The views and opinions expressed in this article are those of the thought leaders as individuals, and are not attributed to CeFPro or any particular organization.
By Victor Lessoff, Managing Director, Head of Internal Investigations, TIAA and Sudharshan Narva, Director, Data Analytics, Internal Audit, TIAA Financial Services
Why has there been an increased risk to data with remote working environments?
In response to the ongoing and evolving COVID-19 pandemic, almost all organizations have moved employees out of common “on-premise” work environments and into alternate “off-premise” work locations away from other people. The goal has been to move employees who do not need to be in a particular workspace away from other employees, including those who do need to be in the common workspace, in order to reduce the transmission of COVID among them. Many employees who used to work in offices, distribution or manufacturing facilities surrounded by others are now working alone, away from any direct contact with managers, peers, customers or subordinates.
Moving employees away from common workspaces does not, however, come without risk. Traditional anti-fraud and data loss prevention controls that were literally built into “on-premise” office and other work environments cannot easily be relocated to individual work locations. For instance, entry systems, barriers, locked containers and cameras that monitor employees’ physical actions in work environments (e.g. using a cell phone camera to take “screenshots” of customer PII) may not be replicable within home environments. IT equipment in employees’ personal possession may be at greater risk of compromise or theft. Supervisors can no longer “walk the floor” or “check in” with employees on a regular basis. In addition, inappropriate, fraudulent or concerning activity that may have been observable to other employees (or perhaps overheard) is now occurring within the confines of a person’s home, hidden from common view.
These physical surveillance and access controls not only served to detect inappropriate employee actions, including data misuse and theft; they also created a perception (call it a deterrent effect) that there was a high chance of getting caught if one were to engage in inappropriate or fraudulent activity, including data theft. When working “offsite,” one can now turn off the camera, mute the microphone or even feign connectivity problems to hide one’s actions and activities from others.