Like the auditors, evaluators, assessors and certifiers before us, we are now confronted with a new cultural reality brought on by medical concerns. People at high risk and people at lower risk of COVID-19 are changing what they work on, how they work and where they work. The result is a distributed workforce that, for the most part, is working from home. Telecommuting has brought into play collaboration tools that, until now, were used relatively infrequently compared with face-to-face meetings. The following are 3 areas that need to be revisited to ensure that the purpose for which people are employed is still being served:
- Product selection—The rules of product selection have not changed; however, organizations today rely more and more on external collaboration services. I must have evaluated at least 20 collaboration products and services in the last 3 months. I cannot emphasize this enough: just because the technology of a product or service is configured securely does not mean the product or service is secure. Evaluating traditional safeguards such as enterprise ownership, investors, etc., is just as important. In my evaluations, I found securely configured products and services that were putting my customers’ data at risk. These flawed vendors were failing in 2 ways, and they were the least likely to be suspected: the ones I identified held all of the proper government certifications, their technology was hardened and their data paths were encrypted. Here is what was wrong. Using a sniffer, we found that the applications were “calling home,” and we also believe the applications were scanning the hard drives of every computer on which they were installed. The second error was simply blatant: on its servers in the cloud, a vendor was tapping into conferences and providing recordings to other countries. Yet this vendor would pass a technology checklist. However, I did find a collaboration tool that encrypts all data in transit and at rest. The encryption key changes for every transaction, whether a message, a video conference, etc. The user chooses the root key, and all subsequent keys are derived from it.
- Point-of-entry biometrics—I have been involved with many biometric projects, covering everything from contactless fingerprint capture to face and voice recognition from a distance of more than 200 meters. I have also worked on capturing body measurements such as respiratory rate and pulse to determine an individual’s stress level. Today’s latest biometric is body temperature, captured both up close and at a distance; in some cases, it is captured at a distance without the individual’s knowledge or consent. The thinking and advertising of the vendors clearly state that if your body temperature is elevated, you may have COVID-19 and should not be allowed entry to a building, for example. Whether this is a violation of the US Health Insurance Portability and Accountability Act (HIPAA) is unclear and remains unchallenged. Organizations nonetheless need to be sensitive to the fact that capturing biometric information, using it to make a diagnosis and then acting on that diagnosis can put them at risk. In everyone’s zeal to protect the workplace and society, we may put the organization at financial risk from those who are denied entry or who refuse to have their temperature captured. If your organization is considering implementing this process, obtain a signed release from your employees.
- Productivity—How to measure the productivity of those who telecommute has been an ongoing question. It is a lesser concern for organizations whose employees do piece work: if a person is supposed to build 30 widgets an hour and produces 15, there is a productivity issue. In the service industry, however, precise measures are not always possible; in fact, to me, all measures of service-industry productivity are subjective. When conducting reviews associated with telecommuting, the number-1 indicator I use to determine productivity is whether the employee has canceled their childcare. Being a parent, I am familiar with the distraction of chasing kids around the house.
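A practitioner can reproduce the “calling home” check described under product selection before a product is approved. The script below is an added example, not code from this article or from any vendor: it reads a per-packet listing exported from a capture with tshark (the export command is in the comment), totals the traffic the client workstation sends to each destination, and flags destinations that match neither the host names nor the address ranges the vendor documents. The vendor host names, the address ranges, the client address and the capture lines are all constructed for the example; the addresses come from the RFC 5737 documentation ranges so nothing points at a real service.

```python
"""Triage a packet capture for destinations a collaboration client was not documented to use."""
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Constructed capture, in the shape produced by
#   tshark -r capture.pcap -T fields -E separator='|' -e frame.time_epoch -e ip.src \
#          -e ip.dst -e tcp.dstport -e tls.handshake.extensions_server_name -e frame.len
# The SNI field is only populated on the TLS ClientHello packet of each flow.
# Addresses are RFC 5737 documentation ranges; host names are invented for the example.
CAPTURE = """
1590000000.10|192.0.2.25|203.0.113.10|443|meet.example-vendor.com|583
1590000000.15|192.0.2.25|203.0.113.10|443||1514
1590000001.02|192.0.2.25|198.51.100.7|443|telemetry.example-analytics.net|517
1590000001.09|192.0.2.25|198.51.100.7|443||4096
1590000002.50|192.0.2.25|203.0.113.44|443|cdn.example-vendor.com|420
1590000061.04|192.0.2.25|198.51.100.7|443||4096
1590000121.07|192.0.2.25|198.51.100.7|443||4096
"""

CLIENT_IP = "192.0.2.25"  # the workstation under test (constructed)

# What the vendor's documentation says the client talks to (constructed allowlist).
VENDOR_DECLARED = {
    "hosts": ("meet.example-vendor.com", "cdn.example-vendor.com"),
    "nets": ("203.0.113.0/24",),
}


def parse_capture(text: str) -> List[dict]:
    """Turn the '|'-separated tshark export into one dict per packet."""
    records = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, sni, length = line.split("|")
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "dport": int(dport), "sni": sni, "bytes": int(length)})
    return records


def is_declared(dst_ip: str, sni: str, declared: dict) -> bool:
    """A destination is declared if its SNI is a documented host (or subdomain of one)
    or its address falls inside a documented range."""
    if sni and any(sni == h or sni.endswith("." + h) for h in declared["hosts"]):
        return True
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(n) for n in declared["nets"])


def summarize_egress(text: str, client_ip: str, declared: dict) -> Dict[str, dict]:
    """Aggregate outbound traffic from the client per destination ip:port."""
    flows = defaultdict(lambda: {"bytes": 0, "packets": 0, "sni": set(),
                                 "first": None, "last": None})
    for r in parse_capture(text):
        if r["src"] != client_ip:  # only what the workstation sends out
            continue
        f = flows[f'{r["dst"]}:{r["dport"]}']
        f["bytes"] += r["bytes"]
        f["packets"] += 1
        if r["sni"]:
            f["sni"].add(r["sni"])
        f["first"] = r["ts"] if f["first"] is None else min(f["first"], r["ts"])
        f["last"] = r["ts"] if f["last"] is None else max(f["last"], r["ts"])
    result = {}
    for key, f in flows.items():
        dst_ip = key.rsplit(":", 1)[0]
        snis = sorted(f["sni"])
        result[key] = {
            "bytes": f["bytes"],
            "packets": f["packets"],
            "sni": snis,
            "span_s": round(f["last"] - f["first"], 2),  # long spans with few packets suggest beaconing
            "declared": is_declared(dst_ip, "", declared)
            or any(is_declared(dst_ip, s, declared) for s in snis),
        }
    return result


def undeclared_destinations(text: str, client_ip: str, declared: dict) -> List[str]:
    """The destinations to take back to the vendor (or to the decision-makers)."""
    summary = summarize_egress(text, client_ip, declared)
    return sorted(k for k, v in summary.items() if not v["declared"])


if __name__ == "__main__":
    for dest, info in summarize_egress(CAPTURE, CLIENT_IP, VENDOR_DECLARED).items():
        flag = "ok        " if info["declared"] else "UNDECLARED"
        print(f'{flag} {dest:<20} {info["bytes"]:>7} B {info["packets"]:>3} pkts '
              f'{info["span_s"]:>7}s {",".join(info["sni"])}')
```

Run it against a capture taken while the client is installed but idle, with the workstation otherwise quiet; anything listed as undeclared, especially a destination contacted at a regular interval over a long span, is exactly the kind of traffic that a configuration review will not surface.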
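The key scheme described under product selection, a root key chosen by the user with a different key for every transaction derived from it, is a standard key hierarchy. The code below is an added example, not the tool’s own code or any vendor’s implementation: it stretches the user’s root secret with scrypt, binds it to a conversation with HKDF-Extract, and derives one 256-bit key per transaction with HKDF-Expand (RFC 5869), using a counter and the transaction type as context. Two parties holding the same root secret derive identical keys without ever sending them, and a captured transaction key gives no way back to the root or to any other transaction key. The context labels, the conversation identifier and the scrypt cost parameters are assumptions made for the example. One caveat the article does not spell out: because the user picks the root key, its strength is the strength of the user’s choice, which is why the passphrase is stretched before use. The per-transaction keys should then feed an authenticated cipher such as AES-GCM, which the Python standard library does not provide, so here each key is only used to tag a message with HMAC.

```python
"""Per-transaction keys derived from one user-chosen root secret (added example)."""
import hashlib
import hmac
import struct
from typing import List, Tuple

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC(salt, IKM)."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i), OKM = T(1) | T(2) | ..."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested key material too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def root_key_from_passphrase(passphrase: str, salt: bytes) -> bytes:
    """Stretch a user-chosen secret with scrypt so a weak choice costs an attacker real work.
    Cost parameters (n, r, p) are assumptions; raise n where the hardware can afford it."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


class TransactionKeys:
    """One side of a conversation: derives a fresh key for every message, call or file."""

    def __init__(self, root_key: bytes, conversation_id: bytes):
        # Binding the PRK to the conversation means the same root key used in two
        # conversations yields unrelated transaction keys.
        self.prk = hkdf_extract(salt=conversation_id, ikm=root_key)
        self.counter = 0

    def key_for(self, counter: int, kind: bytes) -> bytes:
        # Context string layout is an assumption for the example: label | kind | counter.
        info = b"collab-v1|" + kind + b"|" + struct.pack(">Q", counter)
        return hkdf_expand(self.prk, info, 32)

    def next_key(self, kind: bytes) -> Tuple[int, bytes]:
        """Sender side: advance the counter and derive the key for this transaction."""
        self.counter += 1
        return self.counter, self.key_for(self.counter, kind)


def tag(key: bytes, counter: int, kind: bytes, payload: bytes) -> bytes:
    """Integrity tag over the payload; counter and kind are bound into the tag so a
    message cannot be replayed under a different transaction number or type."""
    return hmac.new(key, struct.pack(">Q", counter) + kind + payload, HASH).digest()


def receive(receiver: TransactionKeys, counter: int, kind: bytes, payload: bytes, mac: bytes) -> bool:
    """Receiver side: rederive the key from the announced counter and check the tag."""
    expected = tag(receiver.key_for(counter, kind), counter, kind, payload)
    return hmac.compare_digest(expected, mac)


def demo() -> List[bytes]:
    """Alice sends two messages; Bob verifies both holding only the shared root secret."""
    salt = b"conversation-salt-16"  # constructed; per conversation in practice
    root = root_key_from_passphrase("correct horse battery staple", salt)
    alice = TransactionKeys(root, b"conv-42")
    bob = TransactionKeys(root, b"conv-42")
    keys = []
    for payload in (b"hello", b"second message"):
        n, k = alice.next_key(b"msg")
        assert receive(bob, n, b"msg", payload, tag(k, n, b"msg", payload))
        keys.append(k)
    return keys


if __name__ == "__main__":
    k1, k2 = demo()
    print("per-transaction keys differ:", k1 != k2)
```

The receiver rederives each key from the counter the sender announces, so keys never travel on the wire; the same root secret in a different conversation, or the same counter with a different transaction type, yields an unrelated key.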
I have also learned that describing a small team as “well managed” communicates that its objectives were met but does not identify who in the group was productive and who was not; at most, it surfaces the individuals whom others perceive as not contributing. To address this, every team member should have a telecommuting plan that includes their responsibilities and goals. An independent manager needs to evaluate the distribution and difficulty of each task across the team to ensure that the division of labor is realistic. Teams should also be subject to job rotation, to confirm that people perceived as unproductive are in fact unproductive rather than simply not well liked.
Even productivity tools that monitor every interaction on an employee’s computer do not tell you how productive the person may or may not be. (If you are unfamiliar with them, these tools record which applications are used and for how long, which websites an employee visits and the employee’s keystroke counts.) Relying on such tools may be an invasion of privacy, but more importantly, they measure the mechanics of doing a job rather than the work performed. It is consistent with the expression “Accountants know the cost of everything, but the value of nothing.”
The number of meetings or teleconferences an employee attends is not a useful measure either. Outliers who act as gatekeepers are normally critical to organizations but not terribly active. In one case, an organization terminated a gatekeeper who was viewed as unproductive; then, after an annual event, it had to pay that person a very large sum to come back and help with a series of seasonal events that the newly responsible person could not lead. Finally, realize that telecommuting will not make problem employees better. In fact, it can be argued that, whether or not people remain productive, it is almost certain that they are less efficient.
In the end, the decision of which of these points, if any, need to be addressed, or even should be addressed, is up to senior management. Informing your decision-makers and providing options is well within the responsibility of a cybersecurity professional. It is critical to understand senior management’s position on monitoring productivity and on selecting collaboration services. It is equally critical, as I have found out, that every product or service be evaluated, even one recommended by a senior manager.
Bruce R. Wilkins, CISA, CRISC, CISM, CGEIT, CISSP, is the chief executive officer of TWM Associates Inc. In this capacity, he provides his customers with secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.