Written by Elannie Damianos
As the push to return to the office gathers pace, it is evident that the workplace has changed forever. Companies that were slow to change their internal processes have started to implement policies to make a hybrid work from home and office achievable. In a survey by Gartner, 82% of company leaders plan to allow employees to work remotely some of the time. This view has matched the expectations of employees. According to a recent survey by McKinsey & Company, 50% of employees would like a hybrid workplace model at least three days per week.
Cybercriminals are improving their capabilities to take advantage of the public’s concerns about COVID-19. According to research by Forcepoint, cyber-attackers sent more than 1.5 million malicious emails per day related to the pandemic over a three-month period last year.
Last year, 61% of malware directed at organizations targeted remote employees via cloud apps. Since the onset of the pandemic, about 30% of organizations have reported a spike in cyber-attack attempts.
In a world of increasingly hybrid workplace environments, it’s vital for organizations to step back and take a closer look at the security processes and infrastructure that support their remote workforces.
Managing remote workers creates several critical challenges for any organization, especially for professional and financial services firms, where protecting client data and sensitive commercial information is paramount. The stakes are high, and getting this wrong may result in costly litigation, reputational damage, and fines from regulators.
Here are some points to consider:
While most businesses have secure internet connections in the office, many will now find themselves with employees logging on from home via personal, unsecured wi-fi systems where the password may be simply “password” rather than through a secure (and monitored) corporate network that enforces password standard policies, firewalls, and so on.
Employers should provide IT support and guidance to allow workers to secure their home computer systems to protect documents sent and conversations had over email, virtual conference calls, and voice calls.
There are significant data protection implications, including new legislation enacted in Colorado, Nevada, and Virginia—not to mention the California Consumer Privacy Act (recently amended), which may soon apply to cover employees. Of course, there’s always the GDPR and the UK Data Protection Act 2018 (DPA 2018).
Businesses with remote workers should assess whether staff use home devices to access critical company data or client documentation. If so, review data protection policies and educate staff to prevent data leakage and personal data from being stored (and backed up) on home devices.
Employers will need to take appropriate technical and organizational measures against the processing of data that identifies an individual’s personal information and protect against the accidental loss or destruction of data.
Processing is widely defined as obtaining, storing, viewing, holding, recording, transmitting, or destroying information or data or carrying out any operation or set of operations on the information or data.
Leakage of personal data may take many forms, from inadvertent back-ups on home IT devices to using home scanners (leaving a digital image of the document stored locally) and printing papers at home (which can result in information ending up in the trash rather than a shredder). It is also worth considering that any future discovery process, should litigation arise, is far more challenging when personal devices are involved.
Email and paper mail
Companies should actively monitor emails to ensure that work accounts are being used and personal accounts are not. Most devices allow multiple email accounts to be accessed via the same application or platform; this should be discouraged.
One of the biggest challenges in managing remote workers is ensuring effective communication. Coordinating work hours to schedule online meetings isn’t easy with team members spread out across multiple locations. This can cause confusion that slows progress and delays the completion of projects.
Equipment: the use and monitoring of communications systems
Employers need to consider what equipment will be required by a home-worker, who will provide and pay for it, and who can have access to it.
If a home-worker will use computer equipment supplied by the employer and will have access to the internet and email facilities, the employer will need to consider applying any systems it has in place for policing the use to which the homeworker might put the facilities at their disposal. Employers will also need to satisfy themselves that the risk of a data security breach is low.
Employers can address many issues by implementing a clear and thorough IT and telecommunications policy. This may include measures to protect the confidentiality of electronic information; to monitor the use of email and the internet and the extent to which (if at all) either may be used on a personal basis; to monitor the use of other electronic communications, and to clarify what will be considered inappropriate use. The policy should include clear information about the types of monitoring an employer may undertake and who will access such information. Employers should also consider whether the policy captures issues that typically affect home-workers. For example, does the policy cover the appropriate use of social media and an employee’s obligations to protect their employer’s reputation, even from home?
A good policy may also include:
- Tailoring standard employment contract clauses to encompass homeworking.
- Strengthening measures to protect confidential information and personal data.
- Reviewing the health and safety implications of homeworking arrangements, including carrying out a risk assessment.
- Deciding what special equipment, if any, should be provided.
- Considering whether any special planning or insurance arrangements are required.
- Deciding what arrangements should be made for the management and supervision of certain types of homeworkers; and
- Identifying the tax consequences of homeworking.
If you need help or have any questions, please call us on +1 212 545 8022 or click here to learn more about our capabilities.