Remote working: lifeline or a tightrope?
- Published: Wednesday, 29 April 2020 08:43
As we look ahead from COVID-19 pandemic response to recovery where does remote working fit in? Chris Butler looks at some business continuity considerations as organizations consider the future ‘new normal’.
The office is dead – long live working from home! Or so many people would have you believe. For many employees, there’s been over a month of home working. But as we enter the next few months, with the expectation that it’s more of the same – what a dispersed workforce looks like and how it operates will differ hugely from the initial transition period.
When we discuss the concept of resilience, we talk about the key traits of flexibility, adaptability and agility. Simply returning to the way things were before disruption strikes is rarely a good idea; everyone should always learn and improve following a disruption, especially one as impactful as the COVID-19 pandemic. There are a number of reasons why we won’t all be working from home once we return to some position of normality, and it would be worth exploring them.
Even if a company has provided the employee with a laptop that has full endpoint protection, the office IT environment is still at risk if that laptop is used on a home network with reduced security. A recent survey found that 82 percent of British broadband users never change their router administrative password, and 48 percent don't know why they should.
The security issue gets even riskier amongst companies with a BYOD policy, which increases the footprint of potential access points for malicious actors to exploit. The solution to this issue lies not only in making VPNs mandatory for any device connected to the network, but a level of direct engagement between IT departments and workers themselves. Crucially, organizations need to lay down clear standards, establish the security controls and directly assist employees to make their home networks as secure as the office environment.
Enterprise-grade technology resilience at home
In a similar vein to the cyber security challenges outlined earlier, the office environment is most likely to provide high-quality IT infrastructure alongside the usual building resilience capabilities. Offices have UPS and generators to keep power going in the event of a disruption. Homes do not. Whether IT is on-prem, wholly in the cloud or hybrid, the office environment is set up to be robust and teams are on hand to manage issues as they arise.
With a diverse workforce, any power failure will only affect a much smaller number of employees, perhaps only one or two, so the impact is much less – unless that person is a single point of failure in a critical business process. With many companies taking more Software as a Service capabilities (eg Salesforce, Office 365) many of these risks are mitigated, but the reality is that the office for many companies will provide the most reliable and secure environment to manage infrastructure.
Robust, available and resilient equipment
Another technology issue is that of testing. If working from home is the strategy, how does the organization execute tests for short-term VPN expansion, if that is part of the solution? What about network latency, or execution of test scripts when all those involved are remote? It’s certainly a big challenge.
The logistics of providing employees with all the necessary technology to work from home successfully has been a real challenge during the COVID-19 outbreak. With advance warning, many companies procured large numbers of new laptops and desktops; some have sent workers home with the latter. With advance notice this is fine, but in many disruptions there are short notice building evacuations where staff have left laptops behind. Safe to say, it’s important for IT departments to realise that they probably won’t have time to plan for full access to their entire infrastructure in the future.
What should companies do to stay resilient?
While remote working policies have been key to maintaining at least some form of continuity during the COVID-19 outbreak, organizations mustn’t overlook the fact that a massive paradigm shift has occurred in business continuity overall. What would be the impact on remote working if there was a critical failure of IT or a crippling cyber attack right now? Not applicable to all companies, of course, but what if that was yours?
While best practice dictates updating business continuity planning on an ongoing basis, now is the time to thoroughly scrutinise existing plans in light of recent events. This will differ from company to company, but there are a number of imperatives which apply across the board:
It will be vital to conduct formal lessons learned workshops to capture events, covering people and workplace from the current COVID-19 response phase. These workshops need to be rigorous and the assumptions they may make tested, because the potential implications for longer term investment in capabilities are significant.
The current disruption only enhances the requirements for good, useable business continuity planning, but companies have for too long been guilty of taking a box-ticking approach to business continuity and now is the time to get them right.
Such plans need to be simple, action-oriented, not too detailed, and contain just enough information to enable the right people to make the right decisions with the right information in the right timeframe. Best practice involves planning activity around three phases: immediate response, extended response, and recovery. Companies need to recognise and separate these phases and have management teams plan and prepare for each.
Strategic risk analysis
The current environment has shown us that it is now time to consider other Black Swan events and not just the standard types of disruption that have been part of business continuity planning for so long. But it’s relatively safe to say that the current situation is not permanent, nor should businesses be expecting it to be so. As a result, when a disruption occurs which makes it fundamentally impossible to access the workplace, working-from-home policies are just as crucial as a business’ exit strategy.
Identify the capability requirements that must be in place to permit extended home working (training, equipment, people, information, plans/procedures, organisational and management structures, suppliers and logistics) for those employees for whom it is a practical solution. But also prepare the office and recovery capabilities for the remainder. If nothing else, identification of the contingency measures will allow companies to prepare better. These are the ingredients that will prove crucial as the current situation slowly moves from ‘response’ to ‘recovery’ over the following weeks.
Chris Butler MBCI CISM, is Principal Consultant for Risk and Resilience, Sungard Availability Services.