How a comprehensive work-from-home policy can boost productivity and prevent security breaches
In the COVID-19-induced rush to embrace remote working, some smaller Australian law firms didn’t get around to establishing or updating their work-from-home policies but not having the rules laid out can lead to confusion, conflict – and increased cyber risk, writes Mark Sinclair.
Does your workplace latterly comprise tens or dozens of employees working from home? The COVID-19 pandemic and the social distancing and shutdown measures it has necessitated have forced thousands of Australian businesses and organisations to make remote working their default modus operandi, in the space of just a few short weeks.
A Gartner survey published in March revealed 88 per cent of organisations had encouraged or mandated working from home during the coronavirus crisis. High-profile companies that have embraced the practice here in Australia, for all or part of their workforces, include News Corp, KPMG, Telstra, and insurance firm RACQ.
For road warriors and regular work from homers, it’s business as usual at the kitchen table or in the study. But for lawyers more accustomed to office-based working, it’s a whole new ball game and one for which they may not know the rules. In some cases, that’s because there aren’t any – at least none that are written down.
While larger firms will typically have well-documented policies and procedures covering remote working, that’s less likely to be the case in small and medium-sized firms where the practice occurs infrequently, or by special permission.
If your organisation falls into the latter category, formulating and sharing a work-from-home policy will help your team understand what’s expected of them while they’re out of the office but still on the job.
Here are some of the things it should cover.
Availability – theirs and yours
Office hours are typically considered to be nine to five, or some variant thereof, but does that apply when employees are “clocking on” from home? Or are you happy to let early birds start and finish sooner? Is lunch hour still at 1pm and should people tell you when they’re planning to swing by the kitchen for a sandwich?
Your policy should specify the hours you expect your team to be available – and when you’ll be available to them.
Some pressing tasks need to be completed yesterday, while others can wait a little longer. So how are employees who are not working under your eye expected to know which are which?
Specifying how urgent requests will be communicated – perhaps by phone, rather than email or messaging platform – and how quickly you expect employees to respond can help ensure urgent work is given priority and deadlines aren’t missed.
Pick your preferred platforms
Zoom, Skype, Slack, Teams, Dropbox… or all of the above? In 2020, there’s no shortage of digital platforms to enable your dispersed team to communicate, collaborate and share documents. But taking an “anything goes” approach to these tools and technologies can increase the chances of commercial and customer information being compromised, either as a result of user carelessness or malicious action by hackers and cybercriminals.
Mandating the platforms you want employees to use, and reminding them how to use them safely, will reduce the risk of a disruptive and expensive cyber incident.
Laptops and mobile phones are ubiquitous tools of the trade for remote workers so it makes sense for your work-from-home policy to outline your rules for using them safely. They might include maintaining a secure PIN on all company devices; not allowing partners and children to access devices; not connecting to public Wi-Fi networks; backing devices up regularly; and reporting their loss immediately.
If you’re allowing employees use their personal devices for work, you’ll need to provide guidance on how they’re to conduct business safely on them too.
Recent weeks have seen cybercriminals make a concerted effort to cash in on the coronavirus crisis, with a rash of phishing and malware campaigns designed to exploit individuals’ hunger for up-to-date information.
In late April, the Australian Cyber Security Centre warned of a surge in COVID-themed malicious activity which, at that time, had already ensnared more than 95 Australians. In uncertain times, even the most cyber alert of employees might slip up with a risky click, which could potentially compromise their device and the corporate network.
If they’re aware an incident has occurred, letting you know as quickly as possible can make it easier for you to mitigate the damage. That’s why your policy should detail how to report a potential breach and any steps the employee should take to minimise the fallout.
Making it official
Whether wholesale remote working is a temporary interlude for your firm or it becomes the new default norm, it works a whole lot better when it’s organised. Formalising your arrangements with a work-from-home policy will provide your team with clarity about what’s expected of them and remind them to observe safe cyber practices while they’re out of the office.
By Mark Sinclair, ANZ regional director, WatchGuard Technologies