There have been extraordinary lessons from an extraordinary time. The resilience we’ve seen is inspirational and the determination, especially by those hardest hit, has been stunning. We’ve seen organisations and their people adapt quickly and selflessly to change, and some of that change looks to be permanent.
The words we hear again and again are: ‘THIS IS THE NEW NORMAL’
Given the rush into this “new normal”, some of the safety nets you would normally expect to be in place are on the light side. Robustness was compromised because of the necessity for speed.
Now is the time to review the changes and make sure they are robust.
1. Security of WFH, and suitability of the environment
Surveys tell us that 95% of workers want to keep working from home more than before lockdown. That means that the rush-jobs to get this running now need to be strengthened for permanent use. As we’ve reported, there was a huge upswing in cyber-threat activity over the lockdown, targeting home usage, so the following IT security questions are more important than ever:
- You need to have reviewed your password policy – make sure people are using unique passwords to access business IT systems, and not recycling the same passwords over and over. You can use a password vault, like the KARE Password Vault, to help track these – just make sure the vault is secure (look for SOC2 certification)
- Every system MUST have MFA – multi-factor authentication. Regular readers will know how strongly we feel about this. MFA needs to be on EVERY business asset, from your Microsoft 365 to your core business systems, your financial tools (e.g. Xero), banking software, and the various other online ‘shadow IT’ you may use – even your website editing tools – literally EVERYTHING!
- Not all remote access systems are secure, and even those that are secure today can have vulnerabilities emerge later, so you need to keep them updated and review them regularly. Even how they are configured can make a difference. For example, most of us use RDP in some form or another. Poorly configured RDP is a very common vulnerability, from old ‘open’ connections to compromised user accounts. Good RDP, especially when combined with MFA and good password policies, will keep you safe.
- Is the PC that is being used at home an asset of the organisation or a shared home PC? If it’s a home PC, is it patched up-to-date, with good antivirus and anti-malware and the latest operating system updates? If you don’t have control over it, because it is a personal asset of the worker, you may need to consider the conditions that must be met before you allow them to access your organisation’s IT assets from home. If it is a shared machine with other family members, what else is on it? Not every family member might be as diligent as your worker. This could now be the weakest link in your security fence.
2. There are some non-IT questions you must be asking too:
- Is the worker able to meet your workplace standards – for example a set up that is physically safe, with the screens at the right height, comfortable seating position and so on?
- Can they work without compromising your confidentiality obligations? If they are working in a shared space at home, with family or flatmates depending on their circumstances, is any confidential information on screens or papers able to be kept private?
- Are you in danger of breaching their privacy? With the use of Teams, Zoom or other video-calling tools, is it appropriate for the worker to “invite you into their home” so to speak? This is especially true for younger workers who might be working from their bedroom – which is almost certainly inappropriate to share on the screen!
- For that matter, no matter where a worker is operating from, whatever is in their background on a video call needs to be appropriate to your organisation. Who knows what might be in their home environment, which is after all a matter for the worker, but it might not be suitable to share, especially when it comes to who else might be in the background. In fact there were no end of stories of the ‘wrong’ people in the background of some online calls! We know of one organisation that banned an employee from using video on calls after their flatmate walked behind them stark naked!
- The work-from-home environment probably needs to be fairly free of distraction – from kids to pets to whatever else someone may have at home, you need them to be able to concentrate on work.
- Part of that might be how they are presenting themselves. Dress standards over lockdown varied wildly, from normal business attire to very casual, including some costume-wear. For the unusual period we were in, there was generally a social licence that allowed for this, but now we are getting back to work, most workplaces need their staff to present themselves appropriately – for example collared shirts.
These are just our quick thoughts. By no means is this a comprehensive list and we’d welcome feedback and ideas. We’re really happy to share our own internal Kinetics policies with others as we refine them, in consultation with our staff.
3. Opportunities to work smarter
Tools like Microsoft Teams really made a difference over lockdown. The ability to collaborate in more ways, combining email with chat and calling, was instrumental in helping organisations stay productive. Even so, most organisations are barely exploiting 20% of the capabilities of Teams.
- sharing with team members OUTSIDE your organisation (guests)
- embedding richer content such as forms inside Teams – so that you don’t need paper to pass from hand to hand, and then automating some of those forms based on the data captured within them
- incorporating business analytics within channels to complete entire business processes inside Teams, as an easily presented and shared collection of content
- using various Teams add-ons, including Bots, to exploit the environment and the opportunity to work smarter – for example, our entire internal digital transformation agenda is maintained and tracked inside a single Teams channel
4. Redesign IT strategy with the new business plans
The crisis caused most organisations to revisit their business plans. The need to reassess risk, revenue and opportunity was immediate. Organisations have pivoted with responses to contain costs, to innovate new concepts, to emphasise some services and de-emphasise others. Some plans have come forward and some have been deferred.
- Given that most of these plans rely on IT in some way, has the IT plan been refreshed to match it, putting IT resources in the right places?
- Have IT risks been re-assessed and updated for the new reality? Do the capacities and capabilities of the platforms, and the initiatives, now match the new realities, or do they still reflect a pre-COVID plan?
Actions you can take
- Call us for an audit to work through your IT security vulnerabilities and needs.
- Run a Kinetics FlightPlan to flesh out your IT priorities and how they should be helping achieve your business plans.
- Build capability through training, either in-person or eLearning, to keep your people up-to-date and to get them into the habit of continuing to learn.