where face to face interactions with the client are essential or jobs with a physical aspect.  The research has shown that some people also can work from home, and some can’t, so monitoring productivity in a remote work environment and measuring the amount of time spent on work-related issues is key to a work from home policy.  It is important from a company perspective you outline in detail work from home policies to ensure you help employees that might struggle to be more effective in a remote work environment.

According to Tech Republic, here are some guidelines to help you start developing a work from home policy.

• Eligibility, as stated, some jobs and people can be done remotely; companies need to take a rigid, honest view of themselves and decide which positions are eligible and which ones are not. These positions need to be clearly outlined in your policy and what technical resources they are going to need, such as integrated phone solutions, network access, Internet access, along with who is responsible for the cost of setting up a home office for these job roles. Who covers the cost could be dependent on is working from home required, or is it an option?

• Availability is a crucial component of a work from home policy. What’s the company’s expectation of remote worker's availability to co-workers and customers?  Is flextime an option? If so, how are you going to monitor when an employee is working or not?  Or, is the expectation a typical eight to five workdays?  Is it all based on job role or customer expectation of availability? Again, this needs to be defined clearly within your policy, and how the company measure and hold employees accountable for time management?  Time management and monitoring are typically a big topic of conversation because companies want to know what their employees are working on and which customers.

• Responsiveness is directly related to customer and co-worker expectations. However, this needs to be clearly defined; responsiveness expectations should not change for a remote worker than in-house staffing. How employees respond should also be clearly defined, such as by phone, instant message, email, or video conferencing; what will be considered an adequate response?

• Productivity Measurements, how are you going to measure productivity? Accountability is always an ongoing battle; accounting for the time employees spend on individual tasks is critical to home policy work. What is important from a policy perspective is outlining clearly the guidelines you will use to measure productivity. There are several ways to do this, such as time spent on activities, number of issues or cases, or number of client interactions, but you need to be clear on how you will do it in your policy.

• Equipment and systems, to be effective employees, need to have access to equipment and systems. The question is what the company provides and its responsibility to cover the costs such as computers, printers, internet access, chairs, desks, or several other things. From a policy perspective, this is part of eligibility, is this job outlined as a remote job?  If the job is explicitly outlined as a remote job, this might create some added expense to the company, verse a flex job where the employee might have to cover some of their costs to meet their needs.  When it comes to technology, I never recommend letting users use their personal computers, and it is essential from a security perspective and the protection of work product. It does create a recovery process problem if the employee leaves the company, so you should outline how you are expecting to regain your technology assets and ensure that you have all of your data and intellectual property.

• Security is a huge problem right now because home networks are not nearly as secure as corporate networks, the physical access control is an issue, along with connectivity such as WIFI security in the home. We have seen through 2020 that hackers have become very effective in exploiting the home worker because complacency creeps into the home. After all, the inconveniences of higher security in the corporate world are bypassed in the home environment. The lower security, the less monitoring, less security awareness has become an open portal to the corporate world, so it is critical to outline home workers' expectations on how home networks are configured, access permitted, and controls implemented.

There are other considerations such as Client Confidentiality, Physical work environment, what happens when you terminate a remote worker, and tech support of home workers, which may be different than the support you provide to an in-house worker.  Termination seems to be the most difficult to manage; systems access and recovery of the company’s technology resources seems to be an area that often falls through the cracks when employees work from home. A clearly defined process for employee termination is critical, or you could be exposing your business to needless risks and costs.

Often companies wonder what are the advantages of a work from home policy?  There are a lot of different perceptions of a work from home policy. However, the leading opinion is that employees that have the job role and skill set to work from home benefit from a higher sense of wellbeing and tend to be more loyal to the company.  However, working from home is a skill set, and not everyone has that skill set, so working from home doesn’t mean you don’t have to manage them; sometimes, it can create other issues.  However, according to SnackNation.com, here are some of the benefits of working from home.

• It signals trust; employees will feel that the company trusts them, values them, and empowers them, contributing to the employee feeling more personally invested in the company. Research indicates that once an employee becomes emotionally invested in the company, they will go up and beyond to succeed in their job duties.

• It gives employees their time back; the average commute time for employees in the United States is about an hour per day. Employees see that time given back to them in increased family time, less wear and tear on the vehicles, less money spent on fuel, and more time for hobbies, which increases happiness and well-being, translating into more production in their jobs.

• Lowers absenteeism rates; one significant advantage to a work from home policy is that when employees feel sick, they don’t come into the office and spread it around to the other teammates. In most cases, even if the employee does feel sick, they will continue to work even though they don’t feel good when working from home.

Now that we have explored some of the pros and cons of a work from home policy, here are some easy steps to follow when writing a work from home policy. The key to a successful work from home policy is to be as straightforward as possible in your policy design, yet making it beneficial to the employee and your business.  It has to be clearly defined as to what measures success and determines failure and the consequences if the policy has not followed.

According to BIT.AI Blog, these are critical components to writing your work from home policy.

• Define the purpose of the work from home policy
• Define the scope and the expectations of your work from home policy
• Outline the request process
• Outline the approval process
• Set your working hours
• Set your acceptable work from home days
• Outline communication channels and what good and poor communication is
• Give IT support
• Set continuous improvement goals

We are all set to work from home, well, not yet. Now that we have a policy, we need to look at the technology and what you should require in your work from home policy regarding securing the home network.  One of the most common questions from an employee is who will pay for all these new security requirements and technology? Funding of security initiatives is worthy of discussion because if you allow a work from the home process, you agree to expose your corporate network to risk.  Mitigating that risk might be in your best interest to have a cooperative discussion about who and how paying for the privilege of working from home will be funded.

There is a lot to consider when you are going through implementing a work from the home process. Many companies underestimate the consequences of not correctly outlining proper system access, IT infrastructure, bandwidth, and data protection. The more access points to the network you have, the more you open up the window for hackers, viruses, and accidental exposures. Building a security culture is critical to a successful plan; employees must understand the risks of working from home.  Employees need to be proficient at identifying phishing emails, avoid the use of public WI-FI, and how to secure their home WI-FI and routers properly.  As part of your work from home, the policy should be attending a Security Awareness Training program, either one designed by your technology team or a third party.

When employees are logged into your network from home, keep in mind that they are now part of your network.  So, the same security protocols that apply to them in the office should apply to them at home.  Utilizing a VPN (Virtual Private Network) to securely move data back and forth between the user and your server farm or applications will provide you an additional layer of security. Other steps that should be considered part of your VPN deployment would be hiding the end user's IP address, ensuring that data is encrypted while in transit, and masking your user’s locations. For most VPNs, this is a typical setup when deploying a VPN; however, you need to enable these options with some VPNs.  Since more people are working from home than ever before, ensure that you have enough VPN license to access all the employees who require a VPN to access the system.

Several standard security processes that should happen but are often overlooked when employees work from home, kind of an out of sight out of mind situation. Ensuring that you have proper security protections in place should be a high priority if a particular employee working from home will become standard.  This would include anti-virus. Ensure that your anti-virus automatically updates if the employee is not or does not connect to your domain. Home offices are now part of your corporate network. Ensure that employees have a high-quality firewall. It is appropriately configured and hardened to secure that access point to the corporate network. Data encryption on laptops, tablets, and mobile devices is key to security protection and should be enabled on any device that may be housing company data in the home office.  Keep family members in mind when you write your policy; other family members may be logging into the same WI-FI network being utilized by your employee. Having family members that share the WI-FI could increase the risk of accidental data loss, sending data to outside sources, viruses, crypto, or ransomware, so encryption of local hard drive could prevent this.

Technology Auditing, there are many good reasons to do a Technology audit on your processes and network, but one of the biggest is security. As part of a comprehensive auditing process would be to test the difficulty of cracking your user’s passwords. The industry is starting to rethink the routine process of changing passwords regularly but leaning towards using phrases that tend to be longer and more challenging to crack. Most importantly, it is easier for the user to remember, which lessens the need to write it down. However, you should still require complex passwords, especially for remote workers; all passwords should be alphanumeric, no less than twelve characters in length, and contain some special characters. Don’t forget to secure the smart devices and cell phones; they must also require passwords and be running anti-virus software to protect that network access point. Having done thousands of Technology Audits, they are a great way to look deeper into the corporate networks and expose areas that might need more attention.

The implementation of two-factor authentication is quickly gaining in popularity. There are many flavors of two-factor authentication, some of which have already become a target for hackers. In some cases, hackers' efforts have been successful and resulted in compromised workstations and corporate servers. In a corporate network, you should be utilizing a two-factor system that sends the user a token and requires an application on your cell phone for an additional layer of confirmation that the phone has not been compromised or ghosted. Two-factor authentications are quickly becoming required by insurance agencies. If you have Cyber Insurance companies starting to raise their prices, you are not utilizing two-factor authentication.

Cloud applications or software as a service is another way to provide a secure and productive work environment for home workers. Cloud-based applications are independent of your corporate network, so there is air space between your network and the application, isolating each network so any security breaches to the breached system.  As full system migrations to the cloud have flattened out, hybrid cloud solutions are increasing in popularity. Hybrid cloud solutions allow for air space within your system, increased security, and lower the spread and infection rate if you are compromised.

Covid-19 has changed the way the corporate world works, and it will be interesting to see how the rubber band effect will affect work from home models in the future.  How many companies will return to the traditional office environment, how many will do away with the office environment in favor of a technology-based office? There are many things to consider in your policy, starting with the social interaction and team feeling that an office environment can help you build. There is the technical aspect, and the protection of intellectual property, data controls, and enforcement of the expected amount of work for the pay employees are receiving. However, when you discuss a work from home policy, these things need to be considered. Security is because there are new viruses, malware, and crypto viruses designed to attack the home user specifically. Hard drive encryption of laptops and mobile devices, two-factor authentication, monitoring, and using a VPN are some of the items that have a plan and a policy to mitigate those risks to your organization is critical.