Most businesses began 2021 with ambitions to return to the office. But in keeping with a trend of disruption, we are faced with new COVID variants, questions on when and how schools will respond, a cultural shift towards flexible work, and more. Given this uncertainty, remote and hybrid work paradigms are here to stay for the foreseeable future.
This is where legions of companies landed at the start of 2022. The hybrid work environment is now the work environment for many; and for those with essential onsite work, the way work is done has forever changed. Compliance and risk concerns that arise from the new normal work environment are increasingly complex and challenging – and compliance leaders must work cross-functionally to stay abreast of changes impacting business operations. Three concerns stand out as perhaps the most important of these challenges.
Cybersecurity Will Be a Bigger Priority for Everyone
Cyber threats have existed for decades, and as one business process after another underwent “digital transformation,” each transition exposed more of the enterprise to those dangers. Moreover, digital transformation allowed businesses to collect more data: about customers, consumers, employees, third parties. That spawned a wave of new data protection laws such as the EU General Data Protection Regulation and a bevy of state laws, such as the California Privacy Rights Act.
The pandemic, however, accelerated those digital transformations even more. Now essentially all business processes have to exist digitally to accommodate a combination of remote, hybrid and on-premises work. Businesses today must assume every business process happens digitally. Because of this, cybersecurity and privacy concerns permeate all business processes, all the time.
Many organizations were already well along in their digital transformation journey, but the new normal work environment means companies can’t rely primarily on physical office locations to provide strong cybersecurity. A distributed workforce means increased complexity to maintain cybersecurity across an unprecedented variety of work locations.
While IT security teams can continue to implement best practices such as a Zero Trust approach to cybersecurity, companies also need to rely more on employees themselves adopting a security-aware mindset. In the same way companies have relied on tone from the top, training, and incentives for anti-corruption, they’ll need to do the same for cybersecurity awareness and training. Employees should be trained and coached to be vigilant about cybersecurity – because in the hybrid world it will take a collective effort to maintain.
The Ability to Map the Company’s IT Assets Will Be Critical
Mapping is the ability to locate where corporate assets exist, both physically in the real world and logically as part of your company’s IT infrastructure. This includes data, devices, and critical applications. Prior to the pandemic, most IT assets existed in physical offices most of the time. In a hybrid work environment, those assets can be anywhere.
Compliance officers need to know where IT assets exist physically to understand privacy obligations and other regulatory compliance concerns. For example, China’s new data privacy law requires that data collected in China about Chinese nationals must remain in China; so, you need to know whether employees have mistakenly transferred that data to a technology service provider based in North America. Or, if employees start using corporate IT devices on a home network, you need to know so you can implement security protocols such as extra password protections.
Risk managers and CISOs, meanwhile, need to know the “logical” map of their IT environment. That lets them understand which applications are mission-critical to operations; which applications were installed onto the network without proper permissions; or which troves of data need maximum protection from ransomware attacks.
Mapping IT assets is critical to regulatory compliance and business continuity. A hybrid work environment makes the task more complicated, so companies must assure they have strong capabilities on this front.
Cultivating an Internal “Speak Up” Culture Will Be More Challenging
We can never ignore how important the human element is to effective compliance and ethics. In the hybrid environment, however, it becomes a lot easier for the humans to ignore the fundamentals of ethics and compliance.
This is not to say employees don’t care about ethics and compliance, because most still do. But working remotely can leave more employees feeling less connected to the organization — so when they do see misconduct, they may report the matter to regulators directly, or not report it at all. Compliance officers will need to work diligently and creatively to maintain those bonds of corporate culture and keep a speak-up culture strong.
At the same time, internal reports about corporate conduct will be even more important for compliance officers to hear. The types of misconduct or risk that might happen in a hybrid environment will be more varied, and the compliance officer’s ability to observe those activities directly will be more difficult.
Compliance leaders must demonstrate the importance of ethical conduct and make that message cut through all the other signals employees are receiving. Additionally, giving employees practical ways to report misconduct – whether they’re working on premises, remotely, or in a hybrid capacity – is a capability compliance officers must make permanent in 2022.
Ransomware and other cybersecurity attacks will become even more pervasive in 2022. The good news is risk and compliance officers now understand the tools they can employ against the threat, such as Zero Trust architecture and a security-aware corporate culture. The race is on to see whether compliance functions can execute on those ideas faster than the attackers can lay siege to your business.