5 Ways to Ensure Compliance During COVID-19 in South Africa

The manner in which an organisation’s employees collaborate with each other has been transformed since COVID-19 was declared a global pandemic. With a large portion of the global workforce working from home, this has turned out to be the largest, forced experiment in testing the effectiveness of a distributed workforce. While there are many proven benefits an organisation can reap, one must first understand the compliance challenges to determine the extent to which these benefits can be realised.

Ensuring adherence to various regulatory legislation and company policies relating to data security, for example, can become a challenge with a distributed workforce. Many organisations have been caught off guard and are now scrambling to implement measures to enable continued delivery, while mitigating risks of remote work. Despite a few organisations having tested such measures for some time, many are still experiencing some challenges. Some of these challenges and suggested mitigations associated are outlined below. 

1. Ensure increased awareness of compliance requirements

Not only do existing policies that allow work to continue remotely need to be strengthened (e.g. policies on data security, client information confidentiality and management of company infrastructure), but there needs to be increased awareness and adherence to these policies. Driving awareness and change when employers have face-to-face interaction with employees is challenging enough, but doing so virtually is an even bigger challenge.

There is a need to be creative with how compliance requirements are communicated. Facilitating knowledge sharing sessions via video conferences to educate the workforce, or even implementing gamification methods to ensure adherence to risk mitigation measures are just some of the steps that must be taken.

Increase visibility of data security policies across your organisation

2. Treat sensitive information even more securely than before

With employees utilising home network connections – and in some cases, even public networks – to access company resources, weakened security safeguards increases the risk of malicious attacks, such as hackers using unsecured network connections to distribute malware. Having infected software on corporate devices can financially cripple organisations. For smaller firms, this becomes a bigger challenge, as enterprise-grade security safeguards come at a significant, often unmanageable, cost. 

Additionally, when dealing with personal information of stakeholders, most incidents typically take place due to human error. When employees are not located in an office, the tendency not to adhere to data security best practices increases, e.g. using personal email for work-related items. The Protection of Personal Information Act (2013) requires organisations to put in place additional security safeguards to protect the personal information of anyone it deals with. Ensuring measures such, as the following are in place will reduce the risks of leakage or misuse:

• Not disposing of sensitive documents irresponsibly, in home refuse bins, but instead waiting to get back to the office to dispose of them appropriately
• Ensuring only invited participants join on conference calls, to avoid sharing of sensitive information to the unintended recipients 
• With a sharp spike in the use of electronic communications, like emails, it is imperative to ensure emails are sent to the right people. Tools can be developed in-house to warn the sender when a potentially unintended recipient has been included into a mail

3. Put in place stricter measures on the use of collaboration tools, without restricting the usage where not necessary

In large organisations, collaboration tools are typically taken through stringent assessments to ensure they do not put the organisation at risk. However, organisations will struggle to stop the use of similar free-to-use tools. For example, the videoconferencing tool, Zoom, which lacks stringent security safeguards, such as end-to-end encryption, has recently dealt with several security issues as its usage has skyrocketed globally. 

Wherever possible use videoconferencing tools with end-to-end encryption

Instead of trying to stop the use of such tools, organisations should focus on creating awareness of risk mitigating steps that can be taken. For example, advising employees to avoid recording calls, to not share sensitive data and to avoid clicking on or sharing links within these tools. Furthermore, password protecting all conference calls on these tools can be an added measure to stop rogue attendees from joining, which has become a reality recently. 

4. Managing company assets more closely

As part of an IT Asset Management Strategy, using company assets off-site isn’t a new concept, the risk of mismanagement and loss of assets has increased exponentially. Implementing a comprehensive asset register will provide a view of the assets outside the organisation’s premises. With a better view of the size of the risk, an organisation can make a fact-based decision about additional measures required, such as increasing insurance cover. Technological solutions, like geofencing, give organisations more control over additional security measures implemented on a device when it is not within a predefined location boundary. 

Consider geofencing technology to implement additional security measures for off-site delivery

As much as these strengthened measures are necessary during this time, it is likely that a distributed workforce will become more widely accepted after this pandemic. It would be best for organisations to use this challenge as an opportunity to relook at the way it deals with the non-compliance risk of a distributed workforce and implement future-proofed measures to mitigate the risk now.

Use data to understand the effectiveness of controls in place across your business