GRC Supper Club
Zoom work culture: is it the ‘new normal’ and what are the risks?

5/6/2020

A summary of the second installment of the GRC 'virtual' Supper Club trilogy (the 17th event overall), which took place on 28 May, 2020

Zoom hasn’t only been responsible for hosting more quizzes than Bamber Gascoigne and Magnus Magnusson put together during the lockdown period; the video conferencing platform has also enabled businesses across the world to overcome many of the challenges presented by large scale homeworking – which has suddenly become a forced necessity, rather than a convenient and occasional alternative.

Zoom Culture & The Risk Environment

This collaboration tool – and the remote working culture it breeds – has the potential to become the ‘new normal’ for many businesses long after the Covid-19 pandemic has been consigned to history. But what about the potential risks?

With this in mind, we decided to ask our three esteemed speakers: will companies start to embrace the ‘Zoom’ work culture and how will this impact their risk environment?

Stelios Valtzis – Group CISO, SaarGummi Automotive Group

Stelios kicked off by highlighting the sudden need for businesses to conduct risk assessments in the face of enforced homeworking at scale.

Unfortunately, decision-makers often assume that cloud-based organisations like Zoom invest huge amounts into cybersecurity – when in reality this isn’t always the case. The same people have also sanctioned the use of free software offers during the Covid-19 crisis – such as free collaboration and free telephony licences – without considering the potential impact on processes and IT.

The concept of remote working is often hamstrung by a lack of cybersecurity knowledge and experience amongst the workforce, for whom a normal working day previously meant going into the office. The Covid-19 pandemic has forced organisational change – most notably homeworking at scale – in a rapid and often unstructured way, opening the door to cybercriminals.

These ‘bad guys’ prey on uncertainty. So, imagine their delight when overnight millions of people who had never worked from home before were suddenly forced to do so full-time. In April, Google reported they had captured 18 million phishing emails in one week. This was around the same time that easyJet was hacked and the personal details of 9 million customers were compromised.

To overcome these challenges, Stelios highlighted the importance of striking a balance between continuously evolving cybersecurity threats and the obvious lack of resources, while at the same time preparing the organisation for what might come. Businesses should accept that a major security incident will occur at least once and will result in a financial loss – and that Zoom culture will increase this threat.

To use cloud-based collaboration tools securely, organisations must:
  • Reassess business processes and ensure there is an IT system for every critical task.
  • Build effective policies and enforce information classification.
  • Control communication channels by investing in data loss prevention technology.
  • Ensure employees understand the meaning of confidentiality.

Chris Phillips – CEO of The International Protect and Prepare Security Office (IPPSO)

Who better to explain the importance of implementing a crisis management plan – something that is often overlooked with devastating consequences – than a counter-terrorism specialist?

Chris posed the following question to the supper club guests, in the context of the Covid-19 pandemic: did your crisis management plan work?

Most people (58%) said yes. However, Chris stressed that far too many business continuity planners have failed to put sufficient measures in place, including those in the government – despite a pandemic being near the top of their list of potential threats prior to the outbreak.

How might the pandemic impact the future and what will the ‘new normal’ be? Whether it’s shopping online more than ever before or working from home full-time, the global health crisis has changed how we live our lives in the blink of an eye. Chris reinforced the notion that because criminals thrive on confusion, they will be rubbing their hands together at the opportunities enforced homeworking presents – and the potential for it to become the norm. Consequently, social engineering threats like phishing attacks could become an even greater threat than they already are.

Homeworking poses many questions in terms of a business’s duty of care. For example, when does its responsibility to remote workers begin and end during the working day? What happens if they’re working from home and suddenly require first aid? These types of issues must be addressed as soon as possible to ensure a safe and effective homeworking environment. Businesses must, therefore, provide employees with the knowledge, support and equipment required to achieve this.

Any business’s weakest point is its people. So, what about insider threats? Employees are suddenly accessing sensitive company data at home from various devices. The amount of information people can access on their PCs/laptops needs to be considered and controlled differently if working from home. The rise of homeworking could also see a shift towards remote offices, where people will be accessing sensitive data within the vicinity of people external to the organisation.

Sean Freidlin – Director of Ethics & Compliance Learning, SAI Global

Last and by no means least, Sean joined us from his home in New York. He opened by asking the audience the following question: how have remote work and Covid-19 changed your organisation’s approach to ethics and compliance training? The most common response (43%) was: our training plans haven’t changed. However, Sean pointed out that when the same question was posed to around 500 respondents across a series of recent webinars, around half said that they are doing the same amount of training but focusing on different risks – the number one risk being data privacy.

Interestingly, SAI Global’s research also revealed a 50/50 split between businesses that are relying less on ethics and compliance programmes in the current climate and those that are speeding up their use of this valuable function. While this is a concern, plenty of people (58%) believe the pandemic has made their organisation stronger and is bringing its employees together, despite being apart physically.

How will the events of today impact the way regulators view our compliance programmes? It’s dangerous to assume there will be leniency or flexibility going forward. Compliance programmes shouldn’t compromise their integrity just so they can meet the challenges of the moment.

The risk posed by bribery and corruption has been elevated by the Covid-19 pandemic. People are still under pressure to perform from home. Unfortunately, some might choose to compromise their integrity and values to achieve their goals, because of a lack of oversight in the homeworking environment.

The fall-out from Covid-19 has meant teams are being reduced in size, budgets are being slashed and investments in technology are being paused – but the risks still exist. These conditions mustn’t compromise the hard work that has gone into developing and implementing strong anti-bribery and corruption programmes. By using Covid-19 as an excuse to pause these efforts, businesses will expose themselves to increased risk.

Ethics and compliance programmes must focus on data privacy: training, awareness, relaying best practices and reframing them from a homeworking context. The decisions that organisations make today will impact their culture for months or years to come.

Panel Q&A

We concluded by bringing all three speakers together on screen for a virtual Q&A session with our enthusiastic audience. They were joined by two more special guests:

  • Alan Barr (Senior Manager, Group Operational Risk at Royal Bank of Scotland and representative of the Institute of Operational Risk)
  • Terence Lee (former VP, Resilience & Continuity, SAI Global)

The usual three-course meal might have been off the menu, but there was plenty of food for thought.
    Author

    Moderator: Lee Edge
    Authors: Team GRCSC
© GRC Edge 2020