Even as the COVID-19 pandemic subsides in the United States, it has become increasingly clear that Work-From-Home (WFH) arrangements will remain the “new normal.” But what does this change mean for employers’ data privacy and network security?
Many companies’ workers not only adapted to WFH, but thrived under it. According to a VoxEU.org study, American workers increased their productivity as they used their former commuting time to do more work. Many American workers have also taken a liking to the WFH model. In recent surveys conducted by Harris Polls and reported by USA Today on May 19th, 2021, 40% of American workers report they prefer WFH on a full-time basis, with up to 75% of workers wanting a working arrangement which includes some WFH flexibility. Another survey reported on April 19th, 2021 by FlexJobs.com (a remote work job board) found that nearly 30% of workers would either quit or resign from their current positions if their employer forced them to return to the office full-time. The sentiment has even produced a hashtag, #thegreatresignation, across social media platforms like LinkedIn.
Whether #thegreatresignation is merely hyped-up social media buzz or not, the public data is being bolstered by internal company surveys and conversations with employees. Prudent management teams are currently rethinking their return-to-office strategies, and the accommodations they need or are willing to provide in order to retain and maintain their workforce. Some companies see adoption of a hybrid WFH-Office work model as a means to not only retain current employees, but attract new ones. While some positions simply cannot be performed well remotely, others can, affording talented workers the flexibility they are demanding. Therefore, post-pandemic WFH arrangements, whether full-time, hybrid or on-demand, are likely to remain a reality.
Companies making any formal changes to their pre-pandemic office-based employment arrangements are now going to need to take a careful look at their cybersecurity and data privacy policies and procedures in order to properly re-assess them, make the necessary adjustments, inform employees about the new requirements, and consider any necessary training. Exceptions to security measures temporarily afforded during the height of the pandemic must be re-evaluated if they are going to become permanent rules. A blended and expanded digital environment may result in more exposure to threat vectors, and a dramatically larger attack surface area that employers must defend.
Joe Kurlanski CISSP® HCISPP®, President of Prince Lobel strategic partner, Monarch Information Security Consulting, LLC, advises: “Permanent WFH or hybrid models present an interesting challenge, particularly for small to medium sized enterprise clients who likely do not have the budget to provide uniform equipment to their workforce. From a network security perspective, they are going to be faced with the choice of making significant hardware, software or cloud investments in order to ensure the security of their systems, or accepting the risk that employees may not be up to the challenge of properly securing home networks and computers. We also recommend creating a ‘security checklist’ for home networks, and adding language to Acceptable Use Agreements to cover new WFH responsibilities.”
Joshua Paquette CIPP-US, an Associate in Prince Lobel’s Data Privacy and Cybersecurity Practice Group, agrees. “This is going to unfortunately push a lot of companies out of their existing comfort zone and compliance posture and present new policy, training, and education challenges. Employers and employees who were previously able to rely on the in-house IT support system really can’t any longer. Additionally, with the complex tapestry of various data security laws and regulations, companies are going to need to revisit their data mapping and data inventories in order to remain in compliance with those laws going forward.”