Work from anywhere has become the norm for many modern businesses. The pandemic experience aside, high costs of living and long commutes have motivated many companies across industries to invest in technology that enables their employees to communicate and collaborate with teammates, partners and customers from anywhere.
However, many organizations, including those in the financial services industry, remain concerned about the readiness, comfort level, and overall work from home compliance issues they might face if they enable a remote workforce for the long term.
Technology is essential to making work from home (WFH) work. But the pivot to a virtual business model has created challenges for many financial services organizations—especially for their compliance staff. These teams are charged with making sure remote employees follow the rules and regulations that are a reality in the financial services industry. And while every regulated organization may face unique compliance challenges, many of the work from home security risks fall into three areas of focus:
Work from home compliance risks
In heavily regulated industries like financial services, the general mindset is to disable or prohibit access to tools, applications and features that are perceived as risky or too expensive to govern. The risk-cost-benefit ratio isn't good enough.
But in a pandemic-disrupted world, companies that are inflexible about remote work now risk being left behind by their competition, piling up the costs of ineffective home workers, and still needing to realize the productivity benefits that modern remote-work technologies can provide.
Osterman Research presented their findings on the inherent WFH security risks, particularly surrounding compliance:
- Before COVID-19, 18% of employees in surveyed financial services firms were working from home. Today that figure is more than 80% (and even higher according to other studies).
- Four in five firms indicated they were not “very well prepared” for the crisis based on new IT and security demands for supporting a remote workforce.
The issues cited by those responding as less than “somewhat prepared” are complex and disparate. They range from the ability of their remote access solutions to scale and meet the load required (54%), to security concerns (48%), to recovery from malicious activity (45%).
Yet, despite the challenges, nearly 30% of respondents indicated that they would implement new WFH security policies or prefer that most of their staff remain remote.
IT has dealt with these challenges of remote workers in the past. Now, given new policies and an increase in remote workers, they're forced to revisit how to deal with them in a very different way.
Whether working in the company's office or remotely, employees now rely on platforms such as Zoom, Microsoft Teams and Slack to collaborate. At the same time, teams from sales, marketing, customer service, operations, accounting, human resources (HR) and other functions are turning to a growing number of digital channels to stay connected with one another and customers.
It's no surprise that about 85% of respondents to a recent McKinsey executive survey said that their companies have “somewhat” or “greatly sped up” their adoption of digital tools to help employees interact and collaborate.
The spike in the adoption of Microsoft Teams and Slack has a number of implications, some of which may be visible now at the regulatory executive level — but undoubtedly will impact supervisory processes in the next exam cycle. These implications may include the following:
- Native features for capturing content vary dramatically by platform, which will complicate the process of meeting regulatory record-keeping requirements.
- Each collaboration and social media platform is interactive and dynamic. Firms must be able to capture and supervise persistent chats, file and app sharing, and other “multi-modal” features.
- Harassment from co-workers, corporate leaders and third parties in collaboration apps is on the rise. In the wake of the uptick in Slack usage since the start of the pandemic, employment lawyers have seen an increase in harassment complaints involving the platform.
- The reality is that each collaboration and social media platform has become a target destination for cyber risks, such as ransomware, account hijacking and advanced targeted threats.
IT and work from home security
It's not uncommon for employees working from home to use their own machines rather than an employer-provided laptop. From a cybersecurity standpoint, firms want their employees to use corporate hardware with provided antivirus software and IT-approved security protocols.
IT should invoke best practices that can be easily understood and followed by what will likely be a perpetually distributed workforce. For example, chances are greater that workers will use their personal devices for work-related calls and communications, intentionally or not.
There's also a need to reduce “shadow IT.” Identify employees using unauthorized communications tools, including the growing use of WeChat and WhatsApp. A common shadow IT practice is to download free apps—often, these are collaboration apps or free or public versions of other apps that IT hasn't sanctioned and doesn't monitor.
IT and an organization's various lines of business need to provide apps that enable employees to do their jobs efficiently and effectively. The goal is to make it easy for staff to work in a way that is compliant with the company's security position. In short, give them the tools.
The solution: remote workforce governance
Companies need to update communications policies for WFH employees. Stakeholders such as IT, compliance and HR should work hand-in-hand to craft internal policy for employees needing WFH security. Provide easy-to-digest security awareness training programs, knowledge of communications policies and periodic compliance reviews.
Also, compliance workers need to make sure employees are especially mindful of the rules regarding electronic communications, outside business activities and personal trading. Employee behavior and training should feel like a partnership. Providing real-world, easy-to-understand, narrative examples can help ensure employees are neither fearful nor dismissive about adhering to policy.
Finally, do periodic risk analyses and be diligent! The rule of thumb: When it comes to supervision and oversight, you don't get what you expect, you get what you inspect.