For many, a silver lining of the Covid pandemic was the rapid shift of working practices. A move to more flexible working, including working from home, has improved the work-life balance for many employees. But it has also led to data privacy, security and confidentiality challenges. As WFH matures, how can employers best mitigate the risks of the new paradigm? Phil Taylor investigates.
Remember when working from home was a novelty, something frowned on and often viewed with suspicion? How times have changed. It is becoming rare to find a company in which all employees attend their office daily; even where fully remote-working has not been embraced, there are many other models being implemented, under a range of labels: agile, flexible, hybrid … Of course, not every company has embraced new ways of working with equal enthusiasm. Some are now pushing back and asking their employees to be physically present in the office more frequently, often to justify their expensive real estate. But whatever your views, it seems working from home, in one way or another, is here to stay.
Many employees are happy with this new normal, and employers are seeing the positive side, too. Guidance published by NI Business includes an impressive list of benefits, including increased flexibility and agility; improved employee retention; the ability to better attract new talent; increased staff productivity, motivation, health and wellbeing; financial benefits (with savings on office space, office supplies, utility bills, business travel, and potentially tax bills); and lower sickness absences. In some cases, the driver of hybrid working has acted as a catalyst for companies to improve their technical infrastructure, too.
But this way of working also brings significant risks for individuals themselves, and compliance risks for their employers.
For employees, remote working may lead to complacency about unsolicited contact via email or instant messaging, and less ready access to a second pair of eyes to check whether an email is real or a scam. This leaves workers much more open to certain types of fraud such as phishing (scam emails) and smishing (a cyberattack carried out via mobile text messaging or a messaging app such as Slack). These attacks can obviously impact the employer too, for example where clicking on a link in a work email opens up a channel into a firm’s systems. It’s easy to forget that employees often act (perhaps unknowingly) as gatekeepers of a company’s network.
Invoice and other payment frauds can also prevail in this environment. Hong Kong lawyer Kevin Bowers gives the example of an employee who receives a scam email asking for an invoice payment to be made to a new bank account.
“In an accounting department in an office you may physically sit across from your colleague or supervisor, ask them about it, and be told not to approve it or at least to check the origin and authenticity of the email payment instruction and fresh invoice details,” Bowers says. “There will be a lot more fraud cases where accounts people are sitting at home on laptops and not always following internal protocols for approvals of transfers.”
Tech headaches
For those whose job it is to maintain information security, remote working can be a significant challenge. Information security risks are significantly escalated where employees work remotely, and therefore need to access company servers from outside of the usual company ‘bubble’; sometimes, this may be through a public, unencrypted WiFi hotspot – a notoriously insecure system.
Employers who do not use encryption software and VPNs may find their data being accessed or even stolen by unauthorised bad actors. It can also potentially be harder for IT teams to roll out updates and fixes, offer IT support and ensure employees’ equipment is optimised and suitable.
Risks, physical and ethereal
For companies, there are other WFH-related risks which can impact them, either as an incidental side-effect of their employees’ working conditions, or in some cases as a result of their deliberate actions. Some risks are physical, such as an increased likelihood of theft of equipment from an employee’s home or car, a greater danger of abuse of company property, and a higher chance of accidental damage (children and pets are not usually found in offices).
Other risks are equally substantial but may be financial rather than physical. Companies could, for example, find themselves falling victim to fraud committed by their own employees.
“It’s worth thinking about the ‘fraud triangle’ here,” says Bowers. “One side of the triangle is ‘opportunity’: there is certainly more opportunity when sitting at home. Then there’s ‘means’: employees will generally have the same means whether at the office or home. And finally ‘justification’: it might be easier to justify your actions when you are not surrounded by your team members.”
The loss of important lines of sight between employer and employee, as well as between fellow employees, can also translate to an impact on compliance reporting. According to a report by Gartner published in June 2022, the overall rate of compliance reporting by employees dropped by 30% between the pre- and post-pandemic periods, and employees working remotely appear to report 11% less misconduct than their colleagues who work in the office. Lower levels of reporting can leave companies blind to crystallising risks, and in some cases failure to report can be a regulatory, civil or criminal breach.
Failure to record
We have already discussed how keeping an eye on employees is made significantly more difficult when employees work away from their office. Over the past few years a number of well-known banks have found this out the hard way.
According to two financial services regulators in the US (as cited in this report written by Alvarez and Marsal), between January 2018 and September 2021, bankers at 16 Wall Street firms “often used messaging apps like SMS text and WhatsApp to discuss business topics, including debt and equity dealings with co-workers, clients and other third-party consultants.”
These were conversations conducted on the employees’ own devices, meaning the firms involved generally did not keep records. This led to breaches of strict U.S. federal regulations on preservation of business communications.
The period of time in question spanned the start of the Covid pandemic and the introduction of lockdowns and work-from-home edicts. But although some firms, understandably, may have struggled to keep up with the unprecedented and rapid changes forced on them by the spread of the virus, their regulators allow very little leeway.
“As companies transitioned to remote work models, government regulators have increased focus on the use of unofficial channels of communication, particularly in heavily regulated industries which require companies to honor their recordkeeping and books-and-records obligations,” explained US law firm Squire Patton Boggs in a recent article for Lexology.
In a newsletter published in January 2021, the UK’s Financial Conduct Authority (FCA) warned of these types of risks and made clear that firms it supervises must continue to comply with their usual recording obligations. “Risks from misconduct may be heightened or increased by homeworking. This includes increased use of unmonitored and/or encrypted communication applications (apps) such as WhatsApp for sharing potentially sensitive information connected with work. Use of such apps can present challenges and significant compliance risks, since firms will be less able to effectively monitor communications using these channels,” the FCA wrote.
In December 2021, JP Morgan became another high profile example of how these risks can crystallise; the bank was fined a total of US$200 million (US$125 million by the Securities and Exchange Commission (SEC) and US$75 million by the Commodity Futures Trading Commission) for failure to monitor employees’ communications. Less than a year later, the two regulators announced the outcome of what had been a long-running and wide-ranging investigation into these practices, and imposed fines approaching US$2 billion between them on a number of other institutions including Bank of America, Citigroup and Goldman Sachs. And on 11 May this year, HSBC Securities and Scotia Capital admitted breaches of recordkeeping requirements by way of their employees’ use of personal devices and apps for work communications, and had significant civil penalties imposed by the same regulators. The SEC said it had uncovered “pervasive and longstanding use of off-channel communications” at the institutions.
Unfortunately, and as these cases show, it does not seem that financial services firms have learnt their lessons. A survey conducted by SteelEye in 2022 (for its Compliance Health Check report) found that although 41% of firms highlighted communications surveillance as a top investment priority, only 15% monitored WhatsApp.
Listening in
Perhaps a less obvious risk is the potential for confidential information to be leaked in a more old-fashioned way: being overheard. Employees may be working in an area (whether at home or in a coffee shop or on public transport) where conversations can be overheard and screens overlooked. This could be a significant compliance problem for regulated firms. Roommates, visitors, members of the public or even family members may not always be trustworthy and are unlikely to be subject to the same confidentiality and integrity standards as employees. They could even be working for a competitor or client.
There’s another ear which may be listening at home, too: the smart speaker. Always-on products such as Alexa, Siri and Google Home work by listening to the sounds around them, waiting for a “wake command”, and then recording the further dialogue. Recordings are uploaded to the cloud for further processing and parsing. Conversations are usually saved (the details depending on the user’s settings). The presence of smart speakers clearly poses a significant risk for businesses handling sensitive or confidential work, but many companies have not yet considered this in their risk assessments and policies.
Fixing the leaks
So how can companies best protect themselves as WFH continues to bed in and mature? Some firms clearly prefer the stick to the carrot. Morgan Stanley reportedly imposed stiff financial penalties directly on its own employees who were found using unauthorised messaging platforms for company business, according to two sources familiar with the situation.
While this approach may work in some settings, for Ben Blackett-Ord, CEO of consultancy firm Bovill, it comes down to culture.
“In a remote working environment it’s a great deal harder for firms to demonstrate their culture and for employees to live that culture,” he says. “The key is how you enhance that trust in a work-from-home environment rather than letting it dissipate.”
“Working from home can impact communication and collaboration among team members, which may lead to delaying and providing incorrect advice to the management and business,” adds Joyce Wong, Chief Operating Officer of Lukfook Financial, a wealth management consultancy based in Hong Kong.
In an article for Regulation Asia published in December 2022, Rupal Patel, Head of Risk Intelligence at Acin, set out a number of “essential steps” firms should take to reduce their risks in this area. A number of these focused on the use of technology, including network data and intelligence, risk intelligence to allow ongoing risk management, monitoring of apps on work devices, and allowing employees access to the same tech both at home and in the office, including recorded phone lines.
Wong agrees that employers should provide their employees who are allowed to work from home with all relevant tools and technologies, such as secure devices and networks.
As regtech continues to rapidly evolve, helped by advances in AI, and compliance functions use this technology more and more, there is arguably less scope for human error and more scope for audit of what has been done, by who, and when.
“Without question the more tech is used, the less scope there is for people to do the wrong thing or not do anything in the home working environment,” says Blackett-Ord. “But it all still comes back to the culture point.”
One of Patel’s essential steps is aligned with this view: he suggests that embedding and improving a culture of compliance, including a “speak-up culture” where employees are encouraged to flag poor behaviour, is key.
There are a number of steps that can be taken here. The first is to make sure relevant policies, such as protection of corporate assets and data security policies, are up to date and relevant, including for those working remotely. This is a point made by the UK Information Commissioner’s Office (ICO) which suggests that policies, procedures, and guidance should cover topics such as accessing, handling, and deleting of data. (The ICO has collated some useful guidance around working from home which is available on its website.)
“Employers really need a specific WFH policy saying what their employees can and can’t do while working from home, to be an integral part of the staff handbook and a social media policy which complements that WFH policy,” says Bowers, who also points out that policies and procedures must be regularly updated to keep up with the rapidly changing IT landscape and data protection rules, and must also be readily accessible rather than hidden “in the deepest darkest corners” of an intranet site.
“There are other ways of making sure people know about and follow policies: you could have regular Teams meetings to make sure everyone does know about and follows the policies, and make them well-known during the onboarding process to make them part of the corporate culture. Both awareness and implementation are key to minimising risk,” he says.
Training and communication programmes should also be adapted and frequently updated, to keep pace with trends in technology and working practices.
“Provide proper training to employees on data privacy and protection, record keeping, internal policies and procedures, on a regular basis,” advocates Wong. “The most difficult part is assessing the productivity and work oversight risk: a clear KPI should be set and the manager in charge should perform regular checking to make sure all the work is properly carried out and followed up,” she adds.
Moreover, tone from the top and corporate compliance messaging – including in relation to information security, anti-fraud practices, ethical standards and reporting of misconduct – becomes more important than ever. Over all this should sit a comprehensive and fully updated business continuity plan which considers every potential scenario.
None of this is easy for companies which will undeniably need to work harder in this new environment, and may need to invest more money in the short term. As Blackett-Ord says, “many companies are quite a long way from working out what the right answer is.”
However, businesses are likely to find an investment of time and money at this stage more than worthwhile in the long term. Assessing and addressing the many and varied issues associated with working from home should significantly reduce the risk of potentially very costly regulatory breaches, employment law issues and civil or even criminal liability.