As recently as just a few years ago, “working remotely” was uncommon. While some people have been doing it for a long time (decades, actually), it was by far the exception.

Since Covid, of course, all that has changed.

Today, a common question from a friend or colleague is, “How often do you go into the office?” It seems that remote work is everywhere and here to stay.

From a security perspective, remote work raises a number of questions and concerns. They are manageable, but they need to be carefully considered and administered to ensure that your data and your customers’ data are protected.

That means that each organization needs to decide what degree of “remote” it will allow and what kinds of restrictions it will put in place as a result.

In practice, there is a tremendous amount of variation. However, in our experience with clients, companies tend to land in one of three categories, each of which has its own risk/benefit tradeoffs…

#1. On-Site Access

In this case, access is restricted to those who are physically sitting inside a company office — i.e., they are directly connected to the network.

At first glance, this may not seem “remote” at all, since if you are in the office you are not working from some other location. However, given that the vast majority of businesses store some data in the cloud (recommended), these days, all work is remote work (at least in part).

This is the most controlled environment (a positive), but also the most restrictive in terms of employee flexibility (a negative).

#2. Conditional Access

Here, employees are permitted to access the company network from any location… with specific exceptions.

For example, we have a client whose policy is that if you visit Russia, China, or any other location where known bad actors operate,you must use a secondary computer, phone, and tablet (none of which have access to the company network). When you return, their policy is that those devices much be completely wiped and reimaged — it’s assumed they will have been compromised.

Other companies impose conditions based not on your physicallocation, but on what you want to access and how. For example, another client lets employees access email and a specified subset of other things from any computer… but they can only access everythingfrom a company-managed device.

Conditional access imposes fewer restrictions than #1, but opens the door a bit wider for bad things to occur.

#3. Anywhere, Any Way, Any Time

This is the other end of the spectrum: employees have full access from any device, regardless of location.

This doesn’t mean that controls such as multifactor authentication, anti-virus and anti-malware protection, regular patching and updates, etc., are not required. But it’s certainly the least restrictive of the three as it removes many of the controls that are inherent in the other options.

Which Approach is Best?

As with so many cybersecurity questions, the answer is, “It depends.”

What business are you in?

A bank and a bakery have different security needs. Further, different industries have different degrees of legal, regulatory, and customer data requirements, much of which dictates where you fall on the remote access spectrum and the controls you must put in place.

What is your risk tolerance?

Even a company lacking in high value digital assets (like a bakery) can be negatively impacted by things like malware, ransomware, or a virus. So some of the decision comes down to how comfortable the individual business owner is in trading off security against flexibility.

How do you prefer to operate?

We have a client that requires staff to use a VPN connection for remote access, ensuring that all traffic goes over a secure link. This is safer than less restrictive alternatives, but it’s more expensive, introduces elements that could break, and has the potential to affect speed.

We also have clients that require all work be done on computers provided by the company (our recommendation, too). This ensures a uniform approach to both security and device maintenance.

In these cases and others like them, the “right” decision depends on personal preference as much as anything else.

Everything is a Tradeoff

Security is not free and what’s perfectly fine for one company may not be a good fit for another.

The one thing that does apply across the board is that when it comes to remote access, the rules of the road should be established deliberately. Each company needs to make clear-eyed and consistent decisions regarding what works best given its set of needs, circumstances, and preferences.