At a glance
- Remote working offers operating cost reductions, as well as greater flexibility and productivity for staff, but it can pose risks.
- The risks largely relate to a remote worker’s physical safety and the safety of business systems and confidential information.
- Successful remote working also depends on employees with skills and personality traits that enable them to work productively and safely.
Spare a thought for lawyers and IT teams as remote working proliferates. Sure, such work practices can dramatically reduce the costs of office space and result in greater flexibility and productivity for staff.
However, incidents such as an employee falling down the stairs of their home office, or a hacker stealing confidential data through public wi-fi can present complex legal and technology challenges for any business.
With a study from serviced office provider IWG indicating that about 70 per cent of professionals around the world work remotely at least one day a week, the conundrum is not going to go away.
“It’s happening everywhere,” says Simone Herbert-Lowe, director of Law & Cyber, which provides cyber resilience advice for businesses.
She says for accounting firms dealing with sensitive details such as tax, finances and company insolvencies, there is a clear obligation to maintain confidentiality, whether workers are in head office, a virtual office or sitting at the airport or in a cafe.
“Clients don’t really care how their information was breached, it’s the fact that it was breached at all that is the problem. Training staff, or having processes or policies in place, would be part of any reasonable steps to protect that information.”
Security train wreck – the Eurostar train case
Perhaps no case better sums up the risks of remote working – and the need for safeguards – than the Eurostar train case. On 15 July 2014, asset manager Vincent Le Stradic sat on the Eurostar train from London to Paris typing on a number of mobile phones. He did not realise that fellow passenger Alexandre Zaluski, a UBS banker at the time, could glimpse information on the phones.
Zaluski tipped off a colleague about a soon-to-be-announced US$15 billion takeover bid by French mobile phone company Iliad SA for T-Mobile US Inc. Was this a case of wrongdoing on the part of the UBS worker, or sheer opportunism? Ultimately, French regulators cleared Zaluski, declaring it was part of his job as an investment banker to share the tip.
However, the case highlights potential risks of remote working, which often involves communication taking place in a decentralised and often insecure environment. This can jeopardise sensitive information as employees, tech savvy or otherwise, send and receive information over wireless networks – everything from passwords, email addresses, personal information, proprietary information, financial data, you name it.
A survey by cloud computing company Rackspace of more than 200 Australian business executives and IT decision-makers revealed that more than one-third of respondents felt that “enabling staff access to data any time and anywhere” posed a high or extremely high risk to their organisation. Forty-three per cent of participants saw extreme risk in sharing data with third parties or partners, their main concerns being data loss, data breaches and business interruption.
Kim Grady, a former safety lawyer and now a management consultant with Corvus Group, says smart professional services firms dealing with commercial-in-confidence or confidential information typically have two kinds of safety walls – laptops with regular password protections, and additional login security to files and other systems.
“Of course, once you are in the files it doesn’t stop someone on the train from looking at what you’re doing,” she says.
Recruit wisely for enhanced cybersecurity
In today’s constantly connected virtual working world, the imperative is not just about having the required cybersecurity infrastructure in place. Organisations also need the right people – those who have the appropriate technology skills and personality traits to work productively and safely from home or on the road.
Free Range Lawyers, a hub of freelance lawyers who work remotely for law firms, understands the importance of having lawyers with the right mindset for remote work.
Dr Bailey Bosch, who is responsible for the hub’s psychological assessment of workers, says while legal coverage, policies and procedures can mitigate some cybersecurity and other risks, most threats are the result of the specific behaviours of individuals.
“[In hiring lawyers we take] an evidence-based approach,” says Bosch, noting that a plethora of data is used to assess candidates.
“We then use that data to minimise the risk of employing the wrong person whose work styles and personality and behaviour preferences don’t suit a remote-working model.”
What constitutes the right fit for remote working? People with a strong sense of “individual agency” are best, she asserts. They should be well organised, have integrity and attention to detail, be self-driven and honest. The other aim is to eliminate workers who are likely to be guilty of “cyber slacking”; that is, those who show a disregard for security protocols.
Occupational hazards and remote working
Occupational health and safety policies are well understood in most traditional offices, but with accidents that occur within homes or virtual offices there may be less clarity about the duty of care. What about a car accident while driving to a job? A fall when putting the washing out during work hours?
Or a case of burnout from not taking regular breaks while working from home? Businesses can pay a high price if such “workplace” accidents result in compensation claims. Training and regular updates about such threats – and the policies to prevent them – are just the starting point.
Professor Cathy Brigden, an industrial relations expert at RMIT University, says there is often a blurring of lines around workplace health and safety when people work flexibly or remotely.
“[But] as the employer, you have the responsibility to ensure the safety of employees when you’re saying it is OK to work in the home,” she says.
An obvious response from risk-sensitive managers is introducing and enforcing protocols for staff who work remotely. For example, in terms of the office environment, management could inspect home working environments to ensure their staff are working in a safe place.
Brigden says that means ensuring desks and chairs are set up properly and the worker is “not hunched over a laptop on a kitchen table”. In larger organisations with hundreds or thousands of staff, an employee’s self-assessment of their workspace may be more appropriate, or they may have to provide written or photographic details about their work environment.
Management should focus on health and safety
Whatever managers do, they should not ignore workplace health and safety issues. “You need to be able to demonstrate that you have turned your eye to it,” Grady says.
Of growing relevance, she adds, are mental health issues in the traditional and remote workforces. With employees increasingly needing to be available around the clock via phones, texts and emails, the boundaries between work and home have never been more obscure, and that can take a mental toll.
“The culture of ‘busyness’ is tied up with some of the really great benefits of working flexibly,” Grady says, “but it comes with some negatives as well.”
There is no doubt that the incidence of remote working will increase in years to come, putting pressure on companies to make the practice safe and employee-friendly.
Simple actions can help. To combat the sense of isolation that many remote workers experience, businesses can encourage regular video catch-ups with staff, so they still feel connected to head office. With cybersecurity, boards or senior managers must understand the risks to their organisation, define cybersecurity governance and instil vigilance among employees through cybersecurity training.
There is no room for complacency. Brigden says a key to remote-working security will be to have proactive and rigorous HR departments that inform and educate all managers and employees about guidelines, policies and procedures. Under no circumstances should individual managers and employees make their own arrangements that fall outside the organisational policy.
As the army of remote workers swells, Brigden says there is the danger of employers getting lazy and for proper oversight of working environments to “start to erode”. That can lead to employees taking their chances with security. Just ask Vincent Le Stradic.
CPA Australia Resource:
4 ways to play it safe with remote working
Here are four tips for businesses as they implement remote working:
1. Updates policies
Too often, companies implement a remote working security policy but then fail to monitor or update it. Every quarter at least, assess and revise the policy.
2. Enforce rules
No one wants to work for Big Brother, but it is important for employees to know and follow remote working security policies. Ensure that staff have adequate initial training around best practices to follow.
3. Identify threats
Cyber threats change continuously, so alert employees to any potential new threats. Video chats are a great way to keep them informed.
4. Protect networks
Not all employees require access to all aspects of a business’s private network. Identify who needs access to what information and minimise the risk of fraud or accidental data errors.
Remote working: how to protect yourself and your business
Dialling into a conference from an airport lounge? Working from a hotel while using an insecure email platform? Sound familiar?
Such actions are risky and may breach legal requirements, driving home the importance of having ironclad employment contracts or policy documentation.
Do you know, for example, if your work contracts are up to date in terms of the scope of work activities for staff ? A failure to assess an employee’s new remote office location could also cause legal or client privacy issues in the event of a cyber incident or data breach. Likewise, doing business in a cafe with insecure wi-fi could threaten client privacy requirements and nondisclosure agreements.
Kim Grady says while most companies have confidential information provisions in employment contracts and general policies to safeguard the business and its clients, they may not then apply those rules effectively.
“[For many employees] it’s like ticking the box on accepting the terms of conditions these days. They don’t read the contract necessarily or think about the potential ways they could breach it.”
A robust induction program that addresses “real-life risks” is essential, according to Grady.
Simone Herbert-Lowe agrees that it is important to educate staff so that in the case of a breach of confidential information, a business can respond appropriately to a court or tribunal.
“You want to be able to show that you’ve taken steps to educate people and that you have policies in place. Nobody can guarantee that their business won’t be hacked or suffer a security breach, but if you have to defend a legal action or your business reputation, the question will be whether you took appropriate steps to prevent a data breach occurring.”