In a globally distributed company, sensitive information can move through places and tools that were never designed around company privacy policies. Conversations you’d want held in reserved conference rooms can happen in spare bedrooms, co-working spaces or coffee shops. No one may intend to create risk, but inevitably they do.
A lot of that risk isn’t even connected to misconduct. It’s just people looking for convenience, speed and small shortcuts. Remote and hybrid work extends all of those risks to new devices, conversations, networks, vendor tools, personal accounts, access points, and now, AI systems.
Leadership teams need to answer one question plainly: Do company privacy practices match how people work every day?
The network perimeter is gone for data privacy
The old office model gave companies a lot more control. Everything existed in a physical and digital container that had clearer points of entry and exit.
But today’s distributed work tore the roof off, knocked out the windows and doors, and lit the network containers on fire.
Home Wi-Fi, public networks, co-working spaces and personal devices can now function as part of the company’s environment. And the concerns around that are growing, especially as the federal government points to popular consumer networking equipment as a national security risk.
Founders and HR executives need to get ahead of that exposure by first defining what sensitive work is, where it can happen and whose devices can access company systems. It’s also worth noting that there are plenty of ready-made templates for companies to adopt. The process of doing so is a lot easier when done earlier.
Physical space as a privacy control
Data privacy standards can fail without a breach, hack or malicious employee.
A visible screen can expose compensation details. A Slack notification can reveal an internal investigation. A printed document can sit in a home office tray or make its way into a kid’s art project. A sensitive call can carry through a co-working booth wall.
Homes include people outside the company. Family members, roommates, children, guests and service workers may pass through the same room where an employee reviews applicant notes, client records, accommodation details or performance documentation.
Co-working spaces create even more exposure. Competitors, vendors, applicants, customers and strangers may be close enough to see a screen or hear a call. A booth that looks private may carry sound.
HR teams have to treat physical space as a privacy control. Personnel files, compensation records, investigation notes, performance reviews, accommodation details and hiring conversations need handling rules that match their sensitivity.
Sensitive work belongs in controlled spaces, on approved devices, with limited screen visibility and limited audio exposure.
Data sprawl creates added exposure
Privacy risk often grows after data leaves the system where it belongs.
A customer record inside a CRM may have strong permissions and audit logs. The same record becomes harder to protect once someone exports it to a spreadsheet, saves it locally, uploads it to a personal drive, forwards it to a private email account, screenshots it or pastes it into a chat thread.
There’s the old web meme showing the 90-degree turns of a planned sidewalk, and the sloping dirt path that follows the human desire for shortcuts. The same thing happens a lot at work, as employees build their own tool stack away from the known corporate one.
The actual tool stack may include personal Google Drive folders, Dropbox links, iCloud storage, browser extensions, informal Slack threads, free PDF tools, old downloads, AI chat tools and one-off spreadsheets.
Privacy controls need to be usable. When approved tools are slow, confusing or too restrictive, employees create workarounds. The workaround becomes the risk.
Leaders should audit where data actually goes. The approved software list helps, but conversations with employees about what they use, how they use it and why are likely to surface more meaningful insights.
HR processes control access
Access management often gets assigned to IT. In distributed companies, HR has equal influence.
Hiring, onboarding, role changes, contractor changes, leaves of absence and terminations all affect access. Employees may keep permissions after moving roles. Contractors may have broader access than their work requires. Former employees may retain access through shared drives, SaaS accounts, calendars, email aliases, password managers or group credentials.
HR can also be educated to spot concerning gaps, like when someone moves to a region with greater cybersecurity risks or if a team member has a disruption at home that requires a change to a public workspace.
Having an IT-educated and empowered HR team helps close those gaps and ensures yellow flags are raised before red flags go up.
AI tools need rules
AI tools are also now part of daily work. Employees use them to summarize calls, draft emails, review resumes, rewrite feedback, analyze spreadsheets and prepare client communications. They also tend to be favorite playthings for productivity hacks.
And because of that, sensitive data can sneak into third-party systems quite quickly.
One good approach to AI is to treat it like a new hire. Where does it live? What’s its experience? Can you get a background check done? Is there a way to test its capabilities in a siloed environment?
A useful AI policy should name approved tools, define restricted data and give examples that employees will recognize.
What leaders should do next
Start with your work environments. Define which types of work can happen from home, co-working spaces, public locations and while traveling. Educate your team on areas that are more sensitive and need more diligence.
Require managed devices for sensitive systems. Use MFA, SSO, password managers, endpoint management and VPNs where appropriate. Restrict local downloads where possible.
Create specific rules for AI tools, transcription tools, file-sharing tools, file conversion sites, browser extensions and personal storage accounts. Come up with plans for “hiring” and “onboarding” AIs. And for firing them.
Build access reviews into HR workflows. Train managers separately because they handle more sensitive information and make more daily privacy decisions.
Then audit actual behavior. Look at the tools employees use, where files are stored, how access is granted and where sensitive work happens.
Distributed work can be run responsibly. Privacy practices need to match the places, tools, and habits where work now happens.