Reassessing Corporate Security’s Role in a Hybridized “Work” Ecosystem

As we enter the third year of COVID, it continues to be clear that remote work is here to stay; employees and employers, however, are still grappling with the effects—positive and negative—borne from the pandemic.[i][ii][iii]

 

Many C-Suites (Chief Financial Officers in particular) are evaluating the Return on Investment (ROI) of their corporate security function. The sector-by-sector disparity of where corporate security falls on the org chart and the varied scope of responsibilities arguably influence the outcome of such analysis. Is the security department a strategic risk advisor or is it merely viewed as an OPEX line in the facilities budget? Legacy postures designed to keep fixed workforces and buildings safe are now seen by many as anachronisms.

 

As businesses reevaluate budgets and review headcount to prepare for a hybridized future, it is important to recognize that corporate security will continue to have a critical role to play in Enterprise Risk Management (ERM). Security departments in the near-term future will be more exposed to a diverse set of challenges that require both proactive postures and responsive capabilities. It is our assessment that corporate security departments will have a more prominent and hands-on role to play within four areas: cyber, travel, investigations, and assessments.

 

Cyber

It is no surprise that cyber will continue to dominate company expenditures and concerns. COVID and the nature of remote work have accelerated cyber-attacks against organizations[iv][v] and the need for tools and resources that can identify and prevent malicious behavior against company infrastructure, employees, systems, and third parties. The damage related to cybercrime was projected to hit six trillion dollars in 2021, according to some sources.[vi]

 

Remote workforce models bring a multitude of cyber-related risk challenges with respect to Bring Your Own Device (BYOD) policies, encryption and remote access, theft of company computers from public areas, and untrusted/unsecured Wi-Fi networks. Criminals will likely take advantage of the dispersed workforce model to push out more frequent scams to employee inboxes, such as phishing schemes; ransomware attacks against companies and businesses will also increase. Compromised credentials may take longer to reach thresholds that trigger internal responses, which could exacerbate the level of damage, both reputational and physical.

 

Additional concerns revolve around company employees working on or viewing sensitive company documents, Intellectual Property (IP), and policies within the confines of their homes or in public settings like coffee shops or communal workplaces. Previously, accessing and discussing sensitive information was largely done within secure offices or campus environments. How can companies track and have visibility to sensitive material that can be potentially exposed to guests and non-approved personnel as it is being viewed or discussed at home or in public unsecured settings? Does the responsibility fall on the employee, company, or the owners of shared workspaces to set up and adhere to rules or make accommodations? Companies will almost certainly need to update corporate policies to define how “public space” is classified or what areas are deemed acceptable for accessing and working on a wide range of sensitive matters.

 

It is likely that more invasive and draconian measures (e.g., real-time monitoring of employee network activity) will be implemented by companies to ensure their IP is being handled appropriately off site. Google is one such company that can and does delve into employee monitoring to help mitigate the accessibility and disclosure of sensitive company information.[vii]

 

This tactic will no doubt raise invasion of privacy concerns and may sow seeds of distrust, which could reshape corporate culture and/or lead to resignations or lawsuits from employees. Finding the right balance between trust and verification will be an ongoing challenge for businesses, particularly as companies and economies become more reliant on contractors and gig workers. Will this increased reliance on gig workers and contractors increase the insider threat risk? We’ll leave that topic for a future research brief we’re compiling.  

 

Travel

COVID has changed the nature of travel—possibly forever. During the early months of the pandemic, business and personal travel came to a virtual standstill. Customer-facing meetings changed to video calls, site visits moved to remote visits, conferences were postponed, events were canceled, and employees opted for local vacations instead of long-distance trips for personal time off.

 

Remote working has also changed the way companies and employees do business. Travel budgets will almost certainly be slimmed in the near term[viii], but business travel will not disappear completely.

 

In November, much of Europe opened for travel and vaccinated persons from more than 30 countries were allowed to enter the US.[ix] The fast-spreading Omicron variant has led to the implementation of additional testing and entry requirements but is unlikely to lead to full-blown lockdowns and border closures on a global scale. These measures were too detrimental to economies.

 

As governments weigh restrictions in response to new variants in the future, companies must engage with security departments and other partners to develop or revise policies and response/outreach capabilities as they pertain to travel and security. Remote employee safety and incident response for remote personnel and leadership stuck in disaster/conflict areas are two examples that will require careful planning, coordination, and outreach between departments. Scrutiny of travel safety, analysis of geopolitical tensions and localized conflicts, and the availability of remote medical care related to pandemic support would be prudent for all companies.

 

While not exclusively travel-related, new or re-emerging geopolitical challenges—including Russia’s military buildup on the border with Ukraine—must also be analyzed, as provocations and miscalculations on this front and others have the potential to escalate and spill over into a larger crisis that can lead to disruptions beyond the travel space.

 

Corporate security departments must also be prepared for potential surges in travel security-related requests from both internal travel departments and company employees as corporate travel restrictions are lifted and eased. Prioritizing and responding to these requests for information and assistance will demand a great deal of manpower hours in additional research, documentation, and messaging.

 

Investigations

Apart from possibly cyber, it is our assessment that the investigations department will be affected most by COVID-related inquiries into anomalous behaviors and suspicious events. With COVID, any violations or alleged violations—accidental or deliberate—of company COVID policies could result in fines or lawsuits against the company from health officials or from employees. These violations require some investigative due diligence.

 

Additionally, contact tracing-related investigations into the origin of positive employee cases will be handled in some capacity by internal investigations teams. Given the fluidity of COVID and local regulations, investigators must understand and stay attuned to COVID laws and scrutinize all alleged transgressions.

 

Dual employment and the insider threat have some overlap with respect to COVID and remote work. Numerous articles have surfaced in previous months identifying a COVID trend of remote workers changing jobs more often[x][xi] or holding two jobs, oftentimes with rival companies.[xii] Apart from going against many companies’ policies, there is the more pressing concern of using acquired IP from one job to advance the other.

 

We assess that the volume and velocity of other investigations will almost certainly pick up. These include reporting of theft of company property from areas not secured or monitored by the company; supply chain investigations; leaks of company information; expense, fraud, and finance-related investigations; investigations into threats and bullying of employees; company COVID vaccine mandates and employee responses and backlash; and inappropriate comments or video over company-issued platforms.[xiii] A robust investigations program can help minimize the financial, reputational, and emotional damage and fallout from such instances.

 

As discussed earlier, corporate security departments and specifically investigators and security systems personnel may also be called to assist more in sensitive practices such as employee monitoring on the cyber and productivity fronts. These practices have the potential to cross or blur the ethical line of how far companies can go to safeguard and preserve their assets.

 

Assessments

While remote working will drive many companies to consolidate and close offices, there will still be a need to have central hubs for co-working and expansion projects in cities and countries where there are large concentrations of employees, clients, suppliers, and talent.[xiv][xv] Video conferencing and remote viewings of factories and warehouses are effective—to an extent; there is no substitute for in-person assessments to gauge local conditions and follow up on self-reporting, particularly when there are new clients, sites and/or risks involved.

 

New office and expansion projects must be evaluated by internal security to ensure the surrounding environment and office building(s) are safe and secure. These services can be outsourced; however, full-time in-house security management should have eyes-on sites to assist in final recommendations, signoffs, and next steps.

 

In most of these areas, efforts to keep employees safe do not always fall squarely on security. The department often plays a significant and leading role; however, enhanced collaboration with Travel, Legal, and HR departments (among others) is required to quickly react to requests for privileged personnel information and to share resources and access. These partnerships must operate seamlessly in remote settings and in austere environments with reduced infrastructure due to manmade or natural disasters. 

 

People are seen by both themselves and their companies as essential. If employees do not feel safe within their physical or remote work environments, then they will almost certainly move on to new opportunities. In today’s hot job market with the high rate of employee burnout and a desire for change[xvi], companies cannot afford to lose qualified tenured personnel.

 

Ultimately, the onus of ERM lies with a company’s C-Suite and its board of directors. We find that corporate security leaders who were strategically positioned pre-pandemic were promptly engaged by C-Suite leaders at the outset of COVID to help integrate and align future company plans with the required security and safety risk mitigation postures and resources.

 

Security leaders who’d allowed their function’s utility to devolve to managing “gates and guards” may now find their value as a department under tremendous scrutiny by C-Suite leadership. Corporate security leaders who find themselves in this position should endeavor to strategically engage (or re-engage) C-Suite leaders to assess their current functional preparedness for leading security through the evolving workplace business model and to advocate for changes that are necessary to support the company’s near-future state.

 

One cannot overstate how the COVID pandemic put in motion a highly volatile set of dynamics that transcend society at large: people, geographies, work, and workplaces. The one certainty is that these massive disruptive shifts in how work is defined and executed have also redefined corporate security’s role within this evolving ecosystem. It is impossible to contemplate every variable that can or will likely affect corporate security’s function across all industries. However, we believe there has never been a better time than the present for corporate security leaders, C-Suites, and boards of directors to redefine corporate security’s role intelligently and strategically in ERM so that it can effectively evolve to support the workforce of the future.

 

Sources:

[i] Kim Parker, Juliana Menasce Horowitz, and Rachel Minkin, “How the Coronavirus Outbreak Has – and Hasn’t – Changed the Way Americans Work”, Pew Research, December 9, 2020.

[ii] Shep Hyken, “The Impact Of The Remote Workforce”, Forbes, February 28, 2021.

[iii] Krystin Arneson, “How companies around the world are shifting the way they work”, BBC, September 15, 2021.

[iv] Dan Patterson, “Cybercrime is thriving during the pandemic, driven by surge in phishing and ransomware”, CBS News, May 19, 2021. 

[v] Joseph Kovar, “Accenture Hit By Ransomware Attack, Latest Victim of ‘Cyber-Pandemic’”, CRN, August 11, 2021.

[vi] Steve Morgan, “Cybercrime To Cost The World $10.5 Trillion Annually By 2025”, Cybersecurity Ventures, November 13, 2020.

[vii] Sarah Krouse, “How Google Spies on Its Employees”, The Information, September 23, 2021.

[viii] Alexander Michael Pearson, Tara Patel, William Wilkes, “’Forever Changed’: CEOs Are Dooming Business Travel – Maybe for Good”, Bloomberg, August 31, 2021.

[ix] No Author, “As Rules Ease, Travelers Head to US for Emotional Reunions”, U.S. News & World Report, November 8, 2021.

[x] Jonnelle Marte, “U.S. workers are changing jobs more often and demanding better wages – NY Fed survey”, Reuters, September 7, 2021.

[xi] Caroline Castrillon, “Why Millions Of Employees Plan To Switch Jobs Post-Pandemic”, Forbes, May 16, 2021.

[xii] Rachel Feintzeig, “These People Who Work From Home Have a Secret: They Have Two Jobs”, The Wall Street Journal, August 13, 2021.

[xiii] David Matthews, Leonard Greene, “Writer Jeffrey Toobin suspended from New Yorker after exposing himself during Zoom call: report”, NY Daily News, October 19, 2020.

[xiv] Konrad Putzier, “Google to Buy New York City Office Building for $2.1 Billion”, The Wall Street Journal, September 21, 2021.

[xv] Gregory Barber, “If Work Is Going Remote, Why Is Big Tech Still Building?”, Wired, February 16, 2021.

[xvi] Te-Ping, Ray Smith, “American Workers Are Burned Out, and Bosses Are Struggling to Respond”, The Wall Street Journal, December 21, 2021.

 
