COVID-19: Making remote work productive and secure

  • The sudden and swift shift of tens of millions of workers from on-site to remote work environments is challenging organizations as never before.
  • Employees are experiencing major disruptions in their work and home lives. Companies should consider tools to help gauge employees’ needs and manage workloads.
  • Cybersecurity investments are paying off. Companies that modernized their infrastructures and trained their people transitioned to remote work quickly, without compromising security.
  • But many companies emphasized “connectivity first” in their initial response. Now is the time to assess security and control gaps to stop cybercriminals eager to take advantage.

Issues arising from COVID-19

The COVID-19 global pandemic is upending business operations around the world, abruptly sending employees home to work and driving many enterprises into a hurried “tech on the fly” mode to keep business running smoothly. Rushing to virtually connect remote workers to the workplace, however, employers and personnel may overlook security — and cybercriminals have already begun to take advantage. Securing remote work modes now will likely save much time and money later and give companies a long-term advantage. 

Never before have we experienced change at this scale and pace. As of mid-February, about 4.7 million US workers worked remotely. Social distancing measures begun in March have caused that number to surge. The percentage of full-time employees working from home due to COVID-19 closures jumped to 61% from 33% throughout the second half of March, according to Gallup.

This sea change requires a shift in skillsets and attitudes and, for businesses, possibly expectations of productivity. More than two-thirds of North American companies surveyed for the “Remote Work in the COVID-19 Era” report said they struggle to strike the right balance between flexibility and security for remote work employees. The effect on workforce/reduction in productivity is among the top-three COVID-19 concerns for 41% of finance leaders, according to PwC’s COVID-19 CFO Pulse Survey.

Three practical steps to help reduce risk and build trust during these unsettling times

To support and enhance robust remote-work environments, CISOs, in tandem with other C-Suite leaders, should focus on three priorities:

  1. Stay in touch with your people. Use emerging tools to visualize the real-time state of your workforce for more informed decision-making, while respecting their privacy.

  2. Assess and close the security and control gaps in your remote work set-up. 

  3. Secure the remote and distributed work models for the long term, in case they’re needed for an extended period or permanently.

This seismic work-life shift is only one aspect of “a huge, stressful experiment” in which many Americans unwittingly find themselves. What your organization does during this era matters a lot, not just for workers but also for customers, suppliers and society. How can your organization respond in a way that demonstrates its core values? How can you adjust nimbly with the times and the needs? How can you strengthen trust in your company — one that your customers, employees, business partners and community can rely on during the crisis and beyond?

1. Stay in touch with your people

As the US hunkers down amid aggressive social distancing measures, most companies have been in remote-work mode for at least five weeks. Forty-one percent of Americans surveyed in one study said they don’t have the right equipment or office set-up to work effectively from home, and 31% said they aren’t confident that their home Internet service is robust enough for them to work efficiently. And with home doubling as workplace and classroom, and many facing reduced household incomes, many American workers report psychological distress. Compared to a year ago, reports of daily worry have increased to 60% from 37% among the full-time working population.

As a business leader, you want your team members to have what they need to do their jobs. Are they facing any issues — family, health, domestic situations — that might hinder their work? Are some overloaded with tasks while others have time to take on more? How can you communicate that leadership is there for them and wants to understand how to support them, without infringing on their privacy?

Many companies are looking for a solution that employees across work locations can use to check in easily. Eighty-three percent of companies do not have processes and systems in place to track their workforce as of March 30, according to PwC’s COVID-19 Navigator. Apps, like PwC’s Check-In app, let employees provide information on their work mode (office, work from home, travel, or PTO); their ability to work effectively or need for support; any obstacles they may face, including technology or mobility issues; and any creative solutions they may have built. Leadership can get real-time views — an employee “work wellness” barometer — to inform decisions about resourcing, workload rebalancing and new employee-support services.

Before adopting any solution, companies should assess the privacy impacts of collecting, storing, reporting and using employee data during the COVID-19 crisis. No one should have to provide personally identifiable data. A good solution should not link to any other employee databases that have protected characteristics and performance metrics. Otherwise, personnel may be less inclined to use the app and provide accurate information.

As a backdrop to remote work: CFOs report both labor supply constraints and intense cost pressures

As a result of COVID-19, which of the following does your company expect to occur in the next month? (Select all that apply). (Select up to three.)

  • Productivity loss due to lack of remote work capabilities
  • Higher demand for employee protections (e.g., sick leave policies, increased demand for benefits, discrimination)
  • A change in staffing due to low/slow demand (temporary furloughs)
  • Separation of staff (layoffs)
  • Insufficient staffing to accomplish critical work (workforce capacity)
  • Other (please specify)

Source: PwC COVID-19 US CFO Pulse Survey
April 8, 2020: base of 313

2. Close the security and control gaps in your remote work set-up

“Connectivity first” was the focus for many during the early weeks of the crisis. Businesses drastically increased capacity to meet the needs of businesses and consumers: virtual meetings, live streaming, automated customer assistance, business intelligence driven by machine learning, online education and more. 

In the rush, many companies compressed or ignored their risk and change management processes. While understandable given the speed the business demanded, those policies exist to protect the business from bad actors (internal and external). The reason risk reviews take time is that most companies have very complex IT environments. Many employees now use remote desktops and unapproved file sharing and applications (“shadow IT”). Consequently, many companies can’t answer a basic question: “Which assets can my remote users see and access?” Security breaches could be occurring right now and remain undiscovered for months.

One critical shift to remote work is telemedicine. Recently, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) said that it will exercise enforcement discretion and not impose penalties for noncompliance with the requirements under the HIPAA Rules, if provision of telehealth during the pandemic is done in good faith. But health services providers remain obligated to protect personal health information (PHI). And health tech providers should not make claims of HIPAA-compliant platforms lightly. Even during this pandemic, patients should be able to count on the transmission of patient information using alternative audio/visual tech to be treated with the same level of care; they should not feel they have to give up privacy to receive health care.

If your company took short-cuts to expand remote connectivity, you should prioritize doing an assessment that reviews access, the current controls in place (established for a different world) and the threats your remote workers may inadvertently be creating. Your environment is now fundamentally different. What was good just a few weeks ago may not be adequate today. 

Organizations should ask: How does the shift to remote-work mode change our cybersecurity posture? Which cyber-hygiene practices do we already use, and which do we need to add for remote work? Which other risks — operational, regulatory and compliance — should we manage? 

Organizations should assess how well their critical people, processes and technology are operating when it comes to capacity and capability and which risks are of greatest concern. An assessment of the security of your remote work model should include these questions.

Questions to ask about the security of your remote work model

Connections and access; Endpoints and applications; Operations
  • How are your Virtual Private Network (VPN) and Virtual Desktop Infrastructure (VDI) environments holding up?
  • Are your VPN and VDI able to handle the large influx of connections?
  • Have you reviewed what remote users have access to? Do you have multi-factor authentication?
  • How well can your systems handle peak loads?
  • How well can your systems handle outages? 
  • How are you monitoring inactive computers left behind in the office?
  • How are you handling the continuing needs of essential services workers, particularly in critical infrastructure industries or high-security networks?
  • How well are you monitoring employees’ use of devices and applications (e.g., file-sharing, video-conferencing, collaborative work)?
  • Do the machines have properly configured firewalls, including installed anti-malware and intrusion prevention software? 
  • How are you communicating with employees regarding secure practices like encryption of home routers and wifi networks, prompt installation of software updates, the handling of digital and printed information and adherence to confidentiality rules?
  • Are you looking at your third-party risk management controls and how your vendors are working securely at home?
  • Do you have a strategy to confirm access revocation and reallocation when employees’ productivity or job status changes?
  • How have your security, risk and compliance and governance staffing been affected? How is your security operation center set up?
  • To what extent do these risk and security functions rely on on-premises resources and environment? 
  • How have procedures and business processes been adjusted to help these personnel continue to do their work? 
  • Have you made changes to your access and firewall policies that could affect your controls framework? 
  • How are you managing risks posed by reliance on managed security service providers (MSSPs)? 
  • How have you adjusted algorithms that are intended to detect threats and monitor identity and access in the remote work environment? How are you handling any spikes in “false positive” anomalies? 

3. Secure the remote and distributed work models for the long term

Many companies have distinguished themselves by swiftly shifting their people to remote work and giving them the support and access they need to be productive. Those companies have invested in a solid technical infrastructure that supports legacy and modern applications. Their investments in identity and access management, in the cloud, in modernizing their network architectures — and developing the skills of their IT professionals — have paid off. They continued to fill orders, change up production lines or deliver new services needed during the crisis.   

No one knows how long the COVID-19 pandemic and its economic impact will last. Companies will likely need to support secure remote-work environments for quite some time: governments and other agencies are concerned about a months-long period of social distancing, and some countries and regions that have endured the pandemic’s first wave aren’t lifting restrictions for fear that the virus may return. Forty percent of CFOs we surveyed think that it may take more than three months for their companies to get back to business as usual, according to PwC’s CFO Pulse Survey.

Companies may also choose to keep some part of the workforce in remote mode even after the crisis is over. 

To reduce the risks of remote work over the long term, consider adopting these security standards and solutions.

Security standards and solutions for more secure remote work in the long term

Connections and devices; Operations and access; Coordination
  • On-demand infrastructure using cloud technology, as cloud capability often can scale up as well as scale out
  • Cloud security and network security
    • Adoption of a combination of architectures and solutions that dissolves the traditional on-premises boundary in favor of anywhere-anytime security that authenticates and protects devices, information and systems at their Software-as-a-Service (SaaS)-delivered network connectivity
    • Software-defined network architectures
  • Endpoint security
    • Mobile device management (MDM) is part of the enterprise security stack and an extension of endpoint security solutions
    • Controls on routers and access points to increase visibility of network-connected assets
  • Virtual security operations centers (SOCs) that enable remote analyst work, enabling increased productivity and availability
  • MSSPs designed as a cost-effective solution
  • An identity platform to enable seamless digital experiences for customers and employees
  • Updated algorithms and analytics solutions to help detect anomalous behavior and establish holistic identity
  • Within cross-functional teams, continuous assessments, prioritization and response plans to mitigate potential risks associated with third parties
  • Robust risk analysis and scenario planning to account for possible disruptions

The one risk you can control

With so many COVID-19 risks yet unknown, our ability to conduct “business as usual” can seem beyond our ken. But there is one risk factor you can control: dropped hand-offs between functions. Coordination among your teams is key for success — distinct areas of expertise don’t have to mean “disjointed.”

Remember, risks can come from an angle your team may have failed to see that a colleague from another department might have raised. Another pair of eyes might have alerted you to that privacy law breach before it occurred or spotted a policy’s failure to restrict access to a system that resulted in a zero-day vulnerability. Someone else might have redesigned a procedure to ease the compliance burden on employees or supported a better, separate set-up for essential workers.

To secure remote-work environments, CISOs should take the lead and rally risk managers and leaders in human resources, finance, compliance and other functions to evaluate the issues and help understand the impacts of changes. Together, they must help confirm that the right policies, procedures and controls are in place — for safe, healthy and productive employees and for operations that customers, workers and business partners can trust.

Contact us

Sean Joyce

Global and US Cybersecurity, Privacy & Forensics Leader, PwC US

Joseph Nocera

Cyber & Privacy Innovation Institute Leader, PwC US

Emily Stapf

Principal, Cybersecurity and Privacy, PwC US

Bhushan Sethi

Principal, Joint Global Leader, People and Organization, PwC US

Carrie Duarte

Workforce of the Future Leader, PwC US

Kevin O’Connell

Trust and Transparency Solutions Clients and Markets Leader, PwC US

Pete Goodhart

Principal, Risk Assurance, PwC US