Recent announcements from the UK and Scottish Governments mean a return to traditional office work is still on hold for most of us. This article, which is the first in a series of collaborative content from ScotlandIS Cyber and Data Clusters, FinTech Scotland and LawscotTech, considers how working from home can impact on employees’ attitudes towards diligence and how companies can encourage a compliance-driven culture in a remote setting.
Now that we have passed the six-month mark since lockdown officially began, the impact of continuing to run their business remotely is starting to take its toll on many companies and individuals, whether that means maintaining the team bond or the company culture, supporting staff as they return from furlough, or dealing with the difficult situation of downsizing and letting people go.
It is very easy during these emotional, frustrating and sometimes isolating times to let ourselves become distracted and for bad habits to kick in – are you downloading that file which you shouldn’t be or clicking on an unknown link on your work laptop?
Many employees are probably also still in the mindset of the current situation being temporary and that it will end, which can also result in not having the right outlook and attitude when it comes to working from home processes and policies. It is very hard as individuals to always be as diligent as our companies need us to be, especially when working in our home environment.
Even when offices do start to open up, we will no doubt be working in a hybrid model for quite some time and for many companies that will remain the mode of operation. These more flexible ways of working can bring benefits for both companies and employees in the long run, saving costs on office space, reducing commuting time etc. For these new models to work without exposing businesses to risks, it is essential that companies help their staff maintain good working habits to ensure compliance.
Companies should have clear working from home policies and procedures which help employees to understand the differences between operating in an office and working from home. Examples of such guidelines include:
- Keeping separate work and personal accounts for video calls and other digital exchanges, and not starting to merge or mix these two domains
- Policies for bringing devices between the office and home
- Procedures for updating anti-virus protection and ensuring work is backed up regularly
As well as having guidance and clear policies, companies also need to ensure that any new tools and processes have been factored into their current certifications and compliance frameworks such as Cyber Essentials and GDPR.
Companies should already have a robust data classification system, but guidance may need to be updated as to how different classes should be handled in a home environment, particularly with others in the household.
Businesses should also run regular company-wide security awareness training focusing on the risks of everyday situations, such as password security, phishing emails and protecting sensitive information. A number of security providers offer programmes of videos and scenarios to help engage employees, shift culture and reduce the risk of human error. It is also hugely important for companies to respond to such errors in a compassionate and supportive way and not lay the blame on the individual – encouraging staff to be open about mistakes they may have made, rather than hiding them.
With October being cyber security month, now is as good a time as any to re-think your approach to maintaining compliance for the long term in whatever mode of operation you find your business to be in.
- NCSC guidance – 10 steps to security
- Scottish Government Cyber Scotland bulletin
- Find a local cyber security company on the Cyber Directory or data company on the Data Directory
- Cyber Resilience exercise in a box – details here
If you are interested in knowing more about the collaboration between ScotlandIS Cyber and Data Clusters, FinTech Scotland and LawscotTech, or about any of these individual organisations, please get in touch with firstname.lastname@example.org or email@example.com.