How Small Firms Stay Safe Post COVID-19by
Faced with the immediate need to work remotely to keep their staff safe from COVID-19, many small firms accelerated their adoption of technologies for remote work earlier this year. This often resulted in firms deploying the lowest cost solution that was quickest to implement.
Now that the urgency has passed from COVID-19, firms should consider risk management and take a step back to ensure that they have properly addressed cybersecurity, privacy, employee engagement and client experience aspects of their remote work solution.
Mitigating Cybersecurity Risks When Working From Home
Even if you or your team is already working from home, you may want to “dot your I’s and cross your T’s” to ensure that you’ve addressed all of the following cybersecurity risks:
Reduced firewall effectiveness: Home firewalls and wifi routers may not be properly configured to protect your devices from being seen on the Internet. Some home firewalls also may have antivirus protection and intrusion detection/prevention features that may not be on by default—turn them on to maximize your protection. Also be sure that all WiFi connections are encrypted and required a password to access them.
Bring Your Own Device (BYOD): If people are working on home devices and remoting into their office computer or a hosted environment, you need to ensure that their home devices are fully updated and that there is an active anti-virus. Even with a hosted desktop, keyloggers could still be used to capture passwords or account numbers from keystrokes made on the personal device.
Threats from other home devices: Even if your device is secured, the devices of other household members may not be, so you need to ensure that you’ve adjusted your network security settings to treat your home network like a public network (e.g. as if you were using the WiFi at Starbucks).
Cross-network infiltration via VPNs: Because VPNs create a “tunnel” between your home network and your office network, malware on the home network may be able to travel over to your corporate network. Ensure that VPNs are configured properly to limit what can travel across them and also use two-factor authentication to prevent a password breach from also becoming a network breach.
Increased phishing risks: There has been a notable increase in phishing attacks, particularly featuring COVID-19 information. Be sure that you have enacted advanced email scanning, employee awareness, and phishing testing programs to reduce your risk of being a victim of these attacks.
You may want to ask your IT service provider to help address each of the above for everyone that is working from home. These should be simple things to check, and it should also not cost a lot for an additional antivirus license or device management subscription.
Mitigating Privacy Risks When Working From Home
Addressing privacy risks requires more than just addressing cybersecurity (technical) risks. Be sure to consider the following privacy risks when working from home:
File downloads and printing: If you’ve allowed file downloads to personal devices or printing of documents, be sure to train people to properly dispose of them if they contain personally identifiable information (PII): social security numbers, credit card numbers, financial account numbers, or health information. The best practice however is to not allow these to leave a corporate device or to be printed away from the office.
Unintended disclosure risks: Are you working in an area where your screen can’t be seen by others or your calls can’t be overheard by others? This is especially important if you have PII on your screen or are discussing highly confidential matters. Many of us don’t realize how much our voice volume raises when we’re on the phone or how far our voice may travel so don’t just assume that because you’re in a room that others can’t hear you.
Risk of recordings or chat logs: If you are collaborating with others via chat or instant messaging, or recording any virtual meetings, check whether they are being saved anywhere. Some of these software are configured to save them by default. If you discuss anything related to PII or other highly confidential information, these recordings or logs may pose a disclosure risk if they get into the wrong hands. We usually recommend that auto-saving of recordings or chat logs be disabled to reduce this risk.
In addition to the above privacy risks, increased used of email, email recordings, chat logs, or even notes within workflow applications or workpapers may also pose e-discovery risks. Be sure to consider when you revisit your procedures for what information can be shared or type of conversations can occur via various electronic means.
Mitigating Employee Engagement Risks
With everyone working remote or if you plan to use a staggered in-office schedule to allow people back in the office, there is a higher risk of disintermediation and reduced employee engagement. It’s a lot easier for people to leave a firm if they don’t feel like they have a connection to the rest of the team. Consider some of the following ways to increase employee engagement online:
1. Presence and instant messaging/chat
Online presence (e.g. green dot next to a person’s email when they are online) replaces walking by a person’s desk to see if they’re there. Most software that provides presence usually allow an instant message or online chat to be initiated with just a click. This is built directly into Gmail and Office 365 and it is also available in many other software and virtual phone systems.
2. Incorporate some social time into virtual meetings
When meeting in person, casual social conversation often occurs as people gather in the conference room or are walking to the meeting space. Consider allowing the first 5-10 minutes of virtual meetings to be used to “catch up with each other,” which enables some of the interpersonal bonding to occur that would normally have occurred in person. Our firm has also done virtual coffee hours that were purely social to replicate the effect of our team going out to lunch or grabbing a coffee together.
3. Intentionally communicate to everyone
It’s amazing how much information spreads via word of mouth in the office. When we’re not in the office, it’s important to transition that informal channel into the firm’s virtual operations. This doesn’t have to be formal newsletters and official proclamations.
Leverage firm-wide chat rooms or even an electronic bulletin board area where people can share information with each other. Especially if you are going to have some people in office and some working remote, be sure to make extra effort to keep remote workers “in the loop” to avoid them feeling disenfranchised.
Employee engagement is one of those tricky areas that really requires firm leaders to think differently than they have in the past. These risks are even more prevalent in small firms where people are used to having more interaction with each other. Luckily the techniques above are also easier to implement in small firms since there is less hierarchy and less people to have address as part of the change.
You Can Mitigate Your Remote Work Risks
Mitigating remote work risks is the responsibility of every firm leader. This article provided some simple and low cost measures you can take to reduce these risks. I also know they work because my firm has actually implemented all of these and we have operated as a hybrid firm for over ten years now. Don’t let your firm become a COVID statistic, implement these measures to protect your firm today.
Take the Survey
Interested in learning how your firm compares to other firms in managing your remote work risks and cybersecurity? Participate in this non-technical survey that looks at the business and technical practices that firms are implementing (or plan to implement) to mitigate their remote work risks: Remote Work Policy & Cybersecurity Survey.
Editor's Note: Want to learn even more for CPE? Donny will be hosting a webinar Thursday, July 16 2pm EDT for 1 CPE credit entitled: Revisiting the Risks of Working Remote Post COVID-19. Register here for free.