After threatening for years to be an actual “thing”, in the first half of 2020 working from home (WFH) – indeed, working from anywhere (WFA) – finally went properly viral. Literally viral, of course: the sudden and dramatic shift to remote working was pandemic-inspired. Nonetheless, even the sceptics have had to concede that the overwhelming majority of the tech needed to “WFH/WFA” effectively already exists, in abundance, in the form of SaaS/cloud-based services, available from any internet-connected location.
There are, however, several aspects of this workplace transition that require careful review for organizations intent on remaining “legal” and in compliance with information security and data protection obligations.
Six-odd months in, it is becoming notable that many organizations did not, and do not, have in place adequate controls to prevent their far-flung staff from signing up to and downloading a variety of cloud-based software applications and tools. At this stage, using the initial chaos of the lockdown to justify different methods of working that may not have been acceptable in the office does not really wash (if it ever did).
It’s a simple, familiar process for anyone to download and install an application, or to simply connect to a SaaS platform. Boxes will need to be ticked confirming acceptance of terms and conditions, and – familiarity breeding contempt – it is unlikely that these terms and conditions are either fully read or understood by the person doing so, who is unlikely to be a commercial or governance expert. Might this simple act of box ticking put the organization’s data at risk? Well, perhaps. Who will know from exactly where the SaaS provider runs their services, or under what data protection framework? Does the service provider now have visibility of your data (or someone else’s data)? Perhaps excessive marketing campaigns have been authorized; perhaps your organization will need to start paying hefty subscription costs in 3, 6 or 12 months’ time once your “free evaluation period” has expired?
Preventing a hidden backlog
So while you may consider that your IT estate is understood, recorded and properly licensed, there is a potential, hidden backlog that (a) needs to be addressed, and (b) needs to be prevented from happening again. How?
First: your security culture should provide clear, unambiguous communication of the contents of your organization’s Asset Management Policy and Acceptable Use Policy. This should leave no doubt that downloading and/or use of unauthorized, unevaluated software products will result in disciplinary action being taken.
Second: re-evaluate your process for authorizing and evaluating software products. Once a valid business need has been determined, the engagement of commercial resources will be needed to assess whether there are any unacceptable or undesirable requirements embedded within the lengthy terms and conditions. Involve your governance colleagues too, who will be keen to identify any risks to data from using the service and to update the risk assessments that would be in place for an ISO 27001-certified Information Security Management System.
They may also seek a Supplier Capability Assessment from the service provider to better understand their security posture.
There’s no guarantee that such an Assessment will provide the clarity you seek, with many larger, global SaaS operations willing only to provide security and privacy summaries on their website. In all cases, the correct time to understand the service is before you start entrusting your valuable data to it.
Also worthy of our attention: asset management challenges relating to the stampede to WFH/WFA. When the UK Government mandated working from home during the early stages of the pandemic, many IT assets left the corporate boundary and entered private residences in a matter of days. While we’d all like to believe that this was a controlled activity with supporting records, we should not be naïve: many organizations will now need to play catch-up to work out where all their valuable IT assets have gone. Many will need to establish new processes for periodic audits and for the assets’ eventual physical return to the office.
Corporate risk assessment
Pre-Covid corporate risk assessments will have made a set of pre-Covid assumptions about the infrastructure and software (including authorized cloud services) that are used to access corporate data (which may include personal data under the protection of GDPR). Remote working on the scale at which it is happening, and for the length of time it has already persisted, almost inevitably challenges these assessments. Threats are posed by shared domestic environments and home-based Wi-Fi, while the temptation to use BYOD assets and media is inevitably too great for some to resist. And what of new joiners: how do you induct them into your processes and procedures?
Many organizations have publicly declared their intent to extend WFH/WFA beyond the point where Covid-19 can be successfully managed. For organizations big and small, this is going to require a combination of:
- Improved training for personnel on secure and acceptable remote working practices
- More robust security policies that are clearly understood, with disciplinary action if needed to emphasize the seriousness
- Risk assessments that focus specifically on remote working challenges
- Consideration of remote monitoring of user activities and the remote IT estate
- Acceptable security standards for remote telephony and communications
- Regular assessments of all cloud-based services in use, for governance and data protection purposes
The financial challenges of maintaining office real estate in our post-Covid society will inevitably require greater flexibility in future employment arrangements. However, taking care to understand and manage the “risks from change” will be essential in protecting our organization’s data. And, more importantly, it will be essential in protecting the data entrusted to us by our customers, on whose revenue we depend more than ever in these strange times.
Andrew Beverley - CTO and co-founder, InfoSaaS