By RICHARD LONG
Since the advent of COVID-19 and the shift to work-from-home, employees’ home offices have become the new frontline in business continuity management. In today’s post, we’ll lay out six threats and risks of working-from-home that BCM professionals need to be aware of and plan for.
The Homefront is the New Front Line
In World War II, the homefront referred to life in the U.S. as it impacted how the war was proceeding on the fighting fronts in Europe and Asia.
In our current period, when large parts of the workforce are performing their jobs at home, the homefront IS a fighting front, at least as far as business continuity management is concerned.
For many organizations, the ability to have large numbers of employees work from home has been a blessing in that it has enabled operations to continue even while company facilities are closed. At the same time, the situation has created new risks and vulnerabilities with the potential to negatively impact company activities.
Know the Risks of Working From Home
As a BCM professional, you owe it to your stakeholders to know what the risks of the new situation are and mitigate them as best you can, just as if they resided in your corporate office.
One thing you can’t do is put your head in the sand and pretend the dangers don’t exist.
This is not to say there are simple solutions for all of these problems as they might impact your organization. But at least when you’re aware of the threats, you have a chance against them. It’s when an organization is not cognizant of the threats in its environment that it is most at their mercy.
Six New Risks of Working from Home
To help you get started with envisioning what could go wrong with your organization’s work-from-home setup, here’s my list of six potential problems in that environment, along with some possible ways of mitigating each:
1. Loss of internet access.
Employees could lose access to the internet for a variety of reasons, and the loss could affect anywhere from one staffer to many if a major provider in the area where they are geographically concentrated suffers an outage (such as T-Mobile experienced two weeks ago). One possible way to mitigate this would be for the company to set up carrier redundancy/dual internet connectivity for key employees. Another might be to set up small company-controlled locations where workers could go to access reliable and redundant connectivity.
2. Loss of electrical power.
Data centers and top-tier office space are protected from power outages by backup electricity supplies. The average home is not. Work-from-home creates a vulnerability in that one employee or many of them could be rendered incapable of working by a power outage. As for mitigation options, key employees could be provided with generators to ensure access to power, or the company might set up a small company-controlled facility with a protected power supply where employees could go to work in critical situations.
3. Routine technical troubleshooting.
Another one of our risks of working-from-home is that it means going from having one office overseen by a professional IT staff to having hundreds or thousands of offices, many or most of which are overseen by nontechnical people. Think of all the routine technical problems that are likely to come up with internet connectivity, tool access, and so on. In the new environment, those problems will become harder to resolve, and they have the potential to cause significant disruptions. Will the company help desk become responsible for troubleshooting employees’ home connectivity problems? Will they be capable of doing so given the large number of different equipment configurations and ISPs that are likely to be in use in different employees’ homes? Possible ways of mitigating this problem include: contracting for additional technical support in different regions and working with the major ISPs to learn how to support people using their service.
4. Prying eyes.
I talked about this aspect of data security in the work-from-home context a couple of months ago in a post called “Working Remotely Over the Long Haul.” A tip I gave in that blog is applicable here: “Ensure that confidential client, customer, and patient information is being protected.” The post continued: “Does your organization deal with confidential HIPAA (health), PII (personally identifiable information), or PCI (payment card information) data? If so, your legal and other obligations to keep that information away from unauthorized eyes continue when people are working remotely. At the same time, your organization has little to no say over what goes on in employees’ homes.” How to mitigate this problem? As that previous post suggested, “Your organization must implement the training, policies, and technology necessary to safeguard its stakeholders’ confidential information.” Finally, you’ll want to ensure that auto-timeouts for computers and screens are in place.
5. Threats to data and network security.
The other side of the data security issue in the work-from-home environment is remote, technological attacks on company data and networks. As I said in the blog mentioned above, “Having lots of people working from home for a long period is a recipe for IT security problems. This method of working increases the risk of malicious software infecting the network.” How to mitigate this issue? As that blog suggested, “Make sure your network monitoring and protections are sufficient. This might be a good time to have a cybersecurity firm look at what you’re doing and give you some advice on how the organization can tighten things up.” Some other possible mitigation strategies include: setting up mobile device management to ensure devices meet configuration requirements before being allowed access to the network; teaching employees how to change their router passwords from the easily guessed defaults; warning staff about the likelihood of pandemic-themed phishing attacks; and providing company laptops to ensure greater control of the computing environment. Be sure to include security awareness training and information as part of your ongoing communication. Especially important are current or known issues, such as the increase in what appear to be Russian-based attacks targeting people working from home.
6. Threats to physical device security.
Work-from-home may increase the chances that devices containing company confidential information could be stolen, whether by burglars or people with legal access to the household. How to mitigate: one way might be to require two-factor authentication on all devices used for work. Another might be to give warnings or set policies for employees regarding locking the windows and doors of any premises where work devices are kept. This may be a good time to increase the use of cloud-based storage and access. Some organizations are considering or implementing cloud-only or on-premises-only data storage, with no local device storage allowed.
A New Slate of Vulnerabilities
We’re fortunate in that the new work-from-home technology has enabled millions of organizations to maintain their operations even though the COVID-19 pandemic required them to shut their offices. However, the new work-from-home regime has brought with it a new slate of vulnerabilities in terms of business continuity management.
As BCM professionals, it’s our obligation to know what the risks of working from home are, and to plan for and mitigate them to the extent possible.
For more information on the risks of working from home, adapting to the pandemic, and other hot topics in business continuity and IT/disaster recovery, check out the following recent posts from MHA Consulting and BCMMETRICS:
- Working Remotely over the Long Haul: Living with COVID-19 as a Business
- Telephone Train Wreck: Crisis Call Chaos in the Time of COVID-19
- When the Quarantine Ends: How to Be Ready to Reopen Your Company
- Key Players: The 7 Most Important Roles on Your Return-to-Work Team
- Home to Stay? Adapting to the Next Permanent Workplace
- Double Trouble: How to Handle Multiple Business Disruptions
- Emerging from the Lockdown: 6 Things to Think About for the Next Phase
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.