The COVID-19 global pandemic is upending business operations around the world, abruptly sending employees home to work and driving many enterprises into a hurried “tech on the fly” mode to keep business running smoothly. Rushing to virtually connect remote workers to the workplace, however, employers and personnel may overlook security — and cybercriminals have already begun to take advantage. Securing remote work modes now will likely save much time and money later and give companies a long-term advantage.
Never before have we experienced change at this scale and pace. As of mid-February, about 4.7 million US workers worked remotely. Social distancing measures begun in March have caused that number to surge. The percentage of full-time employees working from home due to COVID-19 closures jumped to 61% from 33% throughout the second half of March, according to Gallup.
This sea change requires a shift in skillsets and attitudes and, for businesses, possibly expectations of productivity. More than two-thirds of North American companies surveyed for “Remote Work in the COVID-19 Era” report said they struggle to strike the right balance between flexibility and security for remote work employees. The effect on workforce/reduction in productivity is among top-three COVID-19 concerns for 41% of finance leaders, according to PwC’s COVID-19 CFO Pulse Survey.
To support and enhance robust remote-work environments, CISOs, in tandem with other C-Suite leaders, should focus on three priorities:
Stay in touch with your people. Use emerging tools to visualize the real-time state of your workforce for more informed decision-making, while respecting their privacy.
Assess and close the security and control gaps in your remote work set-up.
Secure the remote and distributed work models for the long term, in case it’s needed for an extended period or permanently.
This seismic work-life shift is only one aspect of “a huge, stressful experiment” in which many Americans unwittingly find themselves. What your organization does during this era matters a lot, not just for workers but also for customers, suppliers and society. How can your organization respond in a way that demonstrates its core values? How can you adjust nimbly with the times and the needs? How can you strengthen trust in your company — one that your customers, employees, business partners and community can rely on during the crisis and beyond?
As the US hunkers down amid aggressive social distancing measures, most companies have been in remote-work mode for at least five weeks. Forty-one percent of Americans surveyed in one study said they don’t have the right equipment or office set-up to work effectively from home, and 31% said they aren’t confident that their home Internet service is robust enough for them to work efficiently. And with home doubling as workplace and classroom, and many facing reduced household incomes, many American workers report psychological distress. Compared to a year ago, reports of daily worry have increased to 60% from 37% among the full-time working population.
As a business leader, you want your team members to have what they need to do their jobs. Are they facing any issues — family, health, domestic situations — that might hinder their work? Are some overloaded with tasks while others have time to take on more? How can you communicate that leadership is there for them and wants to understand how to support them, without infringing on their privacy?
Many companies are looking for a solution that employees across work locations can use to check in easily. Eighty-three percent of companies do not have processes and systems in place to track their workforce as of March 30, according to PwC’s COVID-19 Navigator. Apps, like PwC’s Check-In app, let employees provide information on their work mode (office, work from home, travel, or PTO); their ability to work effectively or need for support; any obstacles they may face, including technology or mobility issues; and any creative solutions they may have built. Leadership can get real-time views — an employee ”work wellness” barometer — to inform decisions about resourcing, workload rebalancing and new employee-support services.
Before adopting any solution, companies should assess the privacy impacts of collecting, storing, reporting and using employee data during the COVID-19 crisis. No one should have to provide personally identifiable data. A good solution should not link to any other employee databases that have protected characteristics and performance metrics. Otherwise, personnel may be less inclined to use the app and provide accurate information.
“Connectivity first” was the focus for many during the early weeks of the crisis. Businesses drastically increased capacity to meet the needs of businesses and consumers: virtual meetings, live streaming, automated customer assistance, business intelligence driven by machine learning, online education and more.
In the rush, many companies compressed or ignored their risk and change management processes. While understandable given the speed the business demanded, those policies exist to protect the business from bad actors (internal and external). The reason risk reviews take time is most companies have very complex IT environments. Many employees now use remote desktops and unapproved file sharing and applications (“shadow IT”). Consequently, many companies can’t answer a basic question: “which assets can my remote users see and access?” Security breaches could be occurring right now and remain undiscovered for months.
One critical shift to remote work is telemedicine. Recently, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) said that it will exercise enforcement discretion and not impose penalties for noncompliance with the requirements under the HIPAA Rules, if provision of telehealth during the pandemic is done in good faith. But health services providers remain obligated to protect personal health information (PHI). And health tech providers should not make claims of HIPAA-compliant platforms lightly. Even during this pandemic, patients should be able to count on the transmission of patient information using alternative audio/visual tech to be treated with the same level of care; they should not feel they have to give up privacy to receive health care.
If your company took short-cuts to expand remote connectivity, you should prioritize doing an assessment that reviews access, the current controls in place (established for a different world) and the threats your remote workers may inadvertently be creating. Your environment is now fundamentally different. What was good just a few weeks ago may not be adequate today.
Organizations should ask: How does the shift to remote-work mode change our cybersecurity posture? Which cyber-hygiene practices do we already use, and which do we need to add for remote work? Which other risks — operational, regulatory and compliance — should we manage?
Organizations should assess how well their critical people, processes and technology are operating when it comes to capacity and capability and which risks are of greatest concern. An assessment of the security of your remote work model should include these questions.
|Connections and access
||Endpoints and applications
Many companies have distinguished themselves by swiftly shifting their people to remote work and giving them the support and access they need to be productive. Those companies have invested in a solid technical infrastructure that supports legacy and modern applications. Their investments in identity and access management, in the cloud, in modernizing their network architectures — and developing the skills of their IT professionals — have paid off. They continued to fill orders, change up production lines or deliver new services needed during the crisis.
No one knows how long the COVID-19 pandemic and its economic impact will last. Companies will likely need to support secure remote-work environments for quite some time: governments and other agencies are concerned about a months-long period of social distancing, and some countries and regions that have endured the pandemic’s first wave aren’t lifting restrictions for fear that the virus may return. Forty percent of CFOs we surveyed think that it may take more than three months for their companies to get back to business as usual, according to PwC’s CFO Pulse Survey.
Companies may also choose to keep some part of the workforce in remote mode even after the crisis is over.
To reduce the risks of remote work over the long term, consider adopting these security standards and solutions.
|Connections and devices||Operations and access||Coordination|
With so many COVID-19 risks yet unknown, our ability to conduct “business as usual” can seem beyond our ken. But there is one risk factor you can control: dropped hand-offs between functions. Coordination among your teams is key for success — distinct areas of expertise don’t have to mean “disjointed.”
Remember, risks can come from an angle your team may have failed to see that a colleague from another department might have raised. Another pair of eyes might have alerted you to that privacy law breach before it occurred or spotted a policy’s failure to restrict access to a system that resulted in a zero-day vulnerability. Someone else might have redesigned a procedure to ease the compliance burden on employees or supported a better, separate set-up for essential workers.
To secure remote-work environments, CISOs should take the lead and rally risk managers and leaders in human resources, finance, compliance and other functions to evaluate the issues and help understand the impacts of changes. Together, they must help confirm that the right policies, procedures and controls are in place — for safe, healthy and productive employees and for operations that customers, workers and business partners can trust.
Cyber & Privacy Innovation Institute Leader, PwC US
Cybersecurity, Privacy & Forensics Integrated Solutions Leader, PwC US
Principal, Risk Assurance, PwC US