Internet of Things (IoT): should you be worried when working from home

With many countries once again in lockdown, remote and home working look set to be the norm for many of us for some time to come. In the longer term, developments suggest a transformation in the attitude of many employers to remote and home working - recent surveys of large investment banks, for example, refer to 75% now expecting to allow staff to WFH (at least some of the time) post-COVID. Technology businesses such as Twitter have gone further - with Twitter announcing that it will allow all of its employees to work from home permanently and Spotify introducing a "Work From Anywhere" strategy which allows staff to work from wherever they do their best creating and thinking.

Many businesses have moved quickly during the pandemic to embrace innovative technology solutions to help facilitate expanded home and remote working and to limit the need for in-person interaction in the workplace.  

The Internet of Things (IoT) - interconnected devices on which we increasingly rely in order to manage and live our lives - has a central role to play in these developments. At the same time, concerns around cyber security, increased surveillance, data aggregation and the potential for adverse impact on culture and jobs have led some to see a negative side to the IoT in the evolution of new ways of working.  

As employers focus on the long term impact of COVID and as the prospect of any return to the "old normal" fades, we consider some of the opportunities and challenges offered by the IoT in shaping the market-leading employer, post-COVID.

1. Always listening...?

Cybercrime - and risks of data and IP theft - has been a very real concern throughout COVID, with cyber criminals adopting, and constantly evolving,  a range of methods - from hacking passwords, phishing emails, staff impersonation to malware.

Added to these more "traditional" cyber threats, much has also been made of the risk of breach of confidentiality and illegal activity via IoT devices. Many IoT device users may not appreciate the extent to which IoT devices are "live and listening". More generally, IoT technologies carry security and cybersecurity risks, which go beyond the devices themselves and carry a risk to the wider network or system to which they connect. Many devices are small, low cost and low powered. Limited user interfaces in such devices mean that they are unable to implement common security features or methodologies and are designed to operate over a long period of time, without supervision or updates (which would include software updates to address security concerns).

In many cases, the manufacturer would not be liable for a cybersecurity breach which means there is little incentive for device manufacturers within the IoT industry to incorporate security into device designs. But, authorities are increasingly looking at regulation for consumer IoT devices. In addition, authorities, industry bodies and large technology companies have produced guidance and recommendations on IoT security (including the Code of Practice for consumer IoT security (published by the UK's Department of Digital, Culture, Media & Sport) and the UK's National Cyber Security Centre's guidance for using Smart Devices safely in the home).

Employers are also rightly concerned about confidentiality and security, so it's not surprising that, among wider directions to staff to address these concerns, there have been reports of employers requiring staff to turn off IoT devices that have 'listening' capabilities during work hours, for fear of confidential discussions being overheard. Data authorities are interested too - the UK ICO has recently issued guidance for employers and individuals on working securely from home and security considerations around use of personal devices.

Policing such policies can be hard at a distance though, especially in multi-person households where many different IoT devices are automatically synced-up for day to day convenience. Implementing effective security perimeters will be paramount, with a need for more sophisticated policies and working practices to ensure appropriate security. In addition to policies, employers can consider traditional security measures such as encryption (e.g. through the use of a virtual private network (VPN)) and managing permissions to assist with the risks posed by the IoT.

For IoT developers, this increased scrutiny on security issues will continue to drive the incorporation of security by design from inception and on upgrade of products, in response to market demand.

It is essential to ensure the workforce is invested in the need to protect the organisation from these risks and remain alert, so as not to compromise both their work and home/personal devices.

2. ... Yes please!

The balancing act between individual privacy and regulatory compliance remains an ongoing challenge. Regulated firms in the UK financial services sector were permitted some early breathing space during COVID with regard to expectations around recorded calls. As we enter 2021, however, the FCA has now been clear that, "given the extensive duration" of COVID contingency arrangements, it now expects firms to record all relevant communications (including voice calls) when working outside the office. 

All in-scope firms now need to focus on ensuring that appropriate control environment arrangements are in place for call recording and monitoring. This may in turn extend to arrangements for use where staff are using personal devices and create further opportunities for IoT functionality to assist compliance.

3. Surveillance and data

Remote monitoring and surveillance during COVID continue to give rise to wider concerns.

With reports of employers developing extended surveillance of workplace communications, social media, productivity and at-screen presence and increased use of proximity and other monitoring, the IoT looks set to play an increasing part in monitoring of remote workforces during and post-COVID. 

Many employers will continue to take a sensitive and proportionate approach to monitoring, based on clear and balanced operational and risk impact assessments. In other cases, however, there remains risk of adverse impact on workplace culture and individual wellbeing from enhanced monitoring. Organisations will need to step carefully in assessing the impact and cost-benefit analysis of heightened surveillance of remote workforces via the IoT.

On the plus side, there is also the prospect of using such surveillance data to assess resourcing requirements,  monitor wellbeing and ensure downtime is taken (in some European jurisdictions there is the legal right to disconnect). Sharing such data (personal to the individual employee) can be useful for both employer and employee. More broadly, the IoT has already enabled important innovation as employers have sought to respond to evolving government guidance regarding health & safety and COVID secure working - using IoT-connected devices and applications to monitor attendance and interaction, to check compliance with proximity and social distancing requirements and to coordinate COVID-secure workplace and access arrangements.

In aggregating and using data in this way, IoT users and developers remain subject to data privacy requirements. Ensuring continued compliance with evolving law and guidance across jurisdictions will remain a continuing challenge. 

4. Next generation skills

These changes will also create workforce challenges, as greater workplace automation and innovation lead to changing skill and resource requirements. As we adjust to longer term remote working and the increasingly digital workplace, businesses will need to continue to encourage staff to embrace new tools and systems and to be comfortable settling into life as "life-long learners". The developments in IoT technology will undoubtedly become a factor for employers to consider going forward, including with regard to talent pools and planning.

Alongside this, continued and evolving challenges around security, data privacy compliance, IP protection, culture and ethics will mean organisations will need to create and maintain clear rules, standards and training, which will need to be regularly refreshed and updated.