Companies must develop risk assessment and containment strategies that reflect the new working-from-home (WFH) dynamic. Companies that have adopted WFH strategies to preserve efficiency and productivity in the face of the coronavirus (COVID-19) pandemic now need to carefully review their risk profiles.
WFH has become commonplace across the business world, with companies moving quickly to adapt to social quarantine measures and stay-at-home orders. Global Workplace Analytics has forecast that around 30% of the global workforce is expected to work remotely by the end of this year.
One of the most profound discoveries has been that rather than lost productivity, employee output has either remained the same or, in many cases, increased – although the productivity rate does vary between different industry sectors. But with concerns around sustaining productivity outside of the office largely allayed, now is the time for managers to begin focusing on the various risks and challenges posed by remote / flexible working.
Employees working from home – where distractions and temptations are more numerous, the threat of cyber attacks is higher and the sense of professionalism and adherence to corporate policies, procedures and protocols is lower – invariably present a greater risk to their employer companies.
Kevin Bowers, founding partner at Hong Kong-based bowers.law, told Conventus Law that companies needed to start weighing up the broad spectrum of risks posed by a remote workforce.
Phishing trip
He said: “Employees are much more likely to fall prey to phishing attacks when working from home. This boils down to their removal from a professional environment, where procedures and protocols can be more easily implemented, applied and reinforced.” Phishing attacks accounted for 90% of data breaches, according to Cisco’s 2021 Cyber Security Threat Trends report, which was published on 1 November 2021. The success rate of these attacks lies in the fact that they target the weakest link in the security chain – the user. Whilst companies have traditionally leaned on their IT teams to employ hardware, software and training solutions to combat this ever-increasing threat, these approaches have been undermined by WFH strategies. Home offices are often characterised by inferior network security, the use of personal hardware rather than company-vetted systems, and an increased number of distractions. Add to this list the fact that employees WFH are less motivated to liaise directly with their colleagues, and the chances of a successful phishing attack soar.
Automation platform Ivanti reported in July 2021 that, in a survey of more than 1,000 enterprise IT professionals, 74% of respondents said their organisations had been compromised by a phishing attack within the previous 12 months, with 40% noting that they had experienced an attack in the previous month. Bowers said: “A classic phishing attack targets accounts teams with payment requests or a request to change banking details. Employees who are working from home – where they’re less engaged / more distracted and without any actual pressure or oversight to implement or apply corporate and accounting policies, procedures and protocols – are more likely just to hit the send button in response to these phishing requests.”
Reputational risk
Beyond the security risks created by a geographically dispersed workforce, companies must also weigh up the potential reputational risks WFH strategies can create. Employees have always been a source of risk in terms of their behaviour on social media platforms – either their own or their company’s – and these platforms have seen a marked increase in use since the start of the pandemic.
All social platforms – including LinkedIn, Facebook and Twitter – experienced an 8-38% uptick in their monthly active user bases between 2019 and the start of 2021, according to Statista.
“There is a heightened risk of employees working remotely posting inappropriate material on personal social media which could create negative and damaging publicity for their employers,” Bowers said. “However, companies’ efforts to track employee activity have also led to poor management decisions, including the infiltration of employee groups and tracking online activity in order to covertly observe their behaviour.” Corporate reputation is an intangible asset that is difficult to manage, but carries considerable benefits such as increased customer and employee loyalty. As such, protecting that branding and reputation should be of paramount importance. Bowers said: “Companies need to adopt a ‘prevention is better than cure’ approach when developing policies for risk management. Once that cat is out of the bag, it’s a nightmare to get back in.”
Prevention better than cure
With WFH becoming more commonplace, it is more important than ever for companies to double down on policies, procedures and protocols. Employers need to both understand the challenges that remote working creates and aim to mitigate the associated risks. Bowers said: “It’s vitally important that those policies, procedures and protocols are actually implemented and not simply posted on the intranet with little to no follow through. Remote working requires companies to develop greater engagement with their teams.”
Bowers argued that a broad spectrum of risk had emerged owing to the shift away from a centralised working environment to home offices. He said: “There are insurance risks connected with employees working remotely. For example, professional indemnity, occupiers’ liability and employee personal injury compensation. Companies also need to consider the increased risk of breaches of confidentiality, personal data rules as well as breaches of regulated activities in regulated financial or professional services sectors.”
As the world transitions towards a post-pandemic era, where COVID becomes endemic, the push for flexible working overseas is only likely to increase. Bowers said: “Remotely working overseas creates its own set of risks. For example, which law will be applied to the employment relationship? Is it the jurisdiction of the country in which the employer company is based, or the jurisdiction of the country where the employee is working remotely? These are questions that need answers now.”
When all else fails…
Ultimately, human error can and will inevitably lead to lapses in judgement and breaches of protocol. The rising tide of successful phishing attacks is testament to this fact. Whilst developing a comprehensive prevention strategy should be a company’s leading priority, management also needs to embrace the development of an organised crisis management plan (CMP). Bowers said: “Companies must be ready with an organised CMP with personnel from each key department allocated appropriate roles.” This means, he said, having members of the legal, PR, communications, accounts and IT departments (in addition to the C-suite) on permanent stand-by in order to mount an effective rapid response to any crisis, as maintaining control over a rapidly evolving crisis situation is key to overcoming the problem.
The pandemic has changed almost everything and will likely continue to shape how the business community operates for several years to come. Developing the necessary strategies to counter existing and emerging threats before they happen is essential to remaining competitive. Bowers advises: “Dust-off and update those risk and crisis management playbooks today!”
This article was written by Andrew Kemp for Conventus Law in association with Bowers.Law.
The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions, position or policy of Bowers.Law or its other employees and affiliates.