The Covid-19 crisis caused an unprecedented and hasty change to the manner in which we conduct business, with many in the workforce exposed for the first time to extended spells of working from home. Mike Finlay, CEO, RiskBusiness, highlights the many complex issues firms must be sure to address as we begin the transition from remote to office working.
Prior to the Covid-19 lockdowns experienced across the globe, very few firms, especially in the financial services sector, had taken the significant plunge into continuous remote working or becoming a virtual business.
Where firms previously initiated either occasional or continual working from home, they would have undertaken a detailed risk assessment prior to doing so, considering issues such as network access, device and user authentication, versioning of various data forms, applications and devices, MAC and IP address management, data storage and backup, communication methods and security.
In some ways, such a risk assessment would resemble a business impact assessment undertaken in preparation for business continuity planning, typically resulting in a formal remote working policy or a document with a similar name. This policy would clearly lay out what the employee could and couldn't do, how they should prepare to work remotely, how they should work remotely and how they should return to working at the office.
As lockdowns ease or end and many employees start to return to the office, how does the firm ensure both an orderly resumption of business as usual and the safeguarding of its assets? We must remember that the initiation of disaster recovery is typically well prepared for and follows pre-defined (and hopefully previously tested) plans, which employees have been trained on. With Covid-19, in the majority of cases it was simply a case of 'take what you need, go home and we will work from home'.
Did anyone take inventory of who took what, who has what and where a multitude of (primarily) digital assets may be? Although there will be many additional aspects to think through and accepting there will be a degree of overlap or repetition, the potential exposures for the firm can be split into three primary categories: corporate devices used at home, personal devices used for corporate work and physical assets belonging to the firm.
Corporate devices used at home
Questions you should consider asking around corporate devices taken home for remote working include: how was the device used to connect to the firm's network and infrastructure? Did the employee use their home Wi-Fi or broadband, did they use a VPN, did they use a cellular connection or did they use some form of dial-up connection? What digital footprint was created in using the various connections, both within that connection and on the device? Have these been deleted? Were portals, gateways or dedicated communication ports opened to enable access? Have these since been closed? Were IP address lock-downs eased to facilitate remote access?
Personal devices used for work
Questions you should consider asking around personal devices used for corporate purposes include: were personal devices connecting to the network subjected to any form of security scan or virus check? Were staff required to maintain a minimum level of anti-virus protection on personal devices used to access the corporate network? Were the MAC addresses and IP addresses registered within the firm's security command console and if so, have these since, at a minimum, been suspended from future access? Was any company-owned software installed onto personal devices to facilitate working remotely? If so, has such software since been uninstalled?
Questions you should consider asking around the issue of physical assets and paperwork include: did any employee remove physical files of paperwork from the office for use while working at home? If so, have all such files been returned? Are they intact and complete? Did employees print out hard copies of any form of work-related files at home? Were multiple copies made? How were hard copy assets disposed of – were they shredded? Did they end up in the rubbish bin or recycling box? Were any papers given to children to draw on and keep them occupied while homeschooling? Could confidential information of any type in hard copy form be available or given to family, friends or third parties not authorised to have access to such data?
Gain access to the full questionnaire
RiskBusiness has developed a full diagnostic questionnaire that can be rolled out to every remote worker to help determine the level of threat faced by your business. For more information and access to the full questionnaire, send an email to email@example.com.