People decision trees
As we discussed in part one, there is no one size fits all when it comes to a “secure” remote worker. You can load up as much secure tech as you want, but if your workforce doesn’t understand how to work securely in their new distributed world, you may as well not bother.
The bad news is; there’s no quick fix. As with any decision, there are extenuating factors to consider and not just which tech works with which device. Some elements are personal circumstances.
As you’ve discovered, many of your workforce will never have worked from home, but have you thought about whether they have the right conditions to do so? Laptop sales grew 2.8% in the second quarter of 2020, highlighting the scramble for suitable work from home equipment. I think we can safely say we knew they needed the right equipment if they didn’t already have a portable corporate device.
I know of a few companies who began to prepare for lockdown by surveying remote working suitability, quite early in the year. I’ve not seen one of these surveys so unfortunately, I’m unable to comment on their thoroughness into circumstance.
Circumstances, to name a few
Let’s delve into a few extenuating factors for “secure” remote preparedness.
Living conditions: Do they live in a suitable working environment? Is it a shared property, with shared WiFi and communal areas? Do they have access to a practical, comfortable and private location to do their work? Can they work from home safely (and I mean physical safety)? Are they able to manage childcare whilst schools are closed?
Finances: Do they have a partner who’s suddenly out of work, meaning cash is a bit tight? Do they have the home resources to effectively and efficiently work? Can they manage the increase in utility costs by redirecting commuting costs into household bills? Are they able to sustain themselves without a subsidised canteen or the team biscuits? Do they have suitable internet connections, that aren’t limited by fair usage, without additional cost?
Cohabitation: Do they live with anyone who would pose a risk to them or the business? If you require background checks, how do you manage relationships which may gain access to company data? Are they able to carry out their work away from cohabitees?
Education/knowledge: Are they able to carry out the tasks independently, away from a support network? Do they have the cognitive skills to adapt? Do they have the physical tools and the knowledge of their use to work effectively? Do they have refreshed data protection and secure working knowledge, in light of the changes made to working conditions?
Mental wellbeing: Are they able to cope with the isolation of remote working? Are they going through tough or challenging times that can have an impact on their mental wellbeing? Are they scared/anxious/nervous about new ways of working, their job security or the global situation?
The list is endless!
Do any of these ring any bells from when you’ve previously encountered an accidental or malicious insider?
Data and system access controls
We wouldn’t be doing our job correctly if we weren’t all over data controls and who has access to what, and for what purpose. As part of the remote working transition, did you make any reviews to these controls?
If you didn’t, I hope the cogs are now turning. Let me give you a few scenarios;
Worker: Female, aged 19, Call Centre Operative
Living Conditions: 6m x 5m room in a shared house with shared WiFi and bathroom
Finances: a 20% drop in household income, increased living expenses
Cohabitation: Shares room with a furloughed partner who has a higher than average amount of high-interest debt
Education/knowledge: Often used as an example of how to perform tasks and communicate with customers. Carried out data protection and information security refresher 10 months ago
Mental wellbeing: Due to the stress of increasing bills and a loss of income, her partner is becoming increasingly agitated. They live in a small room and are unable to distance from each other while in lockdown.
As a Call Centre Operative, she has access to customer data, such as name, address, email, direct debit information. She accesses the systems through shared WiFi, using the corporate VPN. Your worker doesn’t always lock her screen when visiting the bathroom or grabbing a drink, after all, she’s working from her room and they only other person in there is her partner, and they overhear her work calls anyway. She reuses the same password for her work and personal accounts.
What could possibly go wrong?
Worker: Male, aged 26, Marketing Executive
Living Conditions: 2 bedroom flat, private facilities and connections
Finances: Maintained salary and household income
Cohabitation: Lives with a roommate of a similar income bracket
Education/knowledge: Talented in his field, known as a little workshy but makes up for it with creative ideas. Was due to take information security refresher 2 months ago
Mental wellbeing: Is enjoying getting up late, but misses social connections and the team snacks
As a Marketing Executive, he often receives creative assets through file transfer systems, from Creative Agencies. The company doesn’t have a preferred file transfer system. He and hs his roommate often work to music and play office Olympics in their living room (home office). He has access to company social media channels, via a shared login as well as other web assets. With private WiFi, and no systems requiring the use of a VPN, he rarely connects, in fact, the VPN sometimes causes issues when using some of the sites he needs for work.
What could possibly go wrong?
Worker: Female, aged 40, Head of Department
Living Conditions: 3 bedroom suburban house, private facilities and connections
Finances: Maintained current salary and household income
Cohabitation: Lives with a long-term partner and their 5-year-old child
Education/knowledge: Well regarded by team, peers and stakeholders. Carried out data protection and information security refresher 3 months ago
Mental wellbeing: Is adapting well to remote working, it’s not the first time she has worked from home; however, it is the first time with a house full
As a Head of Department, she has access to confidential staff data, such as name, address, email, timesheets. She can also access internal finance systems, and approve purchases and funds transfers up to the value of £50,000. Systems are accessed through private WiFi, using the corporate VPN. During her evening bath, she often lets her 5-year-old watch YouTube on her corporate machine, while her partner goes for a run. Desktop notifications are enabled for email and instant messaging.
What could possibly go wrong?
Worker: Male, aged 33, First Line Support
Living Conditions: Living at home with parents
Finances: A 66% drop in household income
Cohabitation: An only child, living at home with parents who’ve both been made redundant
Education/knowledge: Due to the job, feels he has an excellent understanding of secure working and IT systems. He carried out data protection and information security e-learning upon joining the company two years ago.
Mental wellbeing: With both parents out of work, there is mounting pressure to support the household financially. With limited social interactions, other than through digital means, he begins to feel overwhelmed and isolated.
As First Line Support, he has access to staff data, such as name, email and some admin accounts through a shared login. Very familiar with using the right tools, such as VPN to access support queues. He spends most of his time in his bedroom, away from the family and distractions, other than a gaming PC. At the moment, the family don’t have enough food to sustain them as they usually would, they are mainly surviving on cereal and water until his parents’ Universal Credits kick in.
What could possibly go wrong?
Risk assessing secure remote preparedness
It’s near on impossible to risk assess preparedness if you don’t have an understanding of your workforce. If we look back to the early days of school closures when teachers remained at work for the children of key workers or vulnerable children. Those at risk were highlighted, and even that didn’t secure their safety. According to Sky, lockdown saw a 53% increase in child abuse cases. We know that fraud also went through the roof, along with domestic violence. Statistically, one of your team is at risk of poverty, violence or worse. Do you know how far they’d go to survive? How can anyone on the brink of existence behave securely?
So where do you start? Firstly, this isn’t a team project; this is a business-wide project. This is where collaboration is vital. HR/P&C must be involved, DP must be involved, Security must be involved, IT must be involved, Risk must be involved, everyone has a responsibility for information security, data protection, employee wellbeing and more!
A platform for assessment
Here’s an example of what a “People Security” decision tree could encompass, but, again, the possibilities are endless and belongs to everyone!
Whilst the current situation did seem to be sprung upon us; Bill Gates did call it back in 2010. From the outside looking in, we did seem to have lost touch with our dusty, filed away Business Continuity Plans, and I do wonder if theses plans considered the interpersonal, economic and social impact on our teams.
The moral of the story
I guess it’s ‘Seek to understand before you are understood’. To create a secure remote worker, you must understand the worker. What motivates them, what hinders them, their knowledge and understanding and ability to roll with the enforcement of change.