COVID-19 caused an unprecedented and hasty change to the manner in which we conduct business, with many in the workforce exposed for the first time to extended spells of working from home. Mike Finlay from RiskBusiness highlights the many complex risks firms must be sure to address as we begin the transition from remote to office working
Prior to the COVID-19 lockdowns experienced across the globe, very few firms, especially in the financial services sector, had taken the significant plunge into continuous remote working or becoming a virtual business.
Where firms previously initiated either occasional or continual working from home, the firm would have undertaken a detailed risk assessment prior to doing so, considering issues such as network access, device and user authentication, versioning of various data forms, applications and devices, MAC and IP address management, data storage and backup, communication methods and security, etc.
In some ways, such a risk assessment would resemble a business impact assessment undertaken in preparation for business continuity planning, typically resulting in a formal Remote Working Policy (or some similar name). This policy would clearly lay out what the employee can and cannot do, how they should prepare to work remotely, how they should work remotely and how they return to working at the office.
As lockdowns ease or end and many employees start to return to the office, how does the firm ensure both an orderly resumption of business as usual and the safeguarding of its assets? We must remember that the initiation of disaster recovery is typically well prepared for, follows pre-defined (and hopefully previously tested) plans which employees have been trained for. With COVID-19, in the majority of cases it was simply take what you need, go home and we will work from home. Did anyone take inventory of who took what, who has what and where a multitude of (primarily) digital assets may be? Although there will be many additional aspects to think through and accepting there will be a degree of overlap or repetition, the potential exposures for the firm can be split into three primary categories: corporate devices used at home, personal devices used for corporate work and physical assets belonging to the firm.
Corporate devices used at home
Questions you should consider asking around corporate devices taken home for remote working include: How was the device used to connect to the firm’s network and infrastructure? Did the employee use their home wifi or broadband, did they use VPN, did they use a cellular connection or did they use some form of dial-up connection? What digital footprint was created in using the various connections, both within that connection and on the device? Have these been deleted? Were portals, gateways or dedicated communication ports opened to allow access? Have these since been closed? Were IP address lock-downs eased to facilitate remote access?
Personal devices used for work
Questions you should consider asking around personal devices used for corporate purposes should include: Were personal devices connecting to the network subjected to any form of security scan or virus check? Were staff required to maintain a minimum level of anti-virus protection on personal devices used to access the corporate network? Were the MAC addresses and IP addresses registered within the firm’s security command console and if so, have these since at a minimum, been suspended from future access? Was any firm owned software installed onto personal devices to facilitate working remotely? If so, has such software since been uninstalled?
Questions you should consider asking around the issue of physical assets/paperwork should include: Did any employee remove physical files of paperwork from the office for use while working at home? If so, have all such files been returned? Are they intact and complete? Did employees print out hard copies of any form of work-related files at home? Were multiple copies made? How were hard copy assets disposed of – were they shredded? Did they end up in the garbage or recycling? Were they given to children to keep them occupied while home schooling? Could confidential information of any type in hard copy form be available or given to family, friends or third parties not authorised to have access to such data?
Get access to the full questionnaire
RiskBusiness has developed a full diagnostic questionnaire which can be rolled out to every remote worker to help determine the level of threat faced by your business. For more information and access to the full questionnaire, contact us at firstname.lastname@example.org.