Before the pandemic, working from home was both a luxury and a resilience strategy. People looked forward to those days without long commutes, when they could sleep in or walk the dog. Companies liked the resilience of mitigating risks from office system outages, real estate issues, worker sick days and more.
Now, companies have leaned into the work-from-home model. Working from home is no longer a luxury offered to entice new talent or retain staff. It’s often an expectation. In short, working from home has become business as usual. That impacts the value of working from home, for both employees and employers. While some of the impacts are clear, the impact on an organization’s resilience is complex.
Has the normalization of working from home changed its effectiveness as a resilience strategy? In some ways, it has.
From resilience to routine
“The fact that working from home has become business as usual means we can no longer treat it as a resilience strategy,” said Grant Thornton Cybersecurity and Privacy Manager Nick Johnson.
Resilience strategies are what we use to mitigate the risks in business strategies. Now that working from home is simply a feature of our working environment — a business strategy — we need resilience strategies to mitigate its risks appropriately.
The IT world went through a similar transition with cloud computing. Cloud platforms mitigate some of the risks of on-premises platforms, but they also elevate different risks and have different validation requirements. Now, most resilient cloud architectures mitigate risks by deemphasizing traditional testing while emphasizing production monitoring and validation. Our transition to the work-from-home environment requires similar adaptation.
Same risk, different day
It’s important to understand what has changed, and what’s affected. “While the risks are the same, our vulnerabilities have changed,” Johnson said.
Working from home mitigates the risk of losing capabilities at an office facility. With a distributed workforce, it’s unlikely that a single event could create a significant business disruption. However, while working from home mitigates that risk, it elevates vulnerabilities to other risks.
When people are working from home, they are not on the corporate building’s network that is controlled, managed and protected by the enterprise’s information security team. The known borders of the network are no longer viable, the attack surface has expanded and the vulnerabilities can be less clear.
Potential vulnerabilities in a work-from-home environment:
- VPN vulnerabilities: Many companies have seen an increase in exploits targeting their VPN since adopting remote work.
- Phishing: Phishing scams became more common during the pandemic, and are still more common for people working from home.
- Lax security practices: Many organizations have said that lax enforcement of security policies in work-from-home environments has led to compromised security or increased security risk.
- Large-scale power outages: While a distributed workforce reduces the impact of a power outage at one building, large-scale power outages and attacks on power infrastructures have become more common. Consider whether buildings have modified their generator/fuel contracts due to lower occupancy.
- VOIP reliance: Many business disruptions would cause an outage in your VOIP. Consider your dependence on collaboration and sharing applications, whether you rely on VOIP to mobilize your plan, and whether your plan includes non-VOIP numbers.
How do we respond?
Many of today’s businesses still have office-centric cyber resilience programs. How should those programs adapt to our work-from-home environments?
“Your resilience plans must include the failure of working from home,” said Grant Thornton Cybersecurity and Privacy Managing Director Manmohan Singh. That means work-from-home tests are obsolete, and we need production metrics that validate work-from-home’s effectiveness.
Prevention is at the core of any cyber resilience program. Prevention means being aware of, and prepared for, the threats in the environment. It means patches and updates, but it also means education and awareness.
“Education and awareness are often an issue. The way we train people doesn’t work the same way at home as it does in the office — because we don’t work the same way at home as we do in the office,” Johnson said.
A simple and informational presentation or video might meet compliance requirements, but it will not engage an at-home audience. It might meet the requirement to provide information, but it won’t increase an employee’s vigilance.
From a personnel perspective, resilience means shifting the work or shifting the people, depending on the disruption. Some firms are large enough to have multiple hubs or be spread across multiple regions to mitigate the geographic risk. Most firms do not have this luxury. They need plans that mitigate the loss of remote work capabilities. Depending on your needs and resources, this could include bringing people back into the office, using traditional warm-site offices or other options.
The work-from-home environment has created new vulnerabilities, and most organizations have not adjusted their resilience strategies. Now is the time to update your strategy, before unforeseen disruptions leave your workers home alone.