Blog | Aug. 3, 2020 | 5 min read vCIO Guidance on Managing Your Institution’s Remote Workforce TwitterFacebookLinkedInEmailMessengerRemote workforce technology like virtual private networks (VPN) is nothing new for most financial institutions, though the technology has been primarily viewed as a secondary channel for working. In early 2020, the COVID-19 pandemic forced a new reality upon most businesses, requiring the adoption of a new perspective on how we work. The Race to Standup VPNs As businesses faced the reality that most, if not all, employees and peers were going to be forced to shelter in place, the sudden need to implement or expand VPN access was a logical reaction. However, this proved to be a frustrating exercise for many institutions. Financial institutions faced several challenges as they worked to provide their employees with VPN access. The rush to acquire laptops created a supply issue, and the sudden demand created a backlog for many IT departments and vendors working to configure new laptops. There was also the issue of remotely teaching employees, some of whom were not familiar or comfortable with the laptop formfactor or connecting to a VPN, how to do so while working remotely. Though faced with challenges, the financial services industry navigated an unprecedented situation and continued to serve customers and deliver essential services through remote access, staggered work shifts and social distancing. How to Develop A Work-From-Home Policy That Works Risk accompanies change, and in the rush to provide services without disruption, it is possible that institutions overlooked some risk factors. Some institutions considered allowing employees to use their own devices to access VPN. While there is a way to mitigate the risk involved in this approach, it requires a specific infrastructure and a special type of VPN environment that most institutions do not have. A VPN is a direct connection from a remote machine to an institution’s network, and it is unadvisable to allow any device the institution does not own—and/or have complete control over—to connect to network resources. While many institutions allow BYOD when it comes to cell phones, this is only done with the understanding and consent of the employee to allow the institution to assume a great deal of control over the device. In most instances, this approach only provides access to resources such as email or Microsoft Teams. The cell phone itself is not directly connected to the network, and the data being shared is limited and generally sandboxed through the deployment of some sort of mobile device management. This all combines to create an acceptable level of risk around cell devices. In general, most institutions will and should require the laptop or PC placed at an employee’s home to be owned by the institution. Once the device is acquired, configured and deployed, there is a new level of risk that needs be considered. It is advisable that all institutions create a mobile device and work-from-home policy to establish clear controls and inform employees of the special circumstances and risks involved. A work-from-home policy should include guidelines around protecting and securing access to devices and data that is likely to be stored locally, as well as information regarding the device now being an extension of the institution and a gateway into the private financial data of customers. Since people sometimes become less guarded and perhaps more relaxed in their judgement when working from home, consider extending web filtering to include devices that are off-network, since the web and/or weblinks embedded in email represent a significant threat vector. There are services that can determine the location of a remote device and restrict access to some degree, based upon location, and allow monitoring of access to the device and equipment that is attached and/or removed, as well as force the remediation of issues if needed. In addition, all computers require regular updates, and this is perhaps even more important for remote devices; being able to monitor and remediate patching is critical. At some point an issue will likely arise that requires a technician to be able to access the device, and an institution’s technicians or managed services provider should be able to reach the device without the employee making a special trip into the office. Remote devices should also be encrypted to protect the data and deter an unauthorized individual from accessing the device. It is common for remote workers to create and store digital shadow files on their devices, which highlights the importance of processes. Re-imagining the Work-From-Home Process In their rush to set up and provide remote access for their employees, many institutions realized after the fact that the business process did not accommodate working from home. Some processes would not work even when the employee was simply relocated to another building. Many businesses tried to leverage technology to force traditional, well-established business processes into a reality that no longer accommodated them. While some institutions successfully created inventive workarounds to overcome these issues, the reality is that efficiency was likely lost. This new reality represents a strategic opportunity to fundamentally reassess and rearchitect business processes to rid institutions of inefficiency. Additionally, there is an opportunity to build in some intelligence and leverage robotic process automation, especially for repetitive tasks that require little thought. Systems can now accommodate a relatively sophisticated level of decisioning and routing of information and processes. A Remote Workforce Strategy for the Future The longer any event continues, the greater the lasting effects. The COVID-19 pandemic was a catalyst that dramatically accelerated change. Many analysts believe change was accelerated by three to five years, and most believe that the changes will be equivalent to a decade of change if the pandemic continues through the end of 2020. Grappling with the disruption from forcing a decade of change in the span of a year, how can institutions leverage this new reality for their benefit? The work-from-home phenomenon is likely to be the new standard for a large portion of financial services workers, as well as many other businesses. At the very least, businesses will likely implement a hybrid of working from home and in the office for special events or on a rotating basis. People are receptive to the idea of not spending so much time and personal resources on commuting, requiring institutions to address this topic when it comes to talent acquisition and retention. This also presents the opportunity to reevaluate positions, as the need for full-time employees may change if contract employees are better suited for some tasks. Learn More About Managing A Remote Workforce from the vCIO Team Institutions should consider exploring and investing in infrastructure and technology that facilitates these strategic objectives to compete in the new reality. Learn how CSI’s vCIO services can partner with your institution to deploy secure remote workforces and empower success in the new work-from-home reality by visiting our remote workforce resource center. This document contains proprietary information from the CSI vCIO Team and is provided to vCIO customers as a guide or framework which may be modified to suit the needs of the customer. CSI makes no guarantees or warranties of any kind, expressed or implied, with respect to the use of this information.