
Remote Working: Lifeline or Tightrope?

01 May 2020

THE OFFICE is dead – long live working from home... or so many people would have you believe. For plenty of employees, observes Chris Butler, there has now been over a month of home working, but as we enter the next few months, with the expectation that it’s going to be more of the same, exactly what a dispersed workforce looks like and how it operates will differ hugely from the initial transition period.

When we discuss the concept of resilience, we talk about the key traits of flexibility, adaptability and agility. Simply returning to the way things were before disruption strikes is rarely a good idea. Everyone should always learn and improve following a disruption, especially one as impactful as the Coronavirus pandemic. There are a number of reasons why we will not all be working from home once we return to some position of normality, and it would be worth exploring them.

Even if a company has provided the employee with a laptop that boasts full endpoint protection, the office IT environment is still at risk if that laptop is used on a home network with reduced security. A recent survey found that 82% of British broadband users never change their router administrative password, while 48% simply don't know why they should.

The security risk is greater still among companies with a Bring Your Own Device policy, which increases the footprint of potential access points for malicious actors to exploit. The solution to this issue lies not only in making VPNs mandatory for any device connected to the network, but also in a level of direct engagement between IT Departments and workers themselves. Crucially, organisations need to lay down clear standards, establish the security controls and directly assist employees to make their home networks as secure as the one within the office environment.

In a similar vein to the cyber security challenges outlined earlier, the office environment is most likely to provide high-quality IT infrastructure alongside the usual building resilience capabilities. Offices have UPS and generators to keep power going in the event of a disruption. Homes do not. Whether IT is on-premises, wholly in the cloud or hybrid, the office environment is set up to be robust and teams are on hand to manage issues as and when they arise.

With a diverse workforce, any power failure will only affect a much smaller number of employees, perhaps only one or two of them, so the impact is much less severe unless that person is a single point of failure in a critical business process. With many companies adopting more Software-as-a-Service capabilities (eg Salesforce and Office 365) many of these risks are mitigated, but the reality is that the office for many companies will provide the most reliable and secure environment to manage infrastructure.

Robust, available and resilient

Another technology issue is that of testing. If working from home is the strategy, how does the organisation execute tests for short-term VPN expansion if that's part of the solution? What about network latency, or the execution of test scripts when all those involved are remote? It’s certainly a big challenge.

The logistics of providing employees with all the necessary technology to work from home successfully has been a real challenge during the Coronavirus outbreak. With advance warning, many companies procured large numbers of new laptops and desktops. Some have sent workers home with the latter. With advance notice this is fine, but in many disruptions there are short-notice building evacuations where staff have left laptops behind.

Safe to say it’s important for IT Departments to realise that they probably will not have time to plan for full access to their entire infrastructure in the future.

While remote working policies have been key to maintaining at least some form of continuity during the Coronavirus outbreak, organisations mustn’t overlook the fact that a massive paradigm shift has occurred in business continuity overall. What would be the impact on remote working if there was a critical failure of IT or a crippling cyber attack right now? Not applicable to all companies, of course, but what if that scenario played out in your organisation?

While Best Practice dictates the updating of business continuity planning on an ongoing basis, now is the time to thoroughly scrutinise existing plans in light of recent events. This will differ from company to company, but there are a number of imperatives which apply across the board.

Evaluation of current planning

It will be vital to conduct formal lessons that capture events covering people and workplace from the current Coronavirus response phase. These workshops need to be rigorous, and the assumptions they make need to be tested, because the potential implications for longer term investment in capabilities are significant.

The current disruption only enhances the requirements for good and useable business continuity planning, but companies have for too long been guilty of adopting a box-ticking approach towards such planning. Now is very much the time to rectify that situation.

Such plans need to be simple, action-oriented, not too detailed and contain just enough information to enable the right people to make the right decisions with the right information in the right timeframe. Best Practice involves planning activity around three phases: immediate response, extended response and recovery. Companies need to recognise and separate these phases and have management teams plan and prepare for each in some degree of fine detail.

The current environment has shown us that it's now time to consider other 'Black Swan' events and not just the standard types of disruption that have been part of business continuity planning for so long. It’s relatively safe to say that the current situation is not permanent, nor should businesses be expecting it to be so. As a direct result, when a disruption occurs which makes it fundamentally impossible to access the workplace, working from home policies are every bit as crucial as a business’ exit strategy.

Identify the capability requirements that must be in place to permit extended home working (training, equipment, people, information, plans/procedures, organisational and management structures, suppliers and logistics, etc) for those employees for whom it's a practical solution. Also be sure to prepare the office and recovery capabilities for the remainder.

If nothing else, identification of the contingency measures will allow companies to prepare better.

These are the ingredients that will prove crucial as the current situation slowly moves from ‘response’ to ‘recovery’ over the following weeks and months.

Chris Butler MBCI CISM is Principal Consultant for Risk and Resilience at Sungard Availability Services