Last fall, when JPMorgan Chase, Goldman Sachs and other Wall Street firms started asking their employees to return to their office desks despite the Covid-19 threat, I was sure they were jumping the gun. In retrospect, it may have been yours truly who was jumping the gun, criticizing the investment behemoths without fully appreciating their reasoning. Michael Coden (more on him later) helped set me straight.
As readers may know from my previous , I’ve been closely involved in BCG’s efforts to rethink the future of work. This has led me to become a strong advocate of flex work: providing employees with more flexibility both in terms of where and when they work—in effect, redesigning work around life, rather than requiring employees to twist their lives around work.
I’ve also been reminding employers that the new model of work won’t suit everyone. Companies will have to make accommodations for colleagues who perform more effectively in a formal work environment—even if their jobs technically can be done from anywhere. They will also need to arrange for formal together time, so colleagues can build and maintain relationships and work through thorny problems together.
The concept of flexibility doesn’t sit well with some leaders. When they’ve voiced their concerns to me, my response generally has been: What does it matter where and when they work as long as they deliver results?
That’s why I was concerned—even a bit annoyed—when some of Wall Street’s key investment firms , where it’s standard practice for employees—especially younger employees—to work long, grueling hours. In the age of Covid, the risks seemed unreasonable to me. “Wow,” I thought, “what does this say about the culture of trust in these banks?”
Not long after, when I was chatting with my colleague Michael Coden, a cybersecurity rock star long associated with CAMS (), I realized I was wrong (not a rare experience) because I was seeing only what I wanted to see. Coden showed me the bigger picture.
He stressed that some work simply shouldn’t be done from home, not because the overwhelming majority of people performing such tasks aren’t trustworthy or don’t follow proper security protocols, but because even with proper training and state-of-the-art malware-, spyware- and virus-protection, it’s impossible to guard “100%” against security breaches. Moreover, as many organizations have learned the hard way, some employees aren’t trustworthy, and remote workers can more easily collude to commit fraud. That’s why there need to be rules, sometimes imposed by government regulators, to prevent fraud and other criminal acts. And those rules need to apply to everyone.
Among the work that never should be handled at home, he cautioned, are functions involving certain types of high impact financial information and financial transactions. This may include some trading information, account numbers, account balances, accounts payables, and M&A information that could enable someone to manipulate the financial markets or just plain steal money. When work is being done off-site, often on a laptop or personal computer, systems may be even more vulnerable. Besides, all it takes is one or two bad apples. Michael explained that it was partially this concern and the slow speed of remote connections that caused the investment banks to summon employees essential to the financial infrastructure of our country back to their offices, where both the cyber-weaknesses of home networks and ever-present “insider threats” are easier to minimize than when employees are working remotely.
I understood totally, having recently watched the movie which is built around the premise that if one (in this case two: cousins Vincent, the schemer, and Anton, the coding genius) could gain even a millisecond advantage in executing financial trades—the amount of time it takes a hummingbird to flap a wing—he or she could anticipate market moves, creating or destroying billions of dollars.
Perhaps I was being too hard on the investment banks. But I wasn’t completely wrong either. Just because some people need to work in a secure setting doesn’t mean everyone should be required to do so. And it looks like it is not just cyber concerns that have – or never having let them leave in the first place. There should be clear guidelines on which functions (such as those who serve in deal- and market-making roles) are so sensitive they can’t be done from home and which can be done easily from anywhere even in these firms.
While Coden’s focus is on cybersecurity, he realizes that a substantial percentage of knowledge, service, and technical workers, perhaps a majority, will be working remotely in the future, at least some days. By definition, this will increase the cybersecurity risks.
There are no perfect solutions. But there are plenty of straightforward things companies can do to minimize the threats, Coden said. Among other measures, he recommended the following:
· Upgrade end-point protection (EPS) software to end-point detection and response (EDR) software, which he described as “anti-virus software on steroids” that both protects computers from malware and automatically notifies the IT department when it’s detected, so the security wizards can make sure other employees aren’t being impacted.
· Require employees to quickly apply updates, including “security patches,” to their operating systems as soon as they’re available. Some people ignore notifications asking them to download a patch or a newer version of a program. That has to stop. When employees get such messages, they need to do as instructed—and if they don’t within the prescribed amount of time (say, 14 days), cut off their access to email and other company programs. Patching is basic hygiene. Equifax didn’t do this and that’s why it got hacked.
· Provide remote employees with company computers pre-loaded with all the necessary security software to get them off their family networks and personal devices, where infection risks are higher. During the Covid crisis, he noted, organized crime and nation-state hackers have been targeting children of CEOs, installing malware in their computers and “pivoting” on their home networks to gain access to the CEOs’ laptops.
· Teach employees to avoid risky online behavior, at least on their work computers. This includes no personal email on their work computers.
· Make sure they understand the “” threat, also known as voice-based phishing. Companies need to establish ways for employees to verify that the person to whom they’re talking is who they say they are—especially if they claim to be from the IT help desk.
· Track when people are working online, even if they work at odd hours. The IT department should be more vigilant about an account that’s active after the employee’s designated office hours. This is tricky, but it’s doable.
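The last recommendation, flagging account activity outside an employee’s designated hours, can be sketched as follows. This is an added example, not something from Coden or BCG; the schedule table, the sample sign-in events, the fixed UTC offsets and the 30-minute grace margin are all assumptions made for illustration.

```python
from datetime import datetime, time, timedelta, timezone

# Hypothetical designated hours: (local start, local end, UTC offset in hours).
# An end earlier than the start means the shift crosses midnight ("odd hours").
SCHEDULES = {
    "alice": (time(9, 0), time(18, 0), -5),
    "bob": (time(22, 0), time(6, 0), 1),
}

# Constructed sample sign-in events (user, UTC timestamp, source); not real logs.
EVENTS = [
    ("alice", "2021-03-02T15:10:00+00:00", "vpn"),   # 10:10 local, inside shift
    ("alice", "2021-03-03T07:45:00+00:00", "mail"),  # 02:45 local, outside
    ("bob", "2021-03-02T23:30:00+00:00", "vpn"),     # 00:30 local, inside night shift
    ("bob", "2021-03-03T13:00:00+00:00", "vpn"),     # 14:00 local, outside
    ("carol", "2021-03-03T10:00:00+00:00", "mail"),  # account with no schedule
]

GRACE = timedelta(minutes=30)  # tolerance before and after the shift (assumed)


def in_window(local_dt, start, end, grace=GRACE):
    """True if local_dt is inside the shift (plus grace), including midnight wrap."""
    for shift in (-1, 0, 1):  # shifts anchored on the previous, same and next day
        anchor = local_dt.date() + timedelta(days=shift)
        begin = datetime.combine(anchor, start, local_dt.tzinfo)
        finish = datetime.combine(anchor, end, local_dt.tzinfo)
        if finish <= begin:  # shift ends on the following calendar day
            finish += timedelta(days=1)
        if begin - grace <= local_dt <= finish + grace:
            return True
    return False


def off_hours_alerts(events=EVENTS, schedules=SCHEDULES):
    """Return (user, timestamp, reason) for every event that needs a second look."""
    alerts = []
    for user, stamp, _source in events:
        sched = schedules.get(user)
        if sched is None:
            # Accounts without a baseline are surfaced, never silently skipped.
            alerts.append((user, stamp, "no-schedule"))
            continue
        start, end, offset = sched
        local = datetime.fromisoformat(stamp).astimezone(
            timezone(timedelta(hours=offset)))
        if not in_window(local, start, end):
            alerts.append((user, stamp, "off-hours"))
    return alerts


if __name__ == "__main__":
    for alert in off_hours_alerts():
        print(alert)
```

An alert here is a prompt for review rather than proof of misuse, since people on flexible schedules will legitimately work outside their nominal hours.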
In the end, cybersecurity depends as much on education, ethics and honesty as it does on technology. Remote and hybrid work increase the risks, but they’re here to stay. So employers need to be smart about minimizing the risks, which in some cases will require that certain activities be done only on secure equipment in the company office. If organizations listen to experts like Michael Coden, remote work post-Covid will be even more secure than it was pre-Covid, when cyber concerns were not as high on the working-from-home radar screen.