The compliance challenges of hybrid working

When employees were asked to work from home at the start of the COVID-19 pandemic, some people struggled to adapt. Isolated from colleagues and lacking the structure of office life, it felt like it would be a long, tiring wait until working life returned to normal.

But in the year and a half since, we have come to accept that remote working is here to stay – although perhaps not quite as prescriptively as before.

A report published by Microsoft Surface and YouGov found that 87% of organisations have adopted hybrid working, in which employees divide their work time between the office and home.

There are clear benefits. For a start, you keep the positives that come with remote working while regaining the advantages of office life.

Employees can again meet face-to-face and will feel less isolated, and employers can make sure staff are staying on top of their workload.

But if you’ve adopted a hybrid working model or are thinking about it, you must acknowledge the challenges that it brings. A new approach to work requires careful consideration – and one of your biggest concerns should be your compliance posture.

In this blog, we look at the key issues that you will face.

Protecting employees’ privacy

When you put in place a hybrid work model, you immediately create a divide between employees who are in the office and those who are at home. One of the biggest problems is the way you monitor their activity.

You may take a softer approach with office-based employees, as it’s easy to see how they spend their days. For remote employees, you either have to trust that they’re getting on with work or install software to keep track of them.

Perhaps surprisingly, the former option is more popular, with a Skillscast study finding that only 20% of organisations have installed or are planning to install software to monitor remote workers.

This might be fine if your only concern is productivity, but if you also have regulatory compliance challenges, you may feel compelled to install such software.

For example, financial services firms may be worried about employees breaching insider trading laws. More broadly, organisations may fear that employees are misappropriating sensitive information or gaining unauthorised access to certain parts of their database.

The way you monitor employees will therefore differ depending on their location. Although monitoring software comes with understandable privacy issues, remember that the GDPR (General Data Protection Regulation) doesn’t prohibit their use.

Indeed, if you have a lawful reason to monitor employees and you document that reason, you are justified to keep an eye on their activities.

However, you need to make sure that you can separate the monitoring of work and personal activity. You should also ensure that monitoring is as unobtrusive as possible and that you review your practices regularly.

If you’re not confident that you can monitor remote employees without jeopardising their privacy, you can ask them to work permanently from the office.

Preventing data breaches

Employee monitoring software not only helps track productivity and the possibility of data being misappropriated but also helps your cyber security team spot poor cyber security practices that could result in cyber attacks.

Although some employees say they are more productive working remotely, others may feel disconnected or lose motivation. In the office, employees often follow the lead of those around them, working longer hours to contribute to the team and asking for help when they need it.

But when we work from home, that discipline can be lacking and may result in costly mistakes.

For example, when an employee spots a suspicious email, they can’t ask the person next to them if they’ve received the same message as part of a phishing campaign or speak directly to the person who supposedly sent the email.

As such, they are far more likely to fall victim, which could result in their device or their credentials being compromised – issues that are much harder for the cyber security team to rectify if the employee is working remotely.

Monitoring software is therefore essential to ensure that data breaches are spotted promptly and to give your organisation the opportunity to respond.

However, to meet your compliance requirements, you need to conduct regular staff awareness training to help employees respond appropriately.

If you adopt a hybrid working model, this training programme must highlight the mistakes employees may make while working from home, and the differences between effective remote and office working practices.

Addressing technical vulnerabilities

A hybrid working model creates new security risks for organisations – not least because data is frequently transferred between office-based and remote employees.

This is most likely to occur over a Cloud server, which may provide added protection for an organisation but isn’t impervious to attacks.

For example, there are several phishing campaigns in which scammers replicate automated notifications of file shares to capture people’s login credentials.

Additionally, the Cloud service provider itself may be vulnerable to attacks – as we saw recently with the ransomware attack on Kaseya.

There are steps organisations can take to protect their compliance posture in the face of a third-party breach – typically, these relate to contractual agreements with the supplier regarding their commitment to cyber security.

With the right protocols in place, you can avoid liability in the event of a data breach, but unfortunately, it’s all but impossible to eradicate the risk of a security incident occurring.

That’s simply the nature of cyber security; there are too many cyber criminals and many things that could go wrong to guarantee safety at all times.

This is an issue you must also address regarding your own hybrid working security practices. Unlike a fully office-based set-up, in which employees’ computers all run through the same network, remote employees will each connect to your systems using individual networks.

As such, you will have dozens, if not hundreds, of additional endpoints – each of which is vulnerable to an attack.

You are responsible for implementing appropriate technical controls to prevent data breaches, which means employees must be issued work devices. This is the only way you can ensure that the appropriate tools, such as antivirus software, are deployed.

It also enables your IT team to monitor the traffic of that device without infringing the employee’s privacy – something that wouldn’t be possible if they were using their personal device.

Looking for more advice?

You can learn more about the compliance risks of hybrid working by registering for our free webinar: How to Navigate and Implement a Successful Hybrid Workforce.

Presented by IT Governance’s founder and executive chairman, Alan Calder, this presentation explains:

  • How the shift to hybrid working impacts organisations;
  • The privacy and cyber security risks organisations face during and after the transition to a hybrid working model;
  • Key areas organisations must consider when operating under a hybrid working model; and
  • Six practical steps to successfully implement hybrid working.

The webinar takes place on 1 September 2021, from 4:00 pm. If you’re unable to make it, the video will be available to download from our website shortly after the presentation.

No Responses