How Secure Are Your Policies for Out-of-Office Work?
This article was updated on July 26, 2018.
With the rapid pace of changing technology impacting work habits, clear policies for out-of-office work are essential. With the need to secure both information and resources, HR leaders must ensure there is a robust system in place to protect the organization while supporting employees' needs.
These policies should educate and guide your workforce toward an understanding of what constitutes appropriate and secure behavior while working outside the office.
When implementing remote work access policies, prime consideration should be given to the security measures expected of employees while using employer-provided equipment as well as the rules for accessing email or secure remote work connections.
To begin, a register should be compiled with the names of those pre-approved to remotely access information, with policy acknowledgment as a prerequisite. Employees should be instructed to consistently log out of their remote connection, and a timeout tool should be installed to log out idle connections. Audits should be regularly completed on this system and abnormal behavior addressed promptly, with known consequences for repeat offenders.
Health care organizations, such as UCLA Health, for example, have additional layers of security that must be enforced. Their systems contain private health information, and unsecured access may compromise the security of outside parties. Understanding this, UCLA Health added several layers of additional language into their policy to protect the organization, the employees and patients.
Access to mobile devices has changed the way we work. Employees are sometimes working at all hours of the day. Although it's seemingly wonderful to have devoted employees working around-the-clock, it raises the question of whether these efforts are considered part and parcel of an employee's working day or whether additional compensation should be provided. An occasional email is normally acceptable, but regular interruptions are not as clear cut.
SHRM conducted research that showed that only 21 percent of those surveyed had a written policy for work after hours. But any organization without policies for out-of-office work does so at their own risk. For example, according to an article on Law360, a police officer has filed suit against the Chicago Police Department claiming he received so many emails on his police-issued Blackberry while not officially at work that he should be due overtime pay.
According to Gigaom Research, the French and Germans are stricter on this issue, with labor agreements for some sectors dictating an obligation to disconnect communication tools and some companies, such as BMW, Volkswagen and Deutsche Telekom, banning after-hours calls and emails to workers entirely.
Another highly contentious and fluctuating issue is the use of social media. Although not strictly limited to out-of-office behavior, employees should understand, via a signed policy, that it is an offense to communicate any confidential information, trade secrets or anything defamatory or copyrighted.
Furthermore, employees should be made aware that the organization has the right to monitor social media activity made from workplace computers and work-issued smartphones.
Know the Law
Vigilant awareness of recent National Labor Relations Board activity addressing employee social media use is advisable, especially as the board continues to review the varied cases related to social media policies and disciplinary actions taken.
One of the biggest challenges your organization will face is the blurred lines between employee work and home life and the impact this has on securing organizational information. Transparent and formalized policies for both employer and employee are necessary to avoid potential exposure for either party. These policies should still reflect the organization's culture but also install a framework that enables trust and flexibility, ultimately leading to increased workplace productivity and security.