Like so many companies navigating the challenges and changes demanded by COVID-19, we at Taft have had to move our entire workforce home while maintaining a high level of support for our employees and clients. Whether in crisis, design, or other business strategy, companies should carefully and methodically approach the transition of their employees, equipment, and data to a remote environment. Such an approach should be followed in all such moves, whether temporary or permanent. In this article we share what we have learned and some best practices that will benefit any company considering making the move.
A. Operational Support (Andrea Markstrom, CIO, Taft Stettinius & Hollister LLP)
Faced with COVID-19 and moving a firm of 620+ attorneys to home offices, I knew this was not just another business continuity tabletop exercise. I needed to plan thoroughly while still reacting quickly. To do so, I thought about how we were going to be able to keep our employees safe, fully productive, and continue providing excellent service to our clients. To be successful, I think you need to consider and accomplish the following three things.
1. Know your Company. It may go without saying, but you need to know your business. Does it have to operate remotely, and if so, does everyone have to? You need to understand your business’s continuity capabilities and how to operate as one company from a field environment. At Taft, during COVID-19, we just happened to also be merging one firm into another, in addition to supporting seven existing major offices. Regardless, everyone across the firm needed to be able to be productive working from outside those offices. Here are some questions to consider.
A. Capacity. Do we have the necessary bandwidth and network capacity to accommodate connecting into our firm resources from home? Both firms did, in our case, but we are constantly monitoring. Business keeps running, so you have to be ready to run with it.
B. Licenses. Do our remote access systems have enough licenses so that everyone can work remotely and in the same fashion? In our situation, both firms had different remote access solutions and we needed to quickly work with our vendors to negotiate, procure, and install licenses for multi-factor authentication, mobile device management software, and terminal server remote access servers.
C. Equipment and Employee Skill Sets. Does everyone have the necessary equipment and capabilities to work from outside the office? We did not know this and quickly put out an online survey to find out if people had home computers, mobile devices, and internet access.
Survey results revealed that not everyone had the necessary equipment and capabilities. We developed a spreadsheet that included every employee and an inventory of equipment and needs.
- Did they have a firm laptop or home computer or did we need to purchase one for them?
- Did they have a mobile device or did we need to provide one for them?
- Did they have internet access or did we need to provide a hotspot?
- Did they need a printer or scanner at home?
We asked these questions for every employee and planned to provide the needed equipment. We inventoried our loaner pool, worked with multiple suppliers, and even used retail outlets to equip our firm.
D. Functionality. You can’t assume systems that work in-house will do the same remotely. We had to consider if we needed additional software to support the new environment and our employees’ work therein. For example, our dictation software and hardware did not work remotely, so we needed to quickly come up with a solution.
E. Security. None of this can happen without maintaining the same level of security for our data and systems as we have in the building. Do we have the appropriate security protocols set up so people can securely work from home? Yes, our firewalls and protections are in place and we are staying close to our managed security services provider to make sure we address and contain any concerns ASAP. We provided security awareness training and instruction on securing home networking equipment.
2. Communication. With your employees and equipment in the field, we need to make sure they effectively communicate. You have to evaluate and implement the appropriate collaboration tools to ensure employees can work with each other and your clients or customers. We accelerated our adoption of collaboration technologies and our digital transformation efforts with the following:
A. Focused the use of our firm’s intranet as the single source for COVID-19 information and collaboration. We have sites dedicated to task force and employee communications, and a consolidated space for all communications that would be valuable for our clients.
B. Provided integrated softphone and audio conference service options so you can participate on calls from any location.
C. Procured a stable web conferencing and collaboration solution that is secure and easy to use. We implemented a secure version of Zoom and are continually updating the application so it continues to be secure. We integrated a room-based videoconference system to collaborate with Zoom and other endpoint web conferencing systems so that people could participate in a videoconference meeting from anywhere and with any solution or service provider.
D. Provided software for electronic signature capabilities to accelerate collaboration and document production with our clients and employees.
E. Partnered with our accounting teams to transition the paper billing review process to electronic methods.
F. Partnered with office operations to ensure electronic scanning services were available so all mail could be delivered electronically.
3. Alignment. With employees and systems in place, we then worked to continually improve and align our IT resources to effectively support the firm working from home. To do this, company IT departments should consider:
A. Partnering with company operations to assemble a skeleton crew and provide IT resources onsite to ensure issues/needs are being met (e.g., onsite videoconferences, desk side support for users in the office, etc.).
B. Configuring call center systems and call queue so your help desk can answer employee calls and resolve issues from a remote location.
C. Partnering with the company training department or human resources to provide user communications and targeted, daily training classes on the proper work from home technology and processes.
D. Assembling a core IT COVID-19 task force team or other disaster recovery/business continuity team that meets regularly to understand and address any issues with stability and ensure people can continue to work remotely, successfully and securely.
As with any major transition, there will be trial and error and you will obviously need to adjust to changing circumstances. Be vigilant in your efforts and you will find the best path forward for any remote strategy. Speaking of vigilance, did I mention how you need to do all of this securely without introducing more risk? Scot can tell you why.
B. Security (Scot Ganow, Data Privacy and Security, Taft Stettinius & Hollister LLP)
As we have written previously, the bad guys do not take a day (or months) off due to COVID-19. Indeed, if we have learned anything, hackers and other bad actors capitalize on the chaos of states of emergency or other crises and the distraction that comes with them to either take your data or otherwise induce your employees to give it up. Many of the incidents or data breaches I have been seeing or managing have involved security vulnerabilities created BY employees or company assets being moved and implemented outside of the company.
As Andrea properly notes above, the operational setup for the remote workforce can be no less secure than that in place for the traditional office. This is why risk assessments are an inherent part of making the decision to move employees home and support them, whether in a hurry or more long term. With this in mind, and within the operational framework discussed above, here are some important considerations and best practices for maintaining a secure environment as your employees work remotely.
1. Establish Clear Guidance and Expectations for your Employees.
A. All remote computer and data use should happen in accordance with the same privacy and security policies as you have in your company office. Working remotely should not weaken safeguards for company data.
B. No expectation of privacy. Employees should already know that any use of your company systems or data is subject to monitoring or review and they should not expect privacy on such systems.
C. Establish alternative communication channels. In accordance with your business continuity plan, make sure you have the ability to communicate with employees through non-company devices, such as personal cell phones to convey all updates, especially in view of a security incident or inability to access or use company information systems.
D. Employees must remain vigilant!
- Remind employees to remain aware of their surroundings when using company computers or discussing company information in public spaces.
- With the concerns and constant news coverage about COVID-19, employees might be subject to phishing attacks and other attempts to obtain access to company data masquerading as public service announcements or even company updates. A reminder about such emails and best practices is always appropriate, specifically:
  - Always be wary of emails or texts containing links or attachments from unknown senders.
  - Do not click on suspicious links or open suspicious attachments. Report all such content to the company IT department.
- Employees should be encouraged to report all suspicious or known security incidents as soon as possible in accordance with your company’s incident response plan.
2. Establish a Secure Connection to your Company Network.
A. All remote connections to your company network should happen via a secure connection or virtual private network (VPN). Such a connection encrypts the communications between your employee’s device and the network, and requires authentication of the employee before access is provided.
B. All remote connections should be authenticated using multifactor authentication. Such steps help prevent a bad actor from using stolen credentials to access your company network (very common these days).
C. Public Wi-Fi networks, such as those at coffee shops, airports, and hotels should be avoided unless a company VPN is in place and used.
3. Company Computer Use.
A. Whenever possible, all such remote work should be completed using company-owned devices and computers. Such use ensures existing security policies are being run on such devices and all system patches and malware protections are up to date.
B. Ensure your devices are running antivirus software with the latest updates from the manufacturer. When possible, updates should happen automatically.
C. Whenever possible, all portable devices should be encrypted at the hard drive level with a key maintained separately from the device. Such protections safeguard company data in the event of theft or loss, and may also prevent the need to issue notice under various state data breach laws.
D. Whenever possible, documents and sensitive files should be saved or uploaded to the company network and not on the company laptop or device itself.
4. Physical Security. Employees must always protect against unauthorized access to their devices and company data in remote locations, including from family members, friends, and others.
A. Hard copies of company sensitive material should be shredded prior to disposal or recycling. Such documents should be crosscut shredded whenever possible or otherwise rendered incapable of re-assembly or reading.
B. Home or remote offices, closets, or desks in which company data and devices are being used or stored should be physically secured using locks or other means to prevent theft or unauthorized use.
As with Andrea’s points, these security points are not intended to be exhaustive. But, if any of these terms or practices are foreign to your organization, take time to understand the benefits, risks and impacts of each as part of a broader risk assessment prior to commencing any or more remote operations. Rash decisions made in an effort to keep the business running in the face of a crisis can have severe consequences and open the door to security vulnerabilities that can harm the very business and customers you are seeking to protect.