Unlocking from Lockdown - Personnel and People Security implications
This week Boris Johnson hopes to start the UK down the “one-way road to freedom” with a phased unlocking of the UK economy and with it, a gradual return to some form of normality.
This will take time and there are still elements of uncertainty with dates to the various stages (being “lead by the data”). Many businesses and organisations are now considering what ‘business as usual’ (BAU) over the few months may look like, for example with hybrid models of both working remotely and, in the workplace, or with limited to full returns of customers to sporting and music venues.
The easing of lockdown and move towards BAU provides sites and organisations with incredible opportunities to review and establish secure new ways of working and also reinvigorate and embed good security practices and messaging.
Remote working as business as usual
Working remotely, if not handled appropriately, can result in unintentional causing harm caused by staff. For example, an environment that may not be ideal for working on sensitive material and following security policies that were not designed for a remote working (e.g. shared rooms, proximity to personal devices). In addition, normal line manager relationships and employee oversight are not easily replicated when working remotely.
As your organisation or site moves towards remote as a new BAU, it is timely opportunity to:
- Conduct a fresh risk assessment for the new BAU workplace, specifically identifying any posts that would carry heightened security risks that may require additional security measures in place.
- Refresh remote working policies including consideration of those roles that should not be remote working roles, prohibited locations for working (e.g. outside UK) and communicate these polices across the whole workforce.
- Ensure adequate provision of IT & technical support for remote workers, including ensuring that devices have adequate encryption and security software to reduce the threat of electronic attack or theft of information.
- Provide security awareness training and campaigns including on how and where to use both corporate and personal IT, knowing how to report any security concerns at an early stage [e.g. approaches online]. The emphasis should be on obtaining support rather than on disciplinary action.
- Involve employees in not only identifying potential vulnerabilities but also co-creating solutions with the organisation – i.e. being consultative on policy and process development, with end user testing and evaluation before implementing
- Provide support to Line Managers/Supervisors in managing remotely. Managers have a duty of care and continued engagement with team members is vital for early detection of concerns
Returning to the workplace
Some employees may have had a long absence from the workplace and may naturally have concerns about their return, which if not handled well could lead to disaffection (a known key risk factor in insider acts).
As organisations look to bring staff back into the workplace one of the key areas to help with this transition is a ‘return to workplace’ conversation. Organisations should provide line managers with advice and guidance on conducting a return to the workplace conversation that will support the organisation’s personnel security regime and may wish to consider a ‘Back to Work Pack’ for all staff.
In addition, senior management and internal communications have a key role to play in helping maintain, enhance or re-establish organisational trust between the organisation and staff in this critical transition period. This period, if not handled well, can result in undue stress and uncertainty and with it potential for disaffection in employees. For example, if employees do not know what to expect of the organisation over the next few months, their position in this and the potential impact on their roles or jobs. Guidance is available to help organisations engender and communicate to build and maintain organisational trust.
Returning to the workplace or BAU operation provides a unique opportunity to reinvigorate key security behaviours and messaging. This includes building in security deterrence messaging within information about reopening and reminding staff and, if applicable, public visitors to be vigilant for and report suspicious activity. CPNI have a range of off-the-shelf security behaviour campaigns available to assist.
Finally, face coverings are likely to continue to be in use for some time which can pose issues particularly for security personnel. Guidance is available on how to communicate effectively with face coverings.
When is normal the new normal?
It is clear from the rhetoric of both the Government and its Scientific Advisories that even with the roadmap outlined, there may be a few bumps along it, and getting back to ‘full’ pre-pandemic normality may still be some way off. To this end it is vital that organisations Personnel Security Risk Register is kept under frequent review as the situation continues to evolve and change and ‘Build Back Better’, securely.