WFH: Has your business thoroughly assessed the risk?

Britain faces a new model of working due to the lockdown imposed by the Government due to COVID-19.

The spread of the COVID-19 coronavirus is growing as are the anxiety levels of businesses around the globe.

Offices these days tend to be more open plan and collaborative, so the chances of a virus spreading between employees may be increased because of this. Whilst key man risk is often considered within business continuity planning, this particular virus has a more significant impact on the elderly who are likely to no longer be working.

Most companies have either implemented a more flexible work policy or mandated a period of working from home. Prior to the Coronavirus outbreak, working from home as a norm had not largely been implemented within the insurance, pensions and investment industries. As relationship industries, our front-line rely on face-to-face interaction, most significantly personified by the continued tradition of non-life insurance business being transacted at each syndicate’s “box” in the underwriting “Room” at Lloyd’s of London. Additionally, there remains a stigma around productivity dropping when you work from home. Working from home clearly isn’t our norm… yet.

Those businesses that have fostered a culture of enabling employees to work flexibly will be better prepared for the coming months. Whether your organisation has or hasn’t embraced flexible working being aware of the areas below can enable you and your teams to navigate the next few months and the changed world beyond that more successfully.

We’ve developed a series of questions and recommendations to help businesses and individuals to manage homeworking and its cyber risk implications:

These fall under the key themes of enabling employees to work and replicating the functionality and atmosphere of the office.

Supporting employees with infrastructure and equipment:

• If laptops malfunction and can’t be fixed remotely, can your organisation safely allow personal laptops to be used for business related purposes, does it need to accept the loss of the impacted resource or are there plans in place to enable the deployment of pool equipment for these situations?
• Given the limited prevalence of working from home to date is this the first real test of whether the organisation’s network architecture has been designed securely to support teleworking? Are there cascaded plans in place to work around internet or network failures?
• Can employees print from home if necessary? Are they aware of safe disposal techniques?
• Are solutions to prevent the communication of particular types of data externally to the organisation configured properly and do they actually perform as intended?
• Is Citrix or any other remote desktop solution tested for potential security flaws and misconfigurations that may allow malicious individuals to leverage such weaknesses acting against your organisation? Can legacy systems that are traditionally accessed on site still be accessed and is this secure? What workarounds exist if data can’t be updated and for how long will those workarounds remain valid?
• Remind employees of the importance of strong passwords for their wifi routers (try https://howsecureismypassword.net/). Access to a wifi router can enable a bad actor to hop onto the same VPN an employee is using and, thereby access the corporate network. Given the increased level of working using a home network, now might also be the time to help them understand how to set up a guest wifi network and which IoT devices might be less secure and thus should use that rather than the main network.
• A time of disruption creates a perfect opportunity for Cyber bad actors. How do you remain vigilant to intruders in your network whilst allowing for potential changes in behaviour and responsibilities of individuals?

In terms of recreating the office experience and adjusting to operating in this new norm, we would suggest considering the following points and recommendations:

• Group chat and collaboration tools such as Microsoft Teams, Slack and others, enable teams to replicate the in-office collaboration experience.
• Is there an understanding of how lawful processing of personal data can be impacted by use in the home environment? This is more pertinent in the case where two working spouses may be sharing working space at home?
• Are the colleagues in touch by email or phone really who they say they are? There is friction to checking in with someone when they are a phone call or message away rather than a few desks away. Should organisations consider running a phishing campaign to raise employees’ security awareness, when they are far from sight?
• Can legacy systems that are traditionally accessed on site still be accessed and is this secure? What workarounds exist if data can’t be updated and for how long will those workarounds remain valid?
• How do you maintain team camaraderie in an isolationist environment? Maybe try a conference team tea break with no work on the agenda.
• This is the ideal opportunity to work out how you best maintain internal and external face to face relationships when you can’t physically meet.

Visesh Gosrani, Chair of the Institute and Faculty of Actuaries Cyber Risk Working Party, and Stephanie Eybers, Infrastructure and Managed Services Consultant and Account Manager at Cynance/Transputec explore the risks insurers and employees.