Work From Anywhere (WFA) – Upstream Impact of Downstream Lapses

Dec 9, 2020 | Business Continuity, Corporate Culture, Data & Cybersecurity

Work From Anywhere (WFA) practices: our thoughts about how to ameliorate the potential impacts

From an HR Work From Anywhere (WFA) staffing standpoint, new challenges have arisen that go far beyond meeting the typical onboarding controls. Organizations at all levels of the supply chain are experiencing far-reaching, pandemic-induced impacts on their ability to effectively screen and onboard new employees, manage existing staff, and vet and onboard vendors.

How do you screen, hire, onboard, and manage team members without the ability to “manage by walking around”? We’ve broken out the main components that can lead to increased risk in WFA environments to project a better picture of what might be done to improve overall outcomes.

  1. HR Hiring and Oversight Processes
  2. Data Security
  3. Information Privacy
  4. Capability, Control and Maintenance

Each of these areas impacts Third Party Risk Management (TPRM) controls in a daisy-chain manner, with each area influencing the others – sometimes in ways we have not previously experienced.

The Challenge

Organizations are just beginning to grapple with how to attain an appropriate level of control over risks resulting from changes in staffing patterns. The biggest risk that organizations face is knowing and not acting! The next biggest risk is not knowing what risks are present.

Companies are seeing both positive and negative impacts from the move to WFA, which according to some may become the norm, and is estimated in the future to be upwards of 50% of the workers in some industries.

  • Jamie Dimon, JP Morgan Chase Chairman and CEO, has stated that JP Morgan Chase has seen productivity drop on Mondays and Fridays with WFA.
  • Some companies have reported that while network services are reportedly seeing improved response times on trouble tickets, remediation times have increased slightly due to the IT staff working remotely.
  • Managers are having to reassess how they address their employees’ productivity, project task completions, and the overall output and efficiency of workers when their sole contact is through web-based meetings, email and telephone.
  • Managers are also having to consider how to achieve a new organizational duty of care in WFA settings, including well-being check-ins.
  • Outsourcers are having difficulty assessing how effectively their third and Nth parties are implementing WFA programs – a component vital to everyone’s success.

Solutions are harder to come by due to the hydra-headed puzzles of overlapping HR Processes, Security, Privacy, and Control and Maintenance – each has its own problem set – yet they are masked by not knowing what risks may be present in each unique WFA environment. The elements that build for security and privacy that may normally be available in a controlled corporate physical environment setting with defined physical barriers are routinely obliterated in WFA environments. And the risks associated with Work From Home (WFH) are amplified when the move is made to Work from Anywhere (WFA). It is not possible to predict who may be present in a WFA environment with screens open and visible and conversations being heard by nearby people.

Not only is a secure connection not guaranteed in WFA settings, the security of the physical space surrounding the connected device can no longer be assured (e.g., shoulder surfing and listening).

Work From Anywhere environments raise a range of privacy issues. How can organizations track WFA environments without violating the employee’s or contractor’s privacy? What privacy really exists if employees may be working with non-employees in a shared space, rather than in a set aside, dedicated, secure and private workspace?

Remote work sites create challenges with “unknowns” that lurk inside efforts to maintain appropriate controls for system, data, and information security. Companies must know who has access to company IP and networks and when, where, and how that access is being provided. WFA employees must presumably log into their company network/system (with security infrastructure) using company-owned (protected) devices; yet in a Bring Your Own Device (BYOD) environment, companies are at increased risk from malware attacks.

Capability of the WFA location refers to the availability of Wi-Fi, the associated reliability and “uptime” as well as the power grid and infrastructure. For example, in a number of critical outsourcing jurisdictions, electrical brownouts and blackouts are routine.

For example, cell phones were previously physically excluded in some work environments to eliminate the opportunity for screenshots of sensitive data. Now, some contractors and employees are reportedly using their cell phones as the main base from which they conduct business. Something as seemingly innocuous as rogue screenshots taken during a meeting can end in cross border transfer of confidential/private data (i.e., when a screenshot of confidential data is sent outside of the country). And, of course, home printer wireless connections are not connected to the employer’s security network and so are less likely to be adequately secured. Reportedly, traders who are competitors can now be working together in one home environment, under the same roof (and possibly even in the same room).

Whether companies have begun to address these issues with established minimum standards for home offices is not broadly known.

  • How are companies managing adherence to the types of standards that complement and maintain high security when these are not feasible in many homes, where discrete, dedicated workspaces may not be available; computer security updates may not be taking place; and computer screens may be visible from exterior windows?
  • What, if anything, are companies doing to set expectations of what WFA standards need to be, and then taking steps to assure that those standards are being adhered to? Some suggest that installing keystroke logging software on employees’ home computers and/or requiring that web cameras be kept on at all times should be considered. While that is obviously fraught with violating employees’ privacy rights, it’s indicative of the kinds of nostrums that appear when managers are faced with unprecedented events.

Solution Building

Segregating out the complexities inherent to these settings into a simple-to-understand, location-specific format can help prioritize those issues for examination, which in turn will enable managers to devise solutions that are best applicable to their organization’s TPRM needs. Problems differ by location, industry, sector, jurisdiction, and of course, the workforce itself.

Raising awareness about the potential problems and the organization’s need for solution building and implementation of workable solutions can help gain buy-in from all sides – the organization, employees, and third party contractors. Once clarity is gained around the problems being faced, they can be more easily understood, and better controls for those risks can be devised.

To facilitate solution building, managers can create a checklist for evaluating their organization’s environment and get a handle on mitigating these risks. The practitioner should document their examination process to create a track record of WFA issues, and then track the results over time for:

  • what risks have been taken into consideration;
  • what controls are currently in place; and
  • what controls can be realistically placed to remediate unaddressed risks.

An editable template designed for this purpose is available at the end of this article. Practitioners can examine the factors in the template and ascertain and document what additional issues emerge, if any, that are relevant for their organizations.

Practitioners should review the elements of the four main components that can lead to increased risk in WFA environments – HR Hiring and Oversight Processes, Security, Privacy, and Capability, Control and Maintenance – to determine how they may impact their organizations. Additionally, examine in depth the process issues that need to be faced involving the overlapping risk domains. The following list provides some examples:

  • Security and Privacy are issues that can arise together. Consider a specific WFA employee code of conduct and acknowledgement signature document to educate employees on WFA expectations. Companies need to ensure a process is in place to respond to events related to unauthorized sharing that involves HR, the business, and InfoSec event management and Cyber Security Operations Center (CSOC) teams. A determination needs to be made about what a company may put in place to identify, measure, and mitigate risks associated with non-company devices, the security of ISP connections, and any monitoring (e.g., router tracking, cameras, recording, etc.). The types of platform and application logs should be reviewed and assessed to identify potential anomalous activity. Simply monitoring and analyzing email metadata can identify suspicious patterns of traffic.
  • Training needs to be proactively put in place to ensure that the potential for workplace violations is understood and effectively managed. An example that has been seen in the workplace is the use of Snapchat or a camera by a family member in a WFA environment that captured sensitive information. This violation does not have to be malicious to be a regulatory violation.
  • Third/Nth party capabilities to reasonably live up to organizations’ expectations and contractual standards may be challenged. What are your third and Nth parties doing to identify, measure, and mitigate their WFA risks? Consider the Environmental, Social, and Corporate Governance (ESG) issues to which the parties have agreed. Companies can continue to promote their value statements and have certain security measures in place using proven methods, such as inactive screen locks, blocking certain websites, preventing removable media and printing, malware screening, etc. For vendors, who may be overly focused on profitability and consequently be inadequately resourced (human and financial), additional attention needs to be paid to whether those third (and Nth) parties are meeting expectations.
  • Duty of Care is shifting towards employees and contractors. Employee stress is a well-recognized factor for fraud behavior and is compounded by new stressors that can result in behaviors that threaten/compromise security. This and other employee issues can pose serious problems to all involved, and many employees doing WFA, absent office interaction/support and camaraderie, are reporting increased stress levels. One positive solution that has been visible is employee assistance hotlines. For critical employees (either by role, or access to sensitive data, or even by profiling) more periodic background checks may be considered, inclusive of reviewing social media accounts.
  • Insurance: understand the obligations that are created in a WFA environment, such as the rules that may govern insurance if an employee is injured while working from home. For remote employees who are not working from home (i.e., truly Work From Anywhere), would a commercial establishment share blame/responsibility for unavoidable accidents?
  • Infrastructure: physical plant concerns need to be identified and addressed. Issues may include location-specific rolling blackouts, equipment availability, Wi-Fi connectivity or access issues, etc.
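
The first bullet above recommends reviewing platform and application logs and, in particular, email metadata for suspicious traffic patterns. The Python script below is an added illustration of that idea, not code from the article or its authors. It examines only metadata (sender, recipient domain, time, attachment size), never message content, and flags three patterns a reviewer might want to look at in a WFA setting: unusually large attachments sent to external domains, attachment-bearing sends outside business hours, and a daily burst of external sends with attachments from one sender. The internal mail domain, the thresholds, the pipe-separated log format and the sample records are all assumptions constructed for this example.

```python
"""
Email-metadata review for WFA anomaly spotting.
Added illustration (not the article's own tooling). Only metadata is
examined; message bodies are never read. Sample records are constructed.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log: one record per line, pipe-separated fields:
# timestamp | sender | recipient | attachment_count | attachment_bytes
SAMPLE_LOG = """\
2020-12-07T09:12:00|alice@corp.example|bob@corp.example|0|0
2020-12-07T10:05:00|alice@corp.example|vendor@partner.example|1|120000
2020-12-07T21:30:00|carol@corp.example|me@freemail.example|1|900000
2020-12-07T23:41:00|carol@corp.example|me@freemail.example|3|48000000
2020-12-07T23:52:00|carol@corp.example|me@freemail.example|2|51000000
2020-12-08T11:30:00|dave@corp.example|team@corp.example|1|300000
"""

INTERNAL_DOMAIN = "corp.example"            # assumption: the employer's mail domain
BUSINESS_HOURS = (time(7, 0), time(20, 0))  # assumption: local working window
LARGE_ATTACHMENT_BYTES = 25_000_000         # assumption: 25 MB per message
EXTERNAL_BURST_COUNT = 3                    # assumption: external sends w/ attachments per day


def parse_log(text):
    """Turn the pipe-separated metadata lines into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, count, size = line.split("|")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "sender": sender,
            "recipient": recipient,
            "attachments": int(count),
            "bytes": int(size),
        })
    return records


def is_external(address):
    """True when the address is outside the organization's own domain."""
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def off_hours(ts):
    """True when the send time falls outside the configured business window."""
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() <= end)


def find_anomalies(records):
    """Return (pattern, sender, when) tuples for records worth a closer look."""
    findings = []
    daily_external = defaultdict(int)  # (sender, date) -> external sends with attachments
    for r in records:
        ext = is_external(r["recipient"])
        if ext and r["bytes"] >= LARGE_ATTACHMENT_BYTES:
            findings.append(("large_external_attachment", r["sender"], r["ts"].isoformat()))
        if ext and r["attachments"] > 0 and off_hours(r["ts"]):
            findings.append(("off_hours_external_send", r["sender"], r["ts"].isoformat()))
        if ext and r["attachments"] > 0:
            daily_external[(r["sender"], r["ts"].date())] += 1
    # A repeated pattern within one day is flagged once, after all records are seen.
    for (sender, day), n in sorted(daily_external.items()):
        if n >= EXTERNAL_BURST_COUNT:
            findings.append(("external_attachment_burst", sender, day.isoformat()))
    return findings


def summarize(text=SAMPLE_LOG):
    """Parse the log text and return its findings; used by the example run below."""
    return find_anomalies(parse_log(text))


if __name__ == "__main__":
    for pattern, sender, when in summarize():
        print(f"{when}  {sender:<22} {pattern}")
```

The thresholds are deliberately simple and should be tuned to each organization's own baseline; the output is a list of leads for joint HR and InfoSec review, as the bullet describes, not a verdict about any individual.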

Conclusion

While there’s no magic solution for navigating our way in this evolving “new normal”, which can seem to be shifting like quicksand under our feet, there are solid, proven processes that we can leverage and apply to this unfamiliar and ever-changing landscape.

Additional Resources

An editable template designed for tracking Work From Anywhere (WFA) risk management is available for download below.

Disclosure: The content of this series is not intended to convey or constitute legal advice, is not to be acted on as such, and is not a substitute for obtaining legal advice from a qualified attorney. These materials include the strategic and tactical processes deemed the most generally applicable to and useful for the most parties, both outsourcers and third parties. This material is not intended to be inclusive of every case required by statute or regulation for any specific industry, nor those mandated by any and all industry standards.

By: John Bree, Chief Evangelist – Supply Wisdom (NeoGroup); Tony Manley, Third Party Risk Professional; Bob Jones, Senior Advisor, The Santa Fe Group, Shared Assessments Program

John Bree

John is Chief Evangelist & Chief Risk Officer with Supply Wisdom, the leading patented continuous risk intelligence and monitoring solution for third parties and locations. He is recognized as a global financial industry executive and risk subject matter expert, in vendor/third-party risk management, AML/CTF, KYC, and anti-fraud programs. Prior to joining Supply Wisdom, John held senior positions globally for Citi and Deutsche Bank covering corporate, investment, commercial, and consumer banking. He has managed global staff and corresponding budgets in multiple locations and delivered cost-efficient and operationally effective programs ensuring compliance with local and global regulatory requirements. Through interaction with Business Units, Internal Audit, and regulatory agencies, John resolved MRIAs, MRAs and Findings, on time and without penalty. John is a member of the Shared Assessments US and UK Steering Committees and Co-Chair of the Financial Industry Vertical Strategy Group.


Marya Roddis

Marya Roddis is VP of Technical Writing for Shared Assessments where she has worked since 2013. Before Shared Assessments, Marya served in administrative, technical, and teaching capacities in varied settings including University of Alaska Institute of Northern Forestry and the Medical Identity Fraud Alliance. Marya is not only an artist of writing - she is a visual artist and has served as an Artist-In-Residence with a number of school districts and the Nevada Museum of Art.


Tony Manley

Tony Manley is a seasoned Third Party Risk Professional. He serves as the Chair of the Shared Assessments Best Practices Awareness Group. He has over 20 years of experience in TPRM operations management, including startup collaboration, TPRM department management, and managing audit and compliance.


Bob Jones

Bob Jones is deeply committed to contributing to the well-being of the financial services community. A well-known and sought-after expert in risk management strategy, he has 50 years of experience leading fraud risk management and risk management strategy. When not writing blogs for SharedAssessments, Bob enjoys playing with his 4 grandchildren and 2 granddogs.
