Working from Home and the Covid-19 / Coronavirus Crisis – Enabler of Business Continuity or Risk to the Business Continuity?

This article does not aim to discuss crisis preparation, crisis management, business continuity as a whole, or recovery; rather, it examines one aspect of business continuity: information security and data protection in remote or work-from-home scenarios.

With the current Covid-19 pandemic in full swing, many businesses, from large multi-national corporations to SMBs to government organizations, have encouraged or even enforced a work-from-home policy.

Whilst not at all new, this is an innovative way to ensure business continuity whilst practicing social distancing and mitigating risk from the virus. Nevertheless, risk managers should examine the potential for exposure and consider whether their BCPs cover information and data protection when data is processed offsite by employees.

Commercial organizations, regardless of size, should have some level of information and data protection in place, and the vast majority of large corporations do. Many SMBs also have policies and procedures, but these are often more basic; in an era where startups have the potential to change our lives, both physical and information security are often neglected by smaller companies, regardless of the technology they possess. These policies, procedures and tools, however, are usually designed for the business network and workspace and very rarely consider a work-from-home scenario. Those that do are often a check-the-box exercise as opposed to policies that have teeth and can be enforced across the organization.

Risk managers and business unit leads may present evidence that the current crisis is indeed unlike any crisis our generation has experienced, and I certainly cannot dispute that point. However, the breadth and depth of this crisis explain its sudden onset; they are not an excuse for being ill-prepared. How does it differ from an earthquake, flood, or other natural disaster where suddenly access to the business workspace is limited? It doesn't.

In the midst of the crisis, it is probably infeasible to make major changes to policies and enforce new company regulations overnight. Regardless, risk managers (physical and information), together with HR and other key partners, should be cognisant of the following examples and consider effective and culturally acceptable ways to roll them out, or risk their business-sensitive data being exposed:

  • Are mobile devices supplied to employees or are employees expected to use personal devices when working from home?

    • Are employees aware of which devices may be used for business activities and is this governed contractually with the employee?

  • Does your organization have a data protection awareness program?

    • Was a refresher given at the start of this work-from-home period, and will it be repeated during it, or has all communication focused on the crisis itself?

  • Does your organization have fit for purpose information and data protection policies for work conducted on site?

    • If so, why is offsite work not treated with the same importance? The information and data being accessed are mostly the same, and onsite often has the additional layer of physical security. Does home?

  • Does your organization have network, hardware and software requirements and limitations?

  • How well has your organization vetted approved collaboration software platforms?

  • Does your organization specify at which offsite locations work may be conducted (home versus a local coffee shop, etc.)?

  • Does your organization provide guidelines and minimal requirements to ensure compliance with organizational information and data protection policies for work from home locations?

    • Are the minimal requirements robust or simply “good enough” to check the box?

  • Is your business providing a stipend for employees to cover a secure work-from-home network setup and to ensure compliance?

    • How are you ensuring compliance?

    • Are there ramifications for not being compliant?

In addition, with the increase in employees being made redundant or placed on leave without pay, or employees who fall victim to the crisis, how does your organization:

  • Ensure that access to your network is denied in a timely manner?

  • Ensure that information stored locally on mobile devices is not accessible by the former employees still in possession of the mobile devices?

  • Ensure that the mobile devices are returned to your organization?

The above are simply examples drawn from a broader information and data protection strategy, and examples of what could be considered when implementing a work-from-home policy, or any remote working policy where the employee has remote access to business-sensitive data.

To summarize, much attention is given to mitigating the (perceived and actual) elevated risk of remote cyber breaches, but what about the potentially strongest, and potentially weakest, link in any program: the people, and the non-organization networks they use, when they are working offsite?

Enablement Advisors is a boutique risk management company providing creative solutions to challenging problems across the globe. Contact us now to see how we can help your organization.

About the author

IVOR TERRET

Ivor brings over two decades of international counter terror experience at both the official and private sector levels including instructing hundreds of students from high-risk facility security teams, government covert VIP units, government Surveillance Detection units, hotel security senior management, aviation security personnel and senior management, specialized law enforcement and counter terror units as well as corporate EP and SD units.

In addition to training and highly specialized field operations, Ivor has designed and implemented security master plans for covert counter terror units, high-risk facilities, protective details and has consulted on a myriad of projects including mass transport hubs, business parks, hotels, residences, high risk facilities and factories.

Ivor holds an MSc in Security and Risk Management from the University of Leicester, where he was awarded the esteemed Dissertation of the Year Award for his research. Ivor was the elected Chairperson of the ASIS Israel Chapter for the years 2016 and 2017 and interim Chapter Chair for the years 2018 and 2019.