Blogpost

Work From Anywhere (WFA) – Upstream Impact of Downstream Lapses

By John Bree, Marya Roddis, Tony Manley, Bob Jones
December 9, 2020

Work From Anywhere (WFA) practices: our thoughts about how to ameliorate the potential impacts

 

From an HR Work From Anywhere (WFA) staffing standpoint new challenges have arisen that go far beyond meeting the typical onboarding controls. Organizations at all levels of the supply chain are experiencing far reaching, pandemic-induced impacts on their ability to effectively screen and onboard new employees, manage existing staff, and vet and onboard vendors.

How do you screen, hire, onboard, and manage team members without the ability to “manage by walking around”? We’ve broken out the main components that can lead to increased risk in WFA environments to project a better picture of what might be done to improve overall outcomes.

  1. HR Hiring and Oversight Processes
  2. Data Security
  3. Information Privacy
  4. Capability, Control and Maintenance

 

Each of these areas impact Third Party Risk Management (TPRM) controls in a daisy chain manner, with each area influencing the others – sometimes in ways we have not previously experienced.

The Challenge

Organizations are just beginning to grapple with how to attain an appropriate level of control over risks resulting from changes in staffing patterns. The biggest risk that organizations face is knowing and not acting! The next biggest risk is not knowing what risks are present.

 

Companies are seeing both positive and negative impacts from the move to WFA, which according to some may become the norm, and is estimated in the future to be upwards of50% of the workers in some industries.

  • Jamie Dimon, JP Morgan Chase Chairman and CEO, has stated that JP Morgan Chase has seen productivity drop on Mondays and Fridays with WFA.
  • Some companies have reported that while network services are reportedly seeing improved response times on trouble tickets, remediation times have increased slightly due to the IT staff working remotely.
  • Managers are having to reassess how they address their employees’ productivity, project task completions, and the overall output and efficiency of workers when their sole contact is through web-based meetings, email and telephone.
  • Managers are also having to consider how to achieve a new organizational duty of care in WFA settings, including well-being check-ins.
  • Outsourcers are having difficulty assessing how effectively their third and Nth parties are implementing WFA programs – a component vital to the everyone’s success.

 

Solutions are harder to come by due to the hydra-headed puzzles of overlapping HR Processes, Security, Privacy, and Control and Maintenance – each has its own problem set – yet they are masked by not knowing what risks may be present in each unique WFA environment. The elements that build for security and privacy that may normally be available in a controlled corporate physical environment setting with defined physical barriers are routinely obliterated in WFA environments. And the risks associated with Work From Home (WFH) are amplified when the move is made to Work from Anywhere (WFA). It is not possible to predict who may be present in a WFA environment with screens open and visible and conversations being heard by nearby people.

Not only is a secure connection not guaranteed in WFA settings, the security of the physical space surrounding the connected device can no longer be assured (e.g., shoulder surfing and listening).

 

Work From Anywhere environments raise a range of privacy issues. How can organizations track WFA environments without violating the employee’s or contractor’s privacy? What privacy really exists if employees may be working with non-employees in a shared space, rather than in a set aside, dedicated, secure and private workspace?

 

Remote work sites create challenges with “unknowns” that lurk inside efforts  in maintaining appropriate controls for system, data, and information security. Companies must know who has access to company IP and networks and when, where, and how that access is being provided. WFA employees must presumably log into their company network/system (with security infrastructure) using company owned (protected) devices; yet in a Bring Your Own Device (BYOD) environment, companies are at increased risk from malware attacks.

 

Capability of the WFA location refers to the availability of Wi-Fi, the associated reliability and “uptime” as well as the power grid and infrastructure. For example, in a number of critical outsourcing jurisdictions, electrical brownouts and blackouts are routine.

 

For example, cell phones were previously physically excluded in some work environments to eliminate the opportunity for screenshots of sensitive data. Now, some contractors and employees are reportedly using their cell phones as the main base from which they conduct business. Something as seemingly innocuous as rogue screenshots taken during a meeting can end in cross border transfer of confidential/private data (i.e., when a screenshot of confidential data is sent outside of the country). And, of course, home printer wireless connections are not connected to the employer’s security network and so are less likely to be adequately secured. Reportedly, traders who are competitors can now be working together in one home environment, under the same roof (and possibly even in the same room).

 

Whether companies have begun to address these issues with established minimum standards for home offices is not broadly known.

  • How are companies managing adherence to the types of standards that complement and maintain high security when these are not feasible in many homes, where discrete, dedicated workspaces may not be available; computer security updates may not be taking place; and computer screens may be visible from exterior windows?
  • What, if anything, are companies doing to set expectations of what WFA standards need to be, and then taking steps to assure that those standards are being adhered to? Some suggest that installing key stroke logging software on employees’ home computers and/or requiring that web cameras be kept on at all times should be considered. While that is obviously fraught with violating employees’ privacy rights, it’s indicative of the kinds of nostrums that appear when managers are faced with unprecedented events.

 

Solution Building

Segregating out the complexities inherent to these settings into a simple-to-understand, location-specific format can help prioritize those issues for examination, which in turn will enable managers to devise solutions that are best applicable to their organization’s TPRM needs. Problems differ by location, industry, sector, jurisdiction, and of course, the workforce itself.

 

Raising awareness about the potential problems and the organization’s need for solution building and implementation of workable solutions can help gain buy-in from all sides – the organization, employees, and third party contractors. Once clarity is gained around the problems being faced, they can be more easily understood, and better controls for those risks can be devised.

 

To facilitate solution building, managers can create a checklist for evaluating their organization’s environment and get a handle on mitigating these risks. The practitioner should document their examination process to create a track record of WFA issues, and then track the results over time for:

  • what risks have been taken into consideration;
  • what controls are currently in place; and
  • what controls can be realistically placed to remediate unaddressed risks.

 

An editable template designed for this purpose is available at the end of this article. Practitioners can examine the factors in the template and ascertain and document what additional issues emerge, if any, that are relevant for their organizations.

 

Practitioners should review the elements of the four main components that can lead to increased risk in WFA environments – HR Hiring and Oversight Processes, Security, Privacy, and Capability, Control and Maintenance – to determine how they may impact their organizations. Additionally, examine in depth the process issues that need to be faced involving the overlapping risk domains. The following list provides some examples:

 

  • Security and Privacy are issues that can arise together. Consider a specific WFA employee code of conduct and acknowledgement signature document to educate employees on WFA expectations. Companies need to ensure a process is in place to respond to events related to unauthorized sharing that involves HR, the business, and InfoSec event management and Cyber Security Operations Center (CSOC) teams. A determination needs to be made about what a company may put in place to identify, measure, and mitigate risks associated with non-company devices, the security of ISP connections, and any monitoring (e.g., router tracking, cameras, recording, etc.). The types of platform and application logs should be reviewed and assessed to identify potential anomalous activity. Simply monitoring and analyzing email metadata can identify suspicious patterns of traffic.
  • Training needs to be proactively put in place to ensure that the potential for workplace violations are understood and effectively managed. An example that has been seen in the workplace is the use of snapchat or a camera by a family member in a WFA environment that captured sensitive information. This violation does not have to be malicious to be a regulatory violation.
  • Third/Nth party capabilities to reasonably live up to organizations’ expectations and contractual standards may be challenged. What are your third and Nth parties doing to identify, measure, and mitigate their WFA risks? Consider the Environmental, Social, and Corporate Governance (ESG) issues to which the parties have agreed. Companies can continue to promote their value statements and have certain security measures in place using proven methods, such as inactive screen locks, blocking certain websites, preventing removeable media and printing, malware screening, etc. For vendors, who may be overly focused on profitability and consequently be inadequately resourced (human and financial), additional attention needs to be paid to whether those third (and Nth) parties are meeting expectations.
  • Duty of Care is shifting towards employees and contractors. Employee Stress is a well-recognized factor for fraud behavior and is compounded by new stressors that can result in behaviors that threaten/compromise security. This and other employee issues can pose serious problems to all involved, and many employees doing WFA, absent office interaction/support and comradery, are reporting increased stress levels. One positive solution that has been visible is employee assistance hotlines. For critical employees (either by role, or access to sensitive data, or even by profiling) more periodic background checks may be considered, inclusive of reviewing social media accounts.
  • Insurance, understand the obligations that are created in this WFA environment, such as the rules that may govern insurance if an employee is injured while working from home. For remote employees who are not working from home (i.e., Work From Anywhere (WFA)), would a commercial establishment share blame/responsibility for unavoidable accidents?
  • Infrastructure, physical plant concerns need to be identified and addressed. Issues may include location-specific rolling blackouts, equipment availability, wi-fi connectivity or access issues, etc.

 

Conclusion

While there’s no magic solution for navigating our way in this evolving “new normal”, which can seem to be shifting like quicksand under our feet, there are solid, proven processes that we can leverage and apply to this unfamiliar and ever-changing landscape.

 

Additional Resources

You can use this editable template designed for tracking Work From Anywhere (WFA) risk management. It is available by download by clicking below.

 

Disclosure: The content of this series is not intended to convey or constitute legal advice, is not to be acted on as such, and is not a substitute for obtaining legal advice from a qualified attorney. These materials include the strategic and tactical processes deemed the most generally applicable to and useful for the most parties, both outsourcers and third parties. This material is not intended to be inclusive of every case required by statute or regulation for any specific industry, nor those mandated by any and all industry standards.

 

By: John Bree, Chief Evangelist – Supply Wisdom (NeoGroup); Tony Manley, Third Party Risk Professional; Bob Jones, Senior Advisor, The Santa Fe Group, Shared Assessments Program

 

Author:

John Bree

John is Chief Evangelist & Chief Risk Officer with Supply Wisdom, the leading patented continuous risk intelligence and monitoring solution for third parties and locations. He is recognized as a global financial industry executive and risk subject matter expert, in vendor/third-party risk management, AML/CTF, KYC, and anti-fraud programs. Prior to joining Supply Wisdom, John held senior positions globally for Citi and Deutsche Bank covering corporate, investment, commercial, and consumer banking. He has managed global staff and corresponding budgets in multiple locations and delivered cost-efficient and operationally effective programs ensuring compliance with local and global regulatory requirements. Through interaction with Business Units, Internal Audit, and regulatory agencies, John resolved MRIAs, MRAs and Findings, on time and without penalty. John is a member of the Shared Assessments US and UK Steering Committees and Co-Chair of the Financial Industry Vertical Strategy Group.

Marya Roddis

Marya Roddis is VP of Technical Writing for Shared Assessments where she has worked since 2013. Before Shared Assessments, Marya served in administrative, technical, and teaching capacities in varied settings including University of Alaska Institute of Northern Forestry and the Medical Identity Fraud Alliance. Marya is not only an artist of writing - she is a visual artist and has served as an Artist-In-Residence with a number of school districts and the Nevada Museum of Art.

Tony Manley

Tony Manley is a seasoned Third Party Risk Professional. He serves as the Shared Assessments’ Best Practices Awareness Group’s Chair. He has over 20 years working in TPRM operations management, including startup collaboration, TPRM department management, managing audit and compliance.

Bob Jones

Bob Jones is deeply committed to contributing to the well-being of the financial services community. A well-known and sought-after expert in risk management strategy, he has 50 years of experience leading fraud risk management and risk management strategy. When not writing blogs for SharedAssessments, Bob enjoys playing with his 4 grandchildren and 2 granddogs.