Social Security numbers. Bank account information. Customer passwords. Every business needs to protect its most valuable data, and most offices have a common last-resort option: If you close and lock the doors, nobody's going to access your system from the inside by, say, sticking a malicious USB drive into a computer.
With remote workers, keeping your company's data secure is a lot trickier. "When everyone's in an office, it's easy to turn someone's computer off," says Jerry Bennett, founder and CEO of Melbourne, Florida-based consulting firm Privateer IT. "But in a remote workforce, you're dealing with things like HIPAA laws and cybersecurity laws. And you're dealing with people's real lives."
Bennett's six-year-old startup, which ranked No. 295 on this year's Inc. 5000 list of fastest-growing companies in America, has 20 employees. All but one of them work remotely. That presents a challenge for a company that gets paid to advise on cybersecurity issues--and with clients like the U.S. Department of Veterans Affairs and the Defense Intelligence Agency, maintaining data security is especially crucial.
Those concerns aren't restricted to startups working with federal agencies. Mark Loveless, a senior security researcher at San Francisco-based GitLab, says data security is always a work in progress--especially for GitLab, a company that creates tools for software developers and has one of the world's largest all-remote workforces. The nine-year-old company attained a $2.75 billion valuation in September and currently has more than 1,100 employees across 65 countries, which means 65 different sets of cybersecurity laws and compliance regulations.
Despite the ever-changing nature of remote data security, Bennett and Loveless agree that these two best practices can make a huge difference for any startup.
1. Software redundancies
Bennett and Loveless agree: No one tool will ever be a perfect solution. Bennett says Privateer typically has three to five security tools running on each employee's laptop, which feature capabilities like remote access, remote wiping or bricking, and secure channels for communication. His favorite, he notes, is fairly common: Microsoft 365 Enterprise, which has multifactor authentication and the ability to restrict specific users' access to individual files.
Instead of worrying about security on 1,100 employee devices, GitLab devotes its attention to properly restricting access to every individual piece of company data--each of which is stored in the cloud. Loveless's preferred program to enable this: Okta, an identity and access-management tool. He refers to the strategy as "fail-close," enabling multiple layers of protection without burdening users.
Access to each piece of data requires specific access credentials, which Okta automates so employees don't have to constantly reenter passwords. The company also monitors other data access metrics--so, for example, an administrator can be immediately notified if a sensitive piece of data is accessed from an unfamiliar location. Loveless also says that when GitLab last upgraded its security protocols, it kept the old protocols--a more tightly restricted system, with access based on both user credentials and IP address locations--as a "break-the-glass" option to keep the business up and running during emergencies.
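The two controls described above, an alert when sensitive data is accessed from a location the user has never used before, and a fail-closed "break-the-glass" mode that additionally restricts access by source IP address, can be illustrated with a small Python script. This is an added example, not code from GitLab, Okta or Privateer IT; the access-log records, the per-user known locations, the entitlement table and the approved break-glass network (a TEST-NET range) are all constructed here for the demonstration.

```python
from ipaddress import ip_address, ip_network

# --- Constructed sample data (not real users, paths or addresses) ---------
SENSITIVE_RESOURCES = {"payroll/ssn.csv", "finance/bank-accounts.xlsx"}

# Locations (country-region) each user has been seen accessing data from.
KNOWN_LOCATIONS = {
    "alice": {"US-FL"},
    "bob": {"DE-BE", "DE-HH"},
}

# Which users are entitled to which individual resources.
ENTITLEMENTS = {
    "alice": {"payroll/ssn.csv"},
    "bob": {"finance/bank-accounts.xlsx", "docs/readme.md"},
}

# Networks allowed during break-glass mode (TEST-NET-3, constructed).
BREAK_GLASS_NETWORKS = [ip_network("203.0.113.0/24")]

ACCESS_LOG = [
    {"user": "alice", "resource": "payroll/ssn.csv", "geo": "US-FL",
     "ip": "203.0.113.10", "session_valid": True},
    {"user": "alice", "resource": "payroll/ssn.csv", "geo": "RO-B",
     "ip": "198.51.100.7", "session_valid": True},
    {"user": "bob", "resource": "docs/readme.md", "geo": "FR-IDF",
     "ip": "198.51.100.9", "session_valid": True},
    {"user": "bob", "resource": "finance/bank-accounts.xlsx", "geo": "DE-HH",
     "ip": "203.0.113.22", "session_valid": True},
    {"user": "carol", "resource": "finance/bank-accounts.xlsx", "geo": "US-CA",
     "ip": "203.0.113.40", "session_valid": True},
]


def unfamiliar_sensitive_access(events, known_locations, sensitive):
    """Return (user, resource, geo) for every access to a sensitive resource
    from a location not in that user's known set. A user with no recorded
    locations at all is treated as unfamiliar everywhere."""
    alerts = []
    for event in events:
        if event["resource"] not in sensitive:
            continue
        baseline = known_locations.get(event["user"], set())
        if event["geo"] not in baseline:
            alerts.append((event["user"], event["resource"], event["geo"]))
    return alerts


def authorize(event, entitlements, allowed_networks, break_glass=False):
    """Fail-closed access decision. Any missing or malformed attribute denies,
    as does a missing identity session or a missing entitlement. In
    break-glass mode the source IP must also fall inside an approved network.
    Returns (allowed: bool, reason: str)."""
    try:
        user = event["user"]
        resource = event["resource"]
        source_ip = ip_address(event["ip"])
        session_valid = bool(event["session_valid"])
    except (KeyError, ValueError):
        return (False, "missing or malformed attribute")
    if not session_valid:
        return (False, "no valid identity session")
    if resource not in entitlements.get(user, set()):
        return (False, "user not entitled to resource")
    if break_glass and not any(source_ip in net for net in allowed_networks):
        return (False, "break-glass mode: source IP outside approved networks")
    return (True, "allowed")


if __name__ == "__main__":
    for alert in unfamiliar_sensitive_access(
            ACCESS_LOG, KNOWN_LOCATIONS, SENSITIVE_RESOURCES):
        print("ALERT unfamiliar location:", alert)
    for event in ACCESS_LOG:
        normal = authorize(event, ENTITLEMENTS, BREAK_GLASS_NETWORKS)
        emergency = authorize(event, ENTITLEMENTS, BREAK_GLASS_NETWORKS,
                              break_glass=True)
        print(event["user"], event["resource"], "normal:", normal,
              "break-glass:", emergency)
```

The two functions are deliberately separate: the alert is a detection control that runs over logs after the fact, while `authorize` is the preventive control on the request path. Denying on any missing attribute is what makes the decision fail closed; a check that could not be evaluated never turns into an allow.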
2. Employee training
The human element can undermine even the world's strongest security systems. Bennett says he's constantly training his employees, which includes a monthly all-hands conference call dedicated specifically to maintaining data security. His company policy: If anything ever smells fishy, for any reason, contact him and wait for a response before proceeding.
Not all CEOs are security experts, so Bennett recommends hiring one. "You don't need to hire someone full-time to do it," he says. "Find someone you have vetted, that you trust, that you can pick up the phone and call. And they're the smart person that goes and solves the problem."
GitLab loads most of its data security training into its onboarding process, which is heavily documented in the company's sprawling (and publicly available) employee handbook. The goal is for new workers to internalize best practices at their own pace, and each potential change to those protocols is measured by a simple litmus test: Will the increased security be worth the additional hassle to employees?
The company also works to educate employees on new protocols by holding regular company-wide meetings, which Loveless says are "thoroughly documented" for anyone who misses. "As an all-remote company, we try to really be accommodating of users and team members," he says. "We try not to make it a dictatorship--you must do this, you must do that. We try to give them choices."