If you run a distributed virtual-assistant team, you have already imported the security problem most ops leaders haven't faced yet: people accessing your customer data, your finance tools, and your inbox, on personal devices, in countries with different threat profiles, from networks you don't control. Most companies handle this with a six-page policy nobody reads.
This is the one-page version we install with VA-team clients. It has five rules. They are followed because they are achievable.
Rule 1 — One browser profile, separated from personal
Every VA's first day includes setting up a dedicated browser profile (Chrome, Edge, or Firefox) that is only used for the engagement. No personal accounts, no personal bookmarks, no extensions installed without sign-off.
Why it works: it converts the question "is this safe to install?" from a judgement call into a process. The personal profile is the personal profile. The work profile gets reviewed.
Why ops teams accept it: it takes seven minutes to set up and zero minutes per day to follow.
Rule 2 — A password manager, with one specific configuration
Every VA gets a seat in the team password manager (1Password, Bitwarden, Keeper — pick one). The configuration that matters:
- No credentials shared via Slack, email, or text — ever
- The password manager is set as the only autofill source
- Personal passwords are not allowed in the team vault, even "just for now"
Why it works: 90% of practical credential leaks in distributed teams come from credentials sent in chat that nobody ever deletes. Removing the channel removes the leak.
Rule 3 — Two-factor authentication, on a defined hierarchy
Three tiers:
- Tier 1 — Money or customer data: hardware security key required (one per VA, you buy it). Authenticator app as backup.
- Tier 2 — Operational tools (CRM, project management, file storage): authenticator app required (Authy, Aegis, 1Password's built-in).
- Tier 3 — Everything else: authenticator app preferred, SMS acceptable if no other option.
SMS-only 2FA is not permitted anywhere in Tier 1. The reason is the SIM-swap threat (see our secure SIM guide).
Rule 4 — Device baseline, with a real check
Every VA's device must meet a published baseline before access is granted:
- OS within the last 12 months of updates
- Full-disk encryption on
- Screen lock under 5 minutes
- Antivirus or built-in equivalent (Windows Defender is fine; macOS XProtect is fine)
- No second user account sharing the device
The check is not honour-based. A team lead verifies during onboarding, with a 10-minute screen-share session, and re-verifies quarterly. The 10-minute check is the discipline that makes the rule real.
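To make the quarterly re-verification repeatable, the lead can record what they see in the screen-share as a short report and evaluate it against the baseline mechanically. The script below is an added example, not tooling from the original page; the report fields, the `DeviceReport` name and the sample `dscl` output are assumptions, and the commands named in comments are the ones a lead would typically ask the VA to run.

```python
"""Rule 4 device-baseline evaluator (added example, not the page's own tooling).

The team lead fills in a DeviceReport from what the VA shows during the
10-minute screen-share, and evaluate() returns every baseline failure.
Typical commands the lead asks the VA to run (assumptions, not executed here):
  disk encryption : macOS `fdesetup status`, Windows `Get-BitLockerVolume`
  accounts        : macOS `dscl . -list /Users UniqueID`, Windows `Get-LocalUser`
  antivirus       : Windows `Get-MpComputerStatus`; macOS XProtect is built in
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

MAX_OS_UPDATE_AGE = timedelta(days=365)   # "OS within the last 12 months of updates"
MAX_SCREEN_LOCK_SECONDS = 5 * 60          # "Screen lock under 5 minutes"
MACOS_FIRST_HUMAN_UID = 500               # macOS: UIDs below 500 are system/service accounts


@dataclass
class DeviceReport:
    last_os_update: date                 # date of the most recent OS update shown in update history
    disk_encrypted: bool                 # FileVault / BitLocker / LUKS reported as on
    screen_lock_seconds: Optional[int]   # idle seconds before the lock engages; None = no lock set
    av_enabled: bool                     # Defender / XProtect / other AV reported active
    login_accounts: List[str]            # human login accounts present on the device


def evaluate(report: DeviceReport, today: date) -> List[str]:
    """Return the list of baseline failures; an empty list means the device passes."""
    failures = []
    if today - report.last_os_update > MAX_OS_UPDATE_AGE:
        failures.append(f"OS last updated {report.last_os_update}, older than 12 months")
    if not report.disk_encrypted:
        failures.append("full-disk encryption is off")
    if report.screen_lock_seconds is None or report.screen_lock_seconds >= MAX_SCREEN_LOCK_SECONDS:
        failures.append("screen lock missing or not under 5 minutes")
    if not report.av_enabled:
        failures.append("no antivirus or built-in equivalent enabled")
    if len(report.login_accounts) > 1:
        failures.append("device shared by accounts: " + ", ".join(report.login_accounts))
    return failures


def human_accounts_from_dscl(output: str) -> List[str]:
    """Parse `dscl . -list /Users UniqueID` output ("name  uid" per line) and keep
    human accounts (UID >= 500), so service accounts do not trigger the rule."""
    accounts = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("-").isdigit():
            if int(parts[1]) >= MACOS_FIRST_HUMAN_UID:
                accounts.append(parts[0])
    return accounts


# Constructed sample of dscl output: two service accounts and one human account.
SAMPLE_DSCL = """_spotlight  89
nobody  -2
va  501
"""

if __name__ == "__main__":
    report = DeviceReport(
        last_os_update=date(2024, 1, 10),
        disk_encrypted=True,
        screen_lock_seconds=120,
        av_enabled=True,
        login_accounts=human_accounts_from_dscl(SAMPLE_DSCL),
    )
    problems = evaluate(report, today=date(2024, 6, 1))
    print("PASS" if not problems else "FAIL: " + "; ".join(problems))
```

The evaluator is deliberately separate from any collection commands: the same function scores a Windows or Linux device once the lead has filled in the report, and the printed failure list is what goes into the onboarding or quarterly record.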
This pairs with our first 10 SOPs every business needs — device baseline is one of the 10 if your team is distributed.
Rule 5 — The kill-switch
Every VA's access is consolidated under SSO where possible (Google Workspace SSO, Microsoft, or a dedicated identity provider like Okta or JumpCloud). Where SSO isn't available, the password manager holds the credentials and the team lead can rotate them.
The standard: from a single decision in a single place, a departed VA's access to every tool can be revoked within 30 minutes.
If you cannot do that today, your departure process is the security problem.
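One way to test whether the 30-minute standard is actually reachable is to keep an inventory of every tool each VA can reach and how that access is granted, then ask which entries neither SSO nor the team vault controls. The audit below is an added example, not the page's own tooling; the inventory shape, the mechanism labels and the sample grants are constructed assumptions.

```python
"""Rule 5 kill-switch coverage audit (added example, not the page's own tooling).

Each grant is (va, tool, mechanism). Only two mechanisms can be revoked from
a single place: an SSO account the lead can deactivate, or a credential that
exists only in the team vault and can be rotated there. Anything else is an
access path the departure process cannot close centrally.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

SSO = "sso"        # identity-provider account (Google Workspace, Microsoft, Okta, JumpCloud)
VAULT = "vault"    # credential held only in the team password manager
DIRECT = "direct"  # credential the VA holds outside SSO/vault (e.g. once sent in chat)

Grant = Tuple[str, str, str]


def revocation_gaps(grants: List[Grant]) -> Dict[str, List[str]]:
    """Map each VA to the tools whose access cannot be revoked from SSO or the vault."""
    gaps: Dict[str, List[str]] = defaultdict(list)
    for va, tool, mechanism in grants:
        if mechanism not in (SSO, VAULT):
            gaps[va].append(tool)
    return dict(gaps)


def offboarding_plan(va: str, grants: List[Grant]) -> List[str]:
    """Ordered steps for a departing VA: one SSO deactivation first (it covers every
    SSO-backed tool at once), then one rotation per vault-held credential, then any
    gaps that need manual follow-up and should be moved under SSO or the vault."""
    mine = [g for g in grants if g[0] == va]
    steps: List[str] = []
    sso_tools = [tool for _, tool, m in mine if m == SSO]
    if sso_tools:
        steps.append("deactivate SSO account (revokes: " + ", ".join(sso_tools) + ")")
    for _, tool, m in mine:
        if m == VAULT:
            steps.append(f"rotate vault credential for {tool} and remove the VA's vault seat")
    for _, tool, m in mine:
        if m not in (SSO, VAULT):
            steps.append(f"MANUAL: revoke {tool} by hand, then bring it under SSO or the vault")
    return steps


# Constructed inventory: two VAs, one tool still reached with a directly held password.
SAMPLE_GRANTS: List[Grant] = [
    ("ana", "crm", SSO),
    ("ana", "project-tracker", SSO),
    ("ana", "legacy-shipping-portal", VAULT),
    ("ben", "crm", SSO),
    ("ben", "legacy-shipping-portal", DIRECT),
]

if __name__ == "__main__":
    for va, tools in revocation_gaps(SAMPLE_GRANTS).items():
        print(f"{va}: not centrally revocable -> {', '.join(tools)}")
    for step in offboarding_plan("ben", SAMPLE_GRANTS):
        print(" -", step)
```

Running the audit before anyone leaves is the point: a non-empty gap list means the kill-switch does not exist yet for that VA, and the fix is to move the flagged credential into the vault or behind SSO, not to add a step to the departure checklist.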
What's deliberately not in this policy
Things we removed from longer policies that VA teams stopped following:
- Long device-management software requirements (no VA accepts agent software on their personal device)
- VPN-only access mandates (impractical for global teams; redundant if SSO + 2FA are in place)
- Geographic IP restrictions (false positives kill productivity; the cost outweighs the benefit)
- Annual security training modules with quizzes (nobody remembers them; we do quarterly 15-minute reviews instead)
A policy you actually follow beats a policy that looks comprehensive on the audit checklist. For an operator running a distributed team, the five rules above cover roughly 90% of practical risk for less than 1% of the work.
If you want to staff a distributed VA team under this policy, that's what our Virtual Assistant Services practice does — the policy is part of onboarding, not an afterthought.