The work-from-home model many employers rushed to adopt during COVID-19 and are expected to keep post-pandemic requires a rethinking of cybersecurity measures, communication strategies and employee work-life balance.
Businesses that choose to transition to a partially or fully remote workforce should plan out that transition and expect it to take 60 to 90 days, according to Michael Sullivan and Chris Wright, co-founders of Sullivan Wright Technologies in Little Rock.
They, along with other central Arkansas information technology professionals, told Arkansas Business that one of the first decisions an employer must make is whether employees will be using their own devices — computers, tablets, phones — or devices the business owns. That first option brings with it many cybersecurity concerns.
“It’s a cost versus convenience versus security discussion. If you have 100 employees and everybody’s working from home, but you all have desktops, you’re looking at a $100,000 expense right there” to buy laptops for everyone, said Jon Waldman, a partner and executive vice president of information security consulting at SBS CyberSecurity, based in Little Rock and Madison, South Dakota. “There’s always a way to mitigate the risk. The business just has to really understand what the risk is and can they get that risk to a level that’s acceptable to the organization.”
He said employee-owned devices may not be capable of handling the required workload as they may be old, not have the right software and not have updates needed to keep hackers at bay.
But a business can mitigate risk by requiring employees to download an app to work, use multifactor authentication and encryption or install an antivirus program before they connect to the business network, Waldman said.
Multifactor authentication requires computer users to present, and have confirmed, two or more pieces of evidence affirming their eligibility before they’re granted access to a website or application. For example, when you try to log into your email account from a computer you’ve never used before, you get a pop-up notification on your smartphone informing you that someone just tried to log into your email account. It asks you to confirm that it was you who tried to log in. Once you click “yes,” you are logged in on the new computer.
Edafio Technology Partners of North Little Rock recommends “a zero trust model,” where companies don’t just put security measures in place for external threats, but go a step further by not trusting anything inside their systems.
A “data loss prevention engine” (DLPE) can also help, according to Will Smothers, Edafio’s cloud team lead. A DLPE can, for example, prevent an email that has a certain kind of attachment from being forwarded, or allow only the first person it was sent to to open it.
A business could also ask employees to sign certain policies making the employees potentially accountable in the case of a breach caused by their violating a cybersecurity policy, Waldman said.
Training Workers Emphasized
Training employees was recommended by all, especially because employees are more susceptible to clicking and downloading things they shouldn’t when no one is looking over their shoulders at the office, several IT professionals said.
Cybercriminals “are preying on people that aren’t sure about what they’re doing. So there’s a big increase in phishing attacks and the types of social engineering attacks that are geared around people that aren’t sure how they’re supposed to be connecting to the network, aren’t sure how the passwords are supposed to work,” said John Burgess, co-founder and president of Mainstream Technologies in Little Rock. “So it’s even more important than it has been: training those workers on how to use their tools, and how to recognize when they are under attack, how to recognize a suspicious email, how to look at it and critically examine it to determine whether it really is from HR or is it someone who’s trying to gain access to my machine.”
Other cybersecurity concerns posed by the work-from-home model include home Wi-Fi networks that aren’t password protected or have weak passwords.
In addition, connecting a device to a business network from an employee’s home may inadvertently connect that employee’s smart TV, thermostat, spouse’s phone, kids’ tablets and more to that business network. Hackers could get into the network through one of those less-secure devices.
IT professionals recommended setting up a guest Wi-Fi network that only the work device uses.
In addition, Waldman suggested setting up a VPN, which is an encrypted tunnel an employee can use to access the business network.
Another option is Remote Desktop Protocol (RDP), which is not encrypted. With it, employees can access their work computers located at the office using another device at home. Waldman said RDP has more well-known vulnerabilities and can be an easy target for ransomware, which encrypts a company’s files and then demands a ransom to decrypt them.
Another challenge the work-from-home model poses is how to communicate effectively with people who are not in the same room.
Dan Cowling, founder, president and CEO of The Communications Group in Little Rock, said a challenge it faced in sending its 15 employees to work from home in March was being “out of sight, out of mind. … We’re a drop in and talk face-to-face kind of business.”
So the firm asked its employees to make more phone calls and Zoom calls as opposed to sending emails. The Communications Group also set up weekly virtual meetings with the entire staff to review all projects.
“I think what we’re seeing that has been a challenge for all of us, as we’ve gone through a year of pandemic, is relational human connection,” said Keith Woodruff, chief technology officer at Edafio. “It’s just different being virtual versus sitting down and talking with you across the table. And one of the things I think we as a society and people are going to have to realize is there’s going to be a lot more working remote.”
The Communications Group, for example, is planning, post-pandemic, to rotate who works from home. And it’s already reconsidering its location in the Regions Building downtown and the configuration of that workspace, Cowling said.
Technology could be the answer as well. Smothers, with Edafio, said Microsoft has already responded to this communication dilemma by introducing an employee experience platform geared around collaboration, learning and well-being.
“It’s a very interesting, promising product that’s coming out. And the beautiful thing about the way it’s being done is they are integrating it with a mature offering that they already have. So it’s something that many users are familiar with, and they don’t have to relearn these new tools,” he said.
The Issue of Overworking
In addition to addressing cybersecurity and communication challenges, businesses sending workers home should be concerned about those workers doing too much.
Many businesses fear that people working from home won’t be as productive due to distractions, Waldman, with SBS, said. “I would really encourage people to do some homework on actual productivity rates because — almost across the board — you will see that the opposite is the problem. It’s typically folks work too much.”
Sheila Moss, president of the Northwest Arkansas Human Resources Association, a chapter of the Arkansas Society for Human Resource Management, said that people tend to work too much because it’s convenient for them to handle something for work at any time when their office is feet away. Moss also serves on the ARSHRM State Council and owns Information Solutions Team LLC in Bentonville.
She said that employers should be careful not to violate wage and hour laws. On top of that, Moss said, a decline in the mental health of employees has been a concern amid the pandemic. Working from home can exacerbate feelings of isolation kicked off by COVID-19.
“Mental health in the workplace has been a huge crisis, and, now that people are not together in the workplace, it’s a constant concern to all the HR professionals I know. And they’re spending a lot of extra time making sure that their folks are OK, that they have access to mental health guidance and not just [employee assistance programs],” she said, though using an EAP if a company offers it as a benefit is recommended. Moss recommends that employers “just do check-ins and make sure that people have a chance to be heard and that they’re OK.”
Moss said it’s up to businesses to constantly and consistently reinforce work schedules, not only to avoid violating laws, but also for the mental health of their employees.
Cowling said The Communications Group, for example, has asked its employees to hold off on contacting people until after 10:30 a.m. and to view 5 p.m. as the end of their workday.
“So all of a sudden our work schedules, you know, the laptop’s right there in front of you. It’s 2 o’clock in the morning and something pops into your head and you can do this, you can do that. So, in terms of people absorbing this new workload, I think the main challenge that we faced was relationships/morale,” he said. The business also started holding a second virtual meeting every week to play fun games and celebrate employee successes.
Moss said: “We care. We don’t want people to just work themselves to death out of boredom and isolation, and so there’s definitely lines that must be drawn mentally and physically, to make sure that that doesn’t happen.”