The pandemic has changed our way of life, not least in the way we work. It has shown us that one size does not fit all when it comes to balancing work and personal lives. As we come out of numerous lockdowns, we’re not seeing a return to the “old normal”.
Businesses are changing their models and continuing to experiment, and we are seeing three approaches emerge:
Full flexibility. In June this year, Deloitte announced that they were giving all 20,000 UK employees the ability to choose where they work permanently.
Office first. Firms like JP Morgan and Goldman Sacks have been very clear that office life is core to their business model and will therefore predominate.
A hybrid approach. Adopted in the middle ground, with remote working supported for a few days each week for many, or all, of their staff.
There may be no perfect model and no one size fits all solution. Each model has its pros and cons. However, caught in the middle of these debates are the compliance department. Working remotely to any degree presents a host of regulatory challenges that many firms are not yet addressing properly.
In this article, we will touch on three of these key areas: data and privacy, cyber security, and conflicts of interest.
Data and privacy
The first regulatory challenge relates to data and privacy. Starting with employee privacy. Some managers worry about productivity and surveys report that one in five firms plan to monitor staff as they work from home. Aside from the obvious trust issues they have, these businesses could be in breach of GDPR, and liable to any damage suffered by their workers as a result of a breach by, effectively, spying on their staff.
Regarding privacy more generally, employees working remotely multiplies the end points coming into the system. This in turn multiplies the risk as it can be hard for the employee and the organisation to know when the data was actually breached, and it will be even harder to identify how it happened.
Most remote workers will have to move data or devices into public spaces such as shared accommodation. This further opens up the risk of devices or data being mislaid. Many breaches have occurred from documents being left on trains, USB sticks falling out of pockets or laptops being stolen. Although it’s hard to stop devices being mislaid, there are ways to mitigate the damage if this happens. For instance, setting strict access rights on devices and systems that those devices access.
Cross-border transfers of data are yet another issue. Firms are liable to educate themselves on the legalities of sharing data with employees situated around the world, as well as global clients.
Regardless of where people work, companies must maintain security standards. This is challenging when data is moving back and forth between offices and remote employees and devices. But with the increased number and diversity of endpoints in the system, there are higher risks of breaches. Added to this is the fact that many employees are allowed to use their own devices and software.
Many businesses are aware of these risks, but few have done much about it. Research shows that 41% admit that their remote working strategies may be in breach of data protection regulation, and 45% expect a breach due to staff using devices which are not fully protected.
The traditional “castle and moat” approach used in the office is no longer applicable in these circumstances. It’s imperative that all ingress and egress points are identified and secured in this newly expanded network. Adopting a zero-trust strategy is not optional, it’s a new business imperative.
People in organisations need to have trust in the technologies that bring them together. The term, “zero-trust” may feel like the opposite of that, but when you assume breach and provide the least privileged access necessary, it actually empowers employees with the flexibility and freedom they want. The hybrid world is largely perimeter-less, so wrapping protections around identity and devices, is critical.
Cyber security also depends on the individual, with one in five breaches caused by human error and ignorance. Organisations must educate and support staff, expand help desk support, and drive a culture where it’s ok to flag concerns.
Conflicts of interest
Or “side hustle syndrome” as we like to call it. Remote working can stimulate an employee’s entrepreneurial side, providing the opportunity to start or develop their side hustle. This is not problematic in itself, but unclear guidance or inconsistent application of the rules regarding personal conflicts are problematic, and can be damaging for both the organisation and the employee involved.
So, the challenges are serious and the message from regulators is also very clear. As Julia Hoggett, CEO of London Stock Exchange Group said, our expectation is that going forward, office and working from home arrangements should be equivalent. Firms need to be as vigilant as they were in the office at home as well, and this places pressure on compliance functions and the accountable executives in times of tough cost controls. There’s no easy solution here to these challenges, but regtech is one of them.