I have been thinking about whether there are any risks unique to remote facilities when it comes to a company's IT security design. This could be locations in different cities, near-shoring, off-shoring, etc.
In the article "Bad Communication Can Create Risk", the author lists four risks mitigated by effective communication:
- Increased employee resignations
- Decreased employee productivity
- Overt employee subversion
- Inability to achieve company goals
From an IT security perspective, I will add:
- Back doors
- Data leakage
- Malicious behavior (unintentional or otherwise)
The knowledge of being observed is itself a deterrent to bad behavior. There is the Observer (or Hawthorne) effect, which "refers to changes that the act of observing will make on the phenomenon being observed." Distance or separation from the company could reduce the efficacy of this control, and may embolden a subversive contractor or employee.
Also, with a lack of proximity to the end users, you have no choice but to make assumptions to fill in the gaps during the requirements gathering phase. It is like Jurassic Park, where the geneticists filled gaps in the DNA with frog DNA: we know how that turned out. If the design proceeds on incomplete information, mistakes will undoubtedly be made. Architectural and security decisions should not be based on what is "believed" to be the environment and usage behavior of a distant location. The risk is that you may proceed with a false sense of security because the design and implementation are based on a false set of premises.
There are also language and translation challenges, as well as time zone differences. These factors can add layers of confusion and misinformation, and can be additional challenges to effective security (see the four risks above). Miscommunication could also lead users to unintentionally break security rules because the rules are not fully understood, and because monitoring is not in full effect, the behavior goes unnoticed.
Distance and communication challenges should inform the security design. Assumptions, due to lack of communication or sheer exasperation, should be kept to a minimum. This may require a few trips to the distant location, as well as establishing a mechanism to virtually visit (e.g. WebEx, video conference) the location on a regular basis. The first step to good security is to candidly identify the differences between a remote and home location, and to design accordingly.