Managing Sensitive Data When Employees Are Remote

In August, a Nashville man was indicted for running a "laptop farm." He allegedly convinced companies to hire him as a remote worker but instead of doing the work, downloaded and installed software on company computers that granted access to foreign bad actors posing as workers, breaching company security and funneling money abroad. This may sound like an outlandish story, but easy access to AI-generated audio and video heighten the risk of employee impersonation. Ways for companies to protect against employee impersonation: Before hiring: • Running background checks (and following state/local notice and disclosure requirements) • Vetting educational and employment background • Using secure methods for checking identity and work authorization. Especially for sensitive roles that are fully remote, consider flying the candidate out to meet in person or hiring a vendor who can vet their identity in person. • Requiring employees to sign robust confidentiality agreements During employment • Working with IT/InfoSec to develop best practices for securing company data • Monitoring employee login patterns and downloads • Developing protocols for exchanging money and sensitive information (for example, requiring multiple points of verification) • Even if you don’t regularly work on video, doing this occasionally. • Training managers to keep an eye out for suspicious activity After employment • Reminding employees of their confidentiality obligations • Securing company data immediately upon separation and monitoring use when employees give notice of resignation • Reviewing hardware that is returned and properly wipe equipment What else?

𝐀𝐜𝐡𝐢𝐞𝐯𝐢𝐧𝐠 𝐒𝐎𝐂2 𝐚𝐧𝐝 𝐇𝐢𝐓𝐫𝐮𝐬𝐭 𝐂𝐨𝐦𝐩𝐥𝐢𝐚𝐧𝐜𝐞 𝐟𝐨𝐫 𝐑𝐞𝐦𝐨𝐭𝐞 𝐎𝐟𝐟𝐢𝐜𝐞𝐬 In today's rapidly evolving business landscape, remote work has become the norm rather than the exception. Ensuring compliance for remote offices presents unique challenges, but it's a journey I've navigated successfully for multiple companies. Here’s how I’ve helped companies with remote offices achieve SOC2 and HiTrust compliance: 1. 𝐑𝐨𝐛𝐮𝐬𝐭 𝐏𝐨𝐥𝐢𝐜𝐢𝐞𝐬 𝐚𝐧𝐝 𝐏𝐫𝐨𝐜𝐞𝐝𝐮𝐫𝐞𝐬:    - Developed comprehensive policies and procedures tailored to remote environments, ensuring they are as stringent and effective as those in traditional office settings. 2. 𝐀𝐝𝐯𝐚𝐧𝐜𝐞𝐝 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐌𝐞𝐚𝐬𝐮𝐫𝐞𝐬:    - Implemented advanced security measures, including VPNs, encrypted communications, and endpoint protection, to safeguard sensitive data accessed remotely. 3. 𝐑𝐞𝐠𝐮𝐥𝐚𝐫 𝐀𝐮𝐝𝐢𝐭𝐬 𝐚𝐧𝐝 𝐀𝐬𝐬𝐞𝐬𝐬𝐦𝐞𝐧𝐭𝐬:    - Conducted regular internal audits and assessments to ensure ongoing compliance and identify any vulnerabilities specific to remote operations. 4. 𝐄𝐦𝐩𝐥𝐨𝐲𝐞𝐞 𝐓𝐫𝐚𝐢𝐧𝐢𝐧𝐠 𝐚𝐧𝐝 𝐀𝐰𝐚𝐫𝐞𝐧𝐞𝐬𝐬:    - Launched continuous training programs to educate remote employees on compliance requirements and best practices, fostering a culture of security and vigilance. 5. 𝐑𝐞𝐦𝐨𝐭𝐞 𝐌𝐨𝐧𝐢𝐭𝐨𝐫𝐢𝐧𝐠 𝐚𝐧𝐝 𝐈𝐧𝐜𝐢𝐝𝐞𝐧𝐭 𝐑𝐞𝐬𝐩𝐨𝐧𝐬𝐞:    - Established remote monitoring systems and incident response plans to quickly detect and address any security incidents, minimizing potential risks. Helping companies adapt to the new normal while maintaining the highest standards of security and compliance has been incredibly rewarding. If you're navigating the complexities of #SOC2 and #HiTrust compliance in a remote work setting, let's connect and discuss how we can achieve your compliance goals together. #SOC2 #HiTrust #RemoteWork #Compliance #DataSecurity #Infosec #CyberSecurity #RemoteOffices

When I first started working with a remote team, I realized that I needed to have a loss-prevention mindset. I couldn't afford to wait for something to go wrong. If confidential info were leaked or there was unauthorized access to your company's financial data, the consequences could be catastrophic. Trust would be eroded clients might leave, and  the financial loss could set you back months or years. I didn't wait for this to happen to me, and neither should you. I never want a situation where there's even a sliver of doubt because I don't want the added stress to distract me from my vision. So, it's important to plug in the holes before they become sinkholes. Here's what you can do: Secure Access ‣ Implement multi-factor authentication (MFA) for logins and regularly review and update access permissions. Regular Reviews ‣ Employees leaving the team or changing roles should have their access revoked or adjusted accordingly. Confidentiality Agreements ‣ Have all team members sign confidentiality agreements (NDAs). Open Communication ‣ Regularly discuss the importance of data security with your team. Data Encryption ‣ Encrypt sensitive data both in transit and at rest. Backup Systems ‣ Implement backup systems for your data. Education and Training ‣ Phishing scams and social engineering attacks constantly evolve, so keep your team informed. Create an access repository sheet ‣ This document should list all authorized users, their access levels, and the specific systems they can access. Take proactive steps now to protect your business before it's too late. Helpful?  ♻️Please share to help others. 🔎Follow Michael Shen for more.