SOC 2 and Remote Work: Adapting Security Measures for the New Normal
Remote work remains a contested topic. It has pros and cons from many viewpoints, but one aspect that is always a concern is security. Remote work raises concerns among the Information Technology (IT) staff within companies, and those concerns could lead to exceptions in their SOC report. Many security threats can result from remote work. This article discusses four key security threats and how to address them to meet SOC 2 requirements.
Data Breaches
The first threat is data breaches. With remote employees working in various locations, sensitive data is harder to contain. Some remote employees have the ability to work wherever they please; this raises the concern that sensitive data could be leaked to unauthorized individuals. For example, if a remote employee is working at their local coffee shop, anyone could walk by and see their laptop screen or listen in on video calls and gather any sensitive data available. A possible SOC 2 requirement to implement would be a policy that requires remote workers to work in a safe and secure location. This policy could be enforced by an annual signed acknowledgement in which employees confirm they will follow it. Implementing this would be a major step toward keeping sensitive data secured.
Phishing Attacks
The second threat is an increase in phishing attacks. This threat applies not only to remote employees, but also to any employees that have email or messaging apps on their phones. These apps sometimes make it harder to see where an external email or message is coming from. Therefore, if employees mindlessly click on any email or message, malware and cyberattacks become more likely to occur. A possible SOC 2 requirement that could be implemented to minimize phishing attacks would be mandatory annual security awareness training. The training should cover how to spot phishing attacks and the precautions that should be taken by those who have email and messaging apps on their phones. If these security measures are discussed annually with all employees, there is an increased likelihood that many phishing attacks could be prevented.
Unsecured Networks
The third threat is unsecured networks. If a remote worker is working anywhere other than their company’s office, there is a chance that they could connect to networks that are unsecured. When an employee connects to an unsecured network, they are opening themselves up to having their data stolen through unencrypted data transmission, malware, and session hijacking. A possible SOC 2 requirement to decrease the risk of connecting to an unsecured network would be to implement a companywide virtual private network (VPN) and require connection through the VPN to access any company resources. The VPN gives employees access to a secure network when they are working remotely.
Security Controls
The fourth and final threat is a lack of enforced security controls. Since remote work allows employees to work in various locations, it is harder to enforce IT policies; such policies could include making sure that no sensitive data is left out for anyone to see when a desk is unattended, or that employees lock their computer when they get up and walk away from it. Given the uncertainty about whether these and similar policies are being followed, there are two possible SOC 2 requirements that could decrease the chance of a security incident occurring. First, IT teams can install monitoring systems on all of their devices to track whether any suspicious activity is happening on any company machine. Another SOC 2 requirement would be to disable USB access on all devices. This will prevent anyone from taking sensitive data off of a machine that might not be protected while unsupervised.
Hopefully this explanation of four key security threats, how to address them to meet SOC 2 requirements, and the potential security safeguards that prevent incidents from happening will inspire readers to put additional security measures in place. Adding these controls, or similar ones, will strengthen a company’s SOC 2 report or help prepare for one if the company does not have a report yet.
If your entity is interested in obtaining any additional information on SOC reports, or if there are any other questions related to SOC, please contact us. For more information, be sure to visit our System and Organization Controls (SOC) and Cybersecurity service pages, and don’t hesitate to contact Dave Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA with further questions regarding our services.
About the Author

Kaity joined McKonly & Asbury in 2021 and is currently a Supervisor with the firm. She primarily works with clients in the SOC industry and employee benefit plan audits.