3 data safe work-from-home habits CIOs should consider

Organisations have been exposed to a significant number of megatrends and disruptors in a short space of time. One such disruptor that, rightly so, is getting quite a bit of attention is the megatrend of remote-working, also called work-from-home (WFH) or work-from-anywhere.
Gartner and the like are regularly canvassing organisational decision-makers to track this megatrend. With each survey the realisation cements a bit further that business and consumer technology, workplaces and society or families have morphed and evolved to make remote work a viable option for a wider variety of positions.

But whether any percentage of employee groups are working away from the traditional office environment some or most of the time, the fact is that there is a risk of new habits forming that could reach far beyond the productivity of employees. Because when the digital and data privacy age intersected paths with the post-pandemic age, organisations entered an era where cyber security is an always-on priority. Compromised security may lead to considerable and costly organisational down-time. Moreover, when the Protection of Personal Information Act (PoPIA) comes into effect on 1 July 2021, organisations and their information officers will be held accountable for non-compliance with significant consequences.

To help organisations set priorities and make decisions that better protect the safety of organisational data, devices and personal information, organisations can empower employees to navigate the change in a way that balances a need for convenience and security by considering habits relating to these three themes:

1. Bring your own (unsecured) device

Allow me to start at the beginning – with the potential threat of connecting unsecured personal devices to work. There is no denying that the bring-your-own-device (BYOD) trend is not a new layer of security for organisations to consider. We regularly advise organisations to proactively consider BYOD security and data handling policies now that many employees are not as desk bound as they may have been before.

The parameters as set out in organisations’ cyber policies or similar are intended to create both a safe and convenient work environment. But for these policies to be effectively implemented, employees and employers need to enter a trust circle where both parties fully understand and accept that when only one employee’s device is compromised, lost or stolen, it puts the data of the entire organisation – as well as any personal information stored on their device – at risk.

When facilitating this change process, we often recommend to our clients to host a BYOD policy question and answer information session as part of the overall implementation of a cyber policy. This provides employees with a forum in which they can ask questions relating to the implementation of the new policy. This ‘townhall-style’ session offers employees a sense of ownership and inclusion, which, in turn, will give greater clarity as to the level of access that an employer has to their personal information. The end result is an employee who trusts the system, is aware of the access the organisation has to the device and how that access protects the organisation and its stakeholders. In the event that the device might be lost or stolen the information could, for example, be secured or deleted remotely.

2. Using unsupported collaboration tools

We often find that teams start to adopt productivity tools and systems at their own discretion, without taking into consideration the ‘consumification’ of popular productivity and collaboration platforms such as Facebook Workspace or WhatsApp. These chosen ‘systems’ may not support the organisation’s workflow, employee culture or the needs of the teams who are required to work on them. The result is that workflow is fragmented. Data is also at risk when the IT department or other team members do not have line of sight of all the different tools and systems used to manage information. We also find that productivity suffers quite a bit in such a siloed environment.

To address this during the change management process, we work closely with organisations and all their relevant departments to understand their culture, workflow and desired business outcomes. Only then can we determine which tools and systems align best to optimise security and productivity – which creates a solution whereby systems work for people, as opposed to people working for systems.

Providing the tools employees will actually need and use is a much more successful strategy when curbing adoption of unauthorised tools. Such a strategy also prevents a scenario where teams do not contact the IT department for help, assuming their needs will be turned down, leading to the adoption of unsupported platforms – a particular challenge in large organisations.

3. Information and human error over-exposure

Besides having too many conflicting productivity tools and systems that can hamper productivity and dissolve work-life boundaries, working from home can also lead to over-exposure of organisational data and, ultimately, diluted attention management. By this we mean that with every new productivity tool the employee is exposed or introduced to, the risk of a breach or human error increases when employees are managing multiple systems all at once.

A practical example is an organisation where Microsoft Teams is the official internal communication platform – a team may have started a WhatsApp group at their own will without consulting the IT department or perhaps there was a lack of proper policy enforcement. Employees now manage notifications on several platforms including email. Humans were not designed to manage so many notifications.

We recommend that organisations educate employees on practising safe work-from-home and device habits. Empower employees with sufficient awareness of potential security threats that may lurk when defaulting to the convenience-driven habits of saving work (or worse, collaboration platform login details) directly on their hard drives.

Conduct regular training sessions to familiarise employees with basic security practices like the rules of secure data sharing and the regulations of the PoPIA, to which organisations are required to lawfully and fully adhere with effect from July 2021. Enforce a sense of shared responsibility. The IT department is not the sole protector of the organisation. The collective organisation – and anyone who is part of it – is accountable. It may also be a good idea to schedule regular check-ins to make sure employees have applied the information they have learnt and know how to move forward practically and securely with organisational data, whether they work remotely or at the office.

Privacy by design with security in mind

CIOs and the like should give top priority to addressing these and other questionable cyber security habits – even if these habits may be unintentional. The consequences of compromised organisational data simply become too large as more and more leadership embrace remote work policies.

Under the guidance of experienced change managers and legal experts, organisations are best able to fully embrace up-to-date policies and technologies within day-to-day activities, especially when they are designed specifically around the needs of the organisation.

As the post-pandemic and cyber security ages are colliding, it also creates new benefits. And these go far beyond the need to simply avoid non-compliance fines and unsurmountable loss of profit or reputational damage. Instead, these evolving organisations are flourishing as they adopt business unusual and go a couple steps further to embrace this much talked about workplace of the future – but one that is safe.

Learn more:

The multi-disciplinary change management consultant and attorney team of Kriel & Co and ENSafrica has the experience and expertise to design organisational privacy that fits the needs of organisations of any size committed to protecting data and personal information. Contact hello@krielandco.com

More about the author:

Francois Kriel is an IMCSA-accredited management consultant with change management and digital transformation as specialisation areas. He works full-time as director at Kriel & Co where he leads a dynamic team currently facilitating digital change at several high-profile organisations. Kriel also supports Stellenbosch University as guest lecturer to business management honours students. He is an advocate for collaborative leadership, mentorship and LGBTQI+ inclusivity.
