Remote Work as a Business Strategy
Strategic management or business strategy is the development and implementation of the key objectives set by the organization’s top management. Organizations may formulate various objectives depending on what they aim and plan to achieve in a certain period of time. Some of the essential actions that are required to implement a business strategy involve specifying the organization’s objectives, allocating available resources, and taking into consideration the location and industry in order to comply with applicable laws and regulations.
The current pandemic has shown that business strategies cannot be fixed; therefore, organizations should plan and prepare for unexpected events in order to prevent and manage natural or man-made disasters. One effective business strategy during this period is the practice of remote work, especially for organizations that provide services.
Remote work is a working practice that allows employees to work outside the organization’s premises and facilities. Organizations may deploy remote work as a permanent or temporary practice depending on their needs and external/internal factors.
While remote work is a legitimate way to keep the business running amid an emergency, abruptly permitting remote work with no strategy won’t have the same positive results. Remote work is an effective strategy in that it ensures business continuity during unexpected events. According to ISO 22301, a requirements standard on business continuity, business continuity refers to “the capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption”.
Business continuity is the ongoing preparation of top management and relevant stakeholders to take the necessary measures to identify the impact of potential losses and prepare strategies and plans. In order to manage an organization during a disruption, top management should create, document and maintain a business continuity plan.
According to ISO 22301, a business continuity plan is “a documented information that guides organization to respond to disruption and resume, recover, and restore the delivery of products and services consistent with its business continuity objectives”. The business continuity plan requires organizations to determine the needs and expectations of stakeholders and to determine opportunities in order to achieve continual improvement. As remote work allows organizations to continue their operations in the midst of a crisis, organizations may see remote work as an opportunity for continual improvement.
Organizations deploying remote work as a practice must prepare all resources, manage the remote work, and implement appropriate security measures. Remote work requires restructuring at an operational level. The recent pandemic has demonstrated that organizations may have to suspend daily operations and require all employees to work from home for an undefined period.
Some of the challenges for organizations in managing the shift of operations from office to home include, but are not limited to, asset management, security infrastructure, and legal implications. Therefore, in order to establish and implement a remote work strategy, organizations and remote workers should consider the security and technical implications of the new work environment. An effective strategy rests on three main pillars: processes and policies, tools and technologies, and cloud services.
A starting point in developing an overall business continuity plan is the implementation of policies. According to ISO/IEC 27000:2018, the term policy refers to the “intentions and direction of an organization, as formally expressed by its top management”. Hence, policies outline an organization’s intentions on a specified subject area as conveyed by top management. In addition to policies, procedures describe the specific way of carrying out a process. Thus, procedures represent a series of actions conducted toward achieving the organization’s goal.
Some of the biggest security liabilities are caused by employees, even if they don’t act deliberately. Policies for remote work security will help organizations combine the benefits of employee productivity, reduced costs, and avoidance of security risks. A secure and safe remote work environment is enabled through the establishment and implementation of information security policies and procedures. Information security policies cover all security areas of an organization, such as physical security, operations security, network security, and other specific areas. As the CIA principles (confidentiality, integrity, and availability) are the main objectives of information security, policies and procedures should be established to encompass these objectives.
Information security policies are created and implemented to meet an organization’s needs and legislative, regulatory, or standards’ requirements. For remote work, it is usually crucial to include some key elements in the policy, such as the scope and purpose of remote work, the authorization for working remotely, the provision to use specific devices and services, and the information that can be accessed. Additionally, organizations should inform remote workers about the controls that should be applied, the way devices should be used, and the rules for protecting information while working remotely.
Additional elements such as absence or sick leave, health, safety, legislation, compensation, and benefits can be part of the policies for remote work as well. Effective remote working policies and procedures assure the organization and its management that its information (e.g., confidential information, personal data, intellectual property, and so on) and information systems are protected from virus infections, compromises (unintentional or otherwise), copyright infringements, and other potential threats.
In order to prevent risks related to the organizational use of devices, a policy for operations of business continuity, named Bring Your Own Device (BYOD), can be created. A BYOD policy is a set of rules that allows remote workers to use personal devices to access organizational IT assets.
To implement a proper BYOD policy, the organization should conduct a series of actions. Some of them include:
- Evaluate risks and benefits of BYOD through a risk management process
- Decide which remote workers are allowed to use their personal assets
- Define BYOD rules of permitted and banned devices
- Create and communicate a sound policy based on risk assessment
- Provide ongoing financial and technical support
- Establish a process to remove access to all user accounts of an employee’s personal device(s) upon the termination of the employment contract
The fact that remote workers do not operate in the organization’s offices does not mean that there should be no investment in resources (usually tech-related resources). Organizations should provide resources for them just as they do for on-location employees. In this regard, it is crucial to provide the right technical resources for remote workers.
Organizations establishing remote work as a business strategy should consider the tools and technologies on which their operations will rely. Without the operational resources, organizations might fail to reach milestones set by top management. There are two ways in which remote workers can work with resources. One way is to take the assets from the organization, and the other is to allow employees to use their own resources (BYOD). In terms of security, the first option gives the organization more control over the use of the devices, but it comes with the cost of administering their distribution and use. The second option, by contrast, offers a lower financial cost of purchasing new equipment when hiring a new employee.
Depending on their roles and responsibilities, remote workers mainly need proper hardware and software tools. Some of the essential tools for remote workers are tools for team communication, meetings and presentations, writing and editing, file sharing, design and development, and more.
Nevertheless, given limited resources, the organization should conduct a cost-benefit analysis to assess its business needs and resources. The need for tools and technologies may depend on the organization’s size and the complexity of its operations; however, communication and security tools are some of the key aspects of remote work.
Effective communication is key for organizations that have remote workers or teams. The ability to communicate and collaborate remotely is essential for a remote working strategy. There are many software tools and other platforms that enable reliable, secure, and timely communication and collaboration in projects. Considering the continuous advancements of technology, various communication channels allow different stakeholders to connect, share, and exchange information. Organizations should choose the appropriate communication channels to communicate and share information effectively with remote workers, including:
- Remote access – Enables employees to access the organization’s servers.
- File sharing and remote cloud storage software – Enables employees to store, transfer, and share data.
- Communication software – Video conferencing, VoIP calls, and instant messaging.
- Project management software – Platforms for goal setting, task tracking, deadline management, and more.
Also, organizations should guide employees to use only the tools and technologies authorized by management. With the rise of cyber attackers, some of the channels may be used to compromise the data of the organizational network. As phishing emails are one of the most common cyberattacks during this pandemic, users should be very careful with emails that seem suspicious.
Remote workers need secure tools and technologies to access organizational information and information systems. Therefore, organizations should provide the software tools needed for the protection of information, such as:
- Virtual Private Network (VPN). A VPN is used to establish a secured network over a public internet connection.
- Antivirus. Antivirus is a utility program that protects computer programs from malware by analyzing files against a list of signature files or virus definitions.
- Anti-malware. Anti-malware is a utility program that is designed to protect a computer program from one or more types of malware by running checks against definitions.
- Firewall. A firewall is a system that is designed to prevent unauthorized access to a private network by filtering the information that comes in from the internet.
Additionally, some other important security tools and technologies are intrusion detection and prevention systems, encryption software, and mobile device management. The organization may choose which tools and technologies best fit its needs.
Organizations have to provide platforms to ensure the continuity of business and enable cooperation between remote workers. Cloud computing is an IT service provisioned by a cloud computing provider to access specific applications, files, or other software services in order to store and back up information. Cloud solutions are compatible with most browsers and give remote workers easy access to mobile applications. Organizations practicing remote work use cloud services to ensure:
- Flexibility. Cloud computing enables remote workers to work in any location.
- Security. Encryption of files restricts access by unauthorized entities.
- Scalability. Provides access to an organization regardless of the number of staff.
Some of the considerations to make when deciding on a cloud platform are folder syncing capabilities, security, privacy, and cost. Some of the best platforms that are widely used by different organizations are:
- Dropbox – It allows file sharing and file syncing with different storage capacity options.
- Google Drive – In addition to the services Dropbox offers, it also allows users to work seamlessly with Google’s office tools.
- Sync.com – Besides file sharing and file syncing, it also follows a zero-knowledge policy.
Training Development Manager, TRECCERT
Don Agaj is a Training Developer at TRECCERT, who develops content for training and blog posts mainly in remote work, information security and cybersecurity. He combines his interest in cybersecurity with the TRECCERT vision to create engaging content and share insights on recent frameworks and methodologies.