Forget the fancy security software. Forget the enterprise-grade solutions. Forget the complicated compliance frameworks.
Start with two ideas. Build everything else around them.
First: follow the actual data privacy rules that apply to you.
If your Filipino VA touches any personal information (customer emails, payment details, employee records), you’re bound by the Philippine Data Privacy Act.
Second: give people exactly what they need, when they need it, through tools that let you control access.
No lifetime permissions. No shared master passwords. No “just email me everything” setups.
That’s it. Those two pillars.
Everything else I’m about to tell you supports one of those two ideas.
Track Work Hours, Not Their Laptops
Simple clock in/out system shows you when work happens. Skip the device security headaches entirely.
Not All Files Need the Same Protection
Big mistake people make: treating every file like it’s nuclear launch codes.
Or the opposite: treating everything casually.
Neither works.
You need three mental categories:
Personal data – anything that identifies real people. Customer names, email addresses, payment info, ID documents. This triggers all the legal requirements. Needs encrypted storage, access logs, careful handling.
Business confidential – financial records, strategic plans, proprietary processes, unreleased content. Might not trigger legal requirements but losing it would hurt your business.
General working files – published blog posts, public marketing materials, industry information everyone already has. Basic security, nothing special.
Before you share anything with a VA, ask yourself which bucket it falls into.
Takes five seconds. Prevents months of headaches.
How to Actually Share Files
You need business-grade cloud storage with accounts you control.
Google Workspace. Microsoft 365. Dropbox Business.
Not personal Gmail. Not consumer Dropbox. Not “just email it to me.”
Here’s why:
When your VA uses an account you created, you can see what they’re doing. You can revoke access instantly. You can enforce security policies. You can get files back if something happens.
When they use their personal account and you share files to it, you’ve lost all control.
You can’t see anything. Can’t enforce anything. Can’t even be sure files got deleted when the project ended.
Share folders, not credentials.
This is huge.
Create a folder called “Customer Support – VA Access” or “Social Media Assets – VA Access.”
Give your VA access to that specific folder. Not your entire drive. Not your email. Not your password manager.
Just the folder they need.
Make access expire.
Most platforms let you set expiration dates on shared folders. Use this.
When a project ends, access ends automatically. You don’t have to remember to revoke anything.
Turn off downloading for sensitive stuff.
Google Docs lets you share files as “view only” or “comment only.” No downloading. No making copies.
This won’t stop a determined thief. But it prevents accidents and casual over-sharing.
Never share via email attachments or USB drives.
Once you send a file by email, you’ve lost it. No way to revoke access. No way to track what happened to it. No way to know if it got forwarded somewhere.
Device Security for Filipino VAs
Your VA’s laptop is probably their personal device.
They might share it with family members. They might use it at coffee shops on public WiFi. They might not have automatic updates turned on.
You can’t control everything about their device. But you can set minimum requirements.
Updated operating system and antivirus.
Windows updates. MacOS updates. Whatever antivirus software is reputable in the Philippines.
This isn’t complicated. Just make it a requirement before you share files.
Full disk encryption.
If the laptop gets stolen, encryption means nobody can access the files on it.
Windows has BitLocker built in. Macs have FileVault. Both take one click to enable.
Make this mandatory for any VA who downloads files locally.
Strong WiFi security at home.
Public WiFi at coffee shops is risky. Can’t always avoid it.
But home WiFi should be secured with WPA2 or WPA3 and a strong password. Not the default password that came with the router.
No sharing work accounts or devices with family.
Your VA’s kids don’t need access to your client files.
Work account stays on the work profile. Work files stay in work folders. Simple boundary.
VPN for public WiFi.
If your VA works from coffee shops or coworking spaces regularly, get them a VPN subscription.
Encrypts the internet connection. Prevents snooping on public networks.
Costs maybe $5/month. Worth it.
Offboarding Without the Drama
Project ends. VA relationship ends. Time to close access.
Most employers forget this part.
VAs sit there with access to old client files for months or years. Not because anyone meant harm. Just because nobody remembered to revoke it.
Revoke all access immediately.
Google Workspace lets you suspend an account with one click. Instant logout from everything.
Do this the day the engagement ends. Not next week when you remember.
Confirm deletion of local copies.
Your VA probably downloaded some files during the project. That’s normal.
Before you close things out, confirm they’ve deleted all local copies from their computer and any backup drives.
Some employers ask for a simple email confirmation. Others require a signed statement. Up to you.
Remove from communication channels.
Slack. Email lists. Shared calendars. Project management tools.
These are easy to forget. Make a checklist.
Keep documentation.
Contract. Data processing agreement. Access logs showing when you revoked permissions. Deletion confirmation.
Keep this for at least a year. Maybe longer if you’re in a regulated industry.
What Your VA Actually Needs to Know
Here’s what I tell VAs when they start handling files:
You’re responsible for keeping this stuff secure.
Not complicated security. Basic stuff.
Use a password-protected, encrypted laptop for work. Keep it updated. Run antivirus.
Don’t share your work account with anyone. Not family, not friends, not other clients.
Don’t work on public computers. Library computers, internet cafes, shared workstations. Never.
If something goes wrong, tell me immediately. Lost laptop, suspicious email, accidental mis-share. Report first, fix later.
When the project ends, delete everything. Local copies, downloads, drafts. Everything.
That’s it. Not a 50-page security manual. Just basic hygiene.
Most VAs appreciate the clarity. They want to do things right. They just need to know what “right” means.
Track Work Hours, Not Their Laptop
Simple clock in/out system shows you when work happens. Skip the device security headaches entirely.
Making This Actually Happen
Choose your cloud platform. Set up the folder structure. Create role-based permissions. Write your one-page policy document. Add the security clauses to your VA contract.
Done.
After that, it’s just habit.
New VA starts? Create their account, assign their role, send them the policy document.
Project ends? Revoke access, confirm deletion, document it.
Something goes wrong? Follow your incident plan.
The hard part isn’t the security. The hard part is remembering to do it consistently.
That’s why simple systems work better than complicated ones.
And that’s why building security into your tools beats trying to enforce it..
Not fancy. Just effective.