This post was originally published by Robert Cruz at Smarsh.
As we all plunge further into the world of remote work, we continue to hear from companies that are all over the map regarding their readiness and level of comfort with this new reality. They want to understand the implications an ongoing virtual working scenario is having on their people, processes and technologies. Sure, there are those for whom this situation is just an extreme application of existing work-from-home policies. But for others, it is like being hurtled into an entirely foreign universe. The questions they’re asking are often fundamental, such as:
- How do you equip employees with laptops and secure VPN connections, and ensure they have sufficient wi-fi coverage to get their jobs done?
- How can firms update policies to govern how individuals can use their mobile devices for work?
- How can you ensure that critical business tasks can be completed by distributed teams without missing key deliverable dates or impacting customer service?
However, for everyone, this unprecedented time has also created some new challenges, including:
- A spike in phishing, malware, and advanced security threats
- Questions arising about the security and data privacy protections provided by technology companies, including Zoom
- “Zoom Bombing” and the arrival of unwelcomed visitors into meetings and conferences
(BTW – I am not bombing Zoom, as their executive team has been quick to acknowledge and pledge response to these concerns within the next 90 days. Let’s face it, it’s not every day that an organization has had to deal with the problem of growing its user base from 10 million to 200 million in a 3-month span…)
We’ve used virtual meetings and conferencing technologies to engage with people who are in the middle of this challenge. This has proven to be informative, not only to share common challenges and best practices, but also to build a sense of community and connectivity that is in such desperate short supply during this crisis. I’ll share some of the insights from two recent Zoominars that included the following participants:
- Scott, Chief Compliance Officer from an Australian-headquartered bank
- Jan, Senior VP of Collaboration for a top 5 global bank
- Caitlin, Deputy Global Chief Privacy Officer at a major insurance provider
- Paul, Corporate Counsel at a major product certification provider
- Garrett, Chief Compliance Officer for a Chicago-based insurance firm
- David, Principle Solution Engineer from a leading collaborative technology provider
Coping with the Stay-at-Home Reality
We began our discussions with a scan of the panelists and attendees. “How’s everyone doing?” seems to be the overtly neutral opening question we are all asking each other, realizing that this is an adjustment for some, but complete and total disruption to others. Not surprisingly, the responses covered the spectrum from those accustomed to the occasional work-from-home day to those whose businesses would make such arrangements appear to be logistically impossible (e.g. how does a marine construction firm work from home?).
Several attendees indicated that while this is new to them, their focus is on trying to figure it out so they can continue to serve their clients. This served as a good reminder that, for some, coping with today’s reality can be as fundamental as keeping the lights on.
Equipping Your Remote Workforce
Turning to the issue of communications, our panelists and attendees were all aware of an underlying shift in the use of new technologies that had begun even before the COVID-19 situation. Several indicated that they were in process of deploying or standardizing Microsoft Teams, while others said they had successfully deployed some combination of Teams, Slack, and Zoom, frequently using the terms “flexibility,” “agility,” “faster decisions,” and “improved responsiveness” in describing the results to date, and which may extend beyond the end of the crisis.
Paul noted, “My company is very heavy on in-person meetings, so I’ve been happy that those have been cut down. And I’m hopeful that even after this is all done, and we’re back to work, we will have fewer in-person meetings since it’s easier to set up Skype or Teams and get things done more quickly.”
However, one of the most interesting comments was provided by the deputy general counsel of a global payments processor, who described the adoption as a “horseshoe” within his firm—those approaching retirement on one end, and the influx of newer demographics on the other. The former group, they said, “doesn’t care to use it, so they’ll call me. It’s a challenge because I’m constantly disrupted by chat and can’t call them right back. The balancing act is very hard because of different expectations, depending on your age.”
Surprisingly, this comment was echoed by David, our collaboration tech expert who noted “there’s a culture that says, I know I sent that to you, but I’m going to think of what I sent you as synchronous and will keep poking you, which is when your phone starts blowing up and it’s whiplash.” I can relate, as my phone continues to blow up.
What are the Risks?
Not surprisingly, panelists had no shortage of risk dimensions to raise that align with those we have previously covered. Front and center were concerns over data privacy, which our privacy experts said are illustrations of the need for privacy impact assessments and due diligence of third-party risks introduced by new vendors.
As Caitlan, our privacy executive panelist noted, “You need to consider the type and the volume of personal data that you expect to be flying around on the communication platform, and consider if is there large scale processing that’s going to be taking place. Certainly, think about the data retention puzzle and whether you can control it.”
Other notable points included:
- CCO Scott noting that regulatory compliance complexity includes, “capturing and supervising 100 people in a chat, some of which shouldn’t be in that chat.”
- Collaboration SVP Jan who noted the ongoing challenge of identifying individuals using unauthorized communications tools, including the growing use of WeChat and WhatsApp.
- Corporate Counsel Paul, who highlighted the need to understand the automatic collection and preservation capabilities of new tools and how they align with policies. He also urged firms to be aware of recording features of conferencing tools to avoid notification requirements.
The discussions were probably best summed up by CCO Garrett who said, “We were dealing with all of these things already. What’s new is that we’re dealing with them in a very different way.”
Governing Your Remote Workforce
While many of us have been dealing with these issues, there is no way to overestimate the disruption and impact this crisis has created for many. How any organization best deals with this situation is, in large part, a function of how accustomed they are, both operationally and culturally, to a distributed workforce. Generalizations are not useful, so let me simply highlight some of the comments from our panel members and attendees.
CCO Scott: “Make sure you understand the business purpose of new technologies. Do your risk assessments, and when you’re putting phones or technology in place compliance should always have a seat at the table. When it comes to supervision and oversight—you don’t get what you expect, you get what you inspect. So, the more communication, the better.”
DCPO Caitlin: “Make sure that you’re in front of the risks. The first and most basic thing comes down to the behavior of your workforce. Make sure that you’re presenting these considerations in a way that isn’t “capital C” compliance, but really brings it home to people and makes it real to them. One of the best practices that we always try to keep in our training is using real-world examples. Using storytelling as a tool and making sure that we drive the message home in a creative way that makes it about the employee, about your day-to-day work, so you can realize the importance of taking the right actions.”
Chief Counsel Paul: “I’ve heard stories about employees working at home using their own machines versus the work provided machine. From a security standpoint, you want your employees to use your hardware with your antivirus software on your security protocols. Make it easy for your staff to work in a way that is compliant with the company’s security posture. Just give them the tools.”
CCO Garrett: “I’ve been partnering with our chief audit executive to think about how we monitor the use of these new technologies or the increased use of technologies that we were already looking at. Make sure that you have insight into what’s going on with these tools, making sure that you’ve got flags popping up when something’s occurring that isn’t aligned to your expectations or isn’t consistent with your policies. Just thinking differently about what controls you have in place and how they apply to these new technologies.”
Good Health, everyone.
Robert Cruz is Vice President, Information Governance for Smarsh. He has more than 20 years of experience in providing thought leadership on emerging topics including cloud computing, information governance, and discovery cost and risk reduction.