Taking aim at workplace tech

There's no doubt that constant technological advances are changing the profession and the way we do business. But are all these transformations at the office a blessing or a blight?

Last July, an employee at Manning Elliott, a Vancouver-based accounting firm, innocently clicked on an email link. It didn’t seem like a big deal at the time; billions of people all over the world are clicking links in their email right this second. But this link, it turns out, wasn’t so harmless. In fact, within minutes, the organization’s entire network completely shut down. “We couldn’t access our clients’ files,” says Paul Leedham, a partner at the firm. “We couldn’t do anything.”

One seemingly innocent click had unleashed ransomware that encrypted all of Manning Elliott’s documents, essentially holding them hostage. In some cases, hackers request money before releasing the files, but Manning Elliott chose to re-establish files from its backup server.

It took the firm’s IT department three days to go through the files, recover data and overwrite the system. “It was crippling,” Leedham says. “We thought our backup plan was sufficient. It wasn’t.”

Cybersecurity is just one of many tech-related troubles facing firms at a time when our dependence on all things automated is only increasing. The promise was that technology would make our work lives easier — we’d be faster, more efficient, effortlessly productive and pad our bottom lines with savings. The reality, though, is that while technology is most definitely changing the way we do business, it isn’t always for the better.

Not only does the constant threat of being targeted by cybercriminals take up valuable time and resources, but there are also the day-to-day issues of lost productivity, such as when employees are led astray by digital distractions. Last October, TeamLease, a human resource service company in India, released its World of Work Report and found that employees spend an average of 2.35 hours accessing social media at work each day. Meanwhile, a single inappropriate tweet can instantly tarnish the reputation it took a company years to build. Take restaurant Chipotle’s Twitter catastrophe in 2015: hackers took control of its account, changed the Mexican-grill chain’s avatar to a swastika and sent a slew of hateful tweets — including racist messages and anti-American-government rhetoric — to hundreds of thousands of followers. “We apologize for the very offensive messages sent out from our account earlier tonight. We were unfortunately hijacked temporarily,” the company’s official fewer-than-140-characters apology tweet read.

Even email, designed to streamline communications, isn’t everything we’d hoped it would be. Research from the University of California found office workers get interrupted about every 11 minutes by both human and digital distractions. One of the biggest culprits is email. Whenever a message pops up, people feel compelled to stop what they’re doing to respond and, once they are interrupted, the study, presented at the Conference on Human Factors in Computing Systems in 2008, found it can take up to 25 minutes for them to get back on task.

But perhaps the biggest problem with technology at the office is the pace at which it changes. “It’s crazy, and getting crazier,” says Susan Hodkinson, chief operating officer of Crowe Soberman, a national accounting and advisory firm in Toronto. “Every year we do a debrief on how we’ll do things the next year, but the pace of change is so rapid that we don’t even know the full range of technology-related issues we’ll be facing. A heck of a lot of stuff can happen in 12 months.”

Still, she says, the secret to success at work in the digital age is learning how to adapt and evolve. “As accountants, we like stability. But we need to keep up with efficiencies driven by technology; we can’t be left behind.” What’s more, it’s important to understand how technology can help — and how it can hinder — your business. Here’s what you need to know to navigate some of the biggest technological challenges firms are facing now, and what we’re in for in the years to come.

DIGITAL DISTRACTIONS

Whether it’s due to concerns over privacy, or simply to avoid the inevitability of time frittered away on Facebook, it’s not uncommon for firms to monitor their employees’ computer use — some even ban access to social media. “These days it’s tough to balance privacy with security, but it’s imperative,” says Kimberly Connors, EY Canada’s IT Advisory Leader. “I think our expectations of privacy have shifted considerably, and now the best approach is to assume anything touching the Internet could leak and proceed from there.”

Last year, Pew Research Center, a fact tank based in Washington, DC, released a report that found 77% of workers use social media regardless of whether or not their employers have a policy in place — 34% use it to take a mental break from their jobs and 27% use it to connect with friends and family. (The TeamLease report found Facebook is the social media platform employees access most.)

Until about three years ago, employees at Grant Thornton couldn’t access social media from their work computers, but that didn’t stop them from logging on with their own devices. The firm eventually decided to allow access. “People want to be connected and to know what’s going on in the outside world,” Florio says. “I haven’t noticed my team not getting its work done since we stopped blocking access.” He adds that preventing staff from using Facebook, Twitter, LinkedIn, Instagram, etc., could create an environment of mistrust. “People don’t like to feel that something is being withheld, especially something everyone else in the free world has access to.”

At GGFL, a tax planning and accounting firm in Ottawa, social media use is both watched and encouraged. “We have the ability to monitor everything, not just social media,” says Margot Sunter, the firm’s chief operating officer. “Though we don’t have great concerns, it’s true that with today’s technology Big Brother is watching. We try not to remind everyone technology has built in ways to trace their activities. We wouldn’t use it to measure performance or to invoke punishment. If we have concerns, we’ll pay more attention.” Still, she says, the key is educating employees about social media use. “We encourage staff to use social media and spend time teaching them how to engage with it so we can get the message out about the work we do,” she says. “We’ve got voices that can greatly amplify our message and we encourage them to do that.”

Encouraging social media to help with branding is a tool not enough firms are taking advantage of, says Lindsay Smith, a technology expert in Vancouver. (The Pew report found 24% of employees use social media to support professional connections.) “It’s important for organizations to embrace social media as a way to interact with key stakeholders,” she says. “It’s not just about putting a logo out there; it’s about showcasing the personality of the company.” Social media is another place to have a conversation; you just have to make sure employees are aligned with the business voice and message. Smith recommends teaching your team how to be articulate on social media. “Something will make sense in your mind when you’re typing, but if 10 people were to see your post, each one might read it differently. It’s important to think through how others might read it and ask yourself how it could be perceived.”

Although the majority of social media blunders can be prevented with a sound policy, the problem with many policies is that they focus on the punitive, says Hodkinson. “It should be less about what the consequences will be if you do something wrong and more about how to be a good social media citizen.” You can fire someone after a misguided tweet, but once it’s out there, it’s out there. “People need to understand the implications of what they do on social media,” she says. As a rule, Crowe Soberman doesn’t monitor social media or block access, and the only time the firm had an issue with personal media access was during the World Cup, when everyone’s Internet suddenly slowed down. “We did have to intervene a little that time,” Hodkinson admits. “It was just like, ‘OK, guys; we don’t have enough bandwidth for 100 people to be streaming the game on their computers.’” Yes, the Internet can be a time waster, but it’s also a stress reliever, she says. “Running around trying to catch people doing something wrong will get you a whole different level of behaviour, but if you treat people like the sensible professionals they are, they will act that way.”

TRACKING TEAMS

Monitoring social media use is one thing, but some organizations are taking employee surveillance to a new level. Some businesses are now using sentiment-analysis software to gauge their employees’ emotional states at work, trying to determine whether anyone’s disgruntled or thinking about resigning. Donna Flynn, vice-president of Workspace Futures at Steelcase in Michigan, says that eventually spaces will be able to support workers physically and provide feedback to employers. They’ll be able to track how spaces are being used, and better adapt the physical space: lighting brighter or dimmer, background music on or off, signal a break for teams co-creating, etc. “Technology is increasingly becoming embedded in the physical workplace,” Flynn says. “Office spaces themselves will soon be able to provide employee information directly to organizations.”

Steelcase did a study to determine how employees might feel about personal data privacy and tracking — and discovered a surprising degree of trust. “The majority of people trust their employers, and think it would be OK for team members to track them, as long as it helps them achieve their goals at work or improves their relationships with their colleagues and managers,” she says. The secret, she says, lies in transparency and ensuring employees know why the data is being collected and how it will be used.

CYBERATTACKS

When the so-called “cyber apocalypse” hit more than 100 companies in May, there was a lot of hand-wringing over how easily organizations, from hospitals to major corporations, had allowed their security to be breached. The “WannaCry” ransomware virus spread through email, looking for holes in software security. It forced emergency room closures and cancelled surgeries, and it could have been prevented if the right protective measures had been in place.

After the breach at Manning Elliott, the firm made significant changes. “We strengthened our business continuity and streamlined our backup system, making it every 12 hours from every one to three days, so we can get up and running faster if something happens,” Leedham says. The firm also hired outside consultants to fortify its defences. Although it has yet to execute it, the company put a phishing program in place to gauge what team members will do in the event they’re targeted, helping Manning Elliott establish its susceptibility to future breaches. (Phishing is when you receive an email that appears to be from a familiar individual or business, but isn’t.) “These links often look legitimate and it’s really hard to tell,” says Leedham. The company is now routinely reminding all its staff to be more skeptical and to question the validity of emails before opening them.

David Florio, business risk partner with Grant Thornton in Toronto, leads a team that helps clients understand the cybersecurity risks their businesses face, as well as how to minimize them. He recommends conducting regular vulnerability scans and hacking tests, as well as instituting formal security awareness programs. “A lot of firms don’t do this,” he says. “But everyone at the firm should know to check with IT before they open an attachment or click on a link that doesn’t seem quite right.”

In February, EY’s Global Information Security Survey found that 61% of Canadian companies that responded have had recent cybersecurity breaches, and 60% said that control or process failures led to the most significant incidents. (Employees opening malicious phishing emails accounted for 43% of the breaches.)

Florio recently performed a test for a client in which his team was able to penetrate the firm’s network, access its email server, track passwords and send an email to 100 people in the organization. The email appeared to come from the chief executive officer, and asked that employees open an attachment and follow the instructions provided. “It was something the CEO would never ask,” Florio says. Still, 58% of employees opened the attachment and followed the instructions. “We got a ping every time,” Florio says. “It just shows why security awareness training is so important. People need to know what’s expected of them in order to maintain a human firewall against potential security issues.”

Ray Vankrimpen is a partner at Richter in Risk, Performance and Technology Advisory Services in Toronto. He too has heard it all before. Sure, spam filtering helps to a point, but he says education is an important part of creating a culture of security awareness. “A common mistake people make with respect to security is that they assume it’s just a technology problem. Partners and staff should know that cyber threats are a business problem and that people play a key role in reducing them.”

One way to establish what Vankrimpen calls “basic cybersecurity hygiene” is to give people access only to the systems and data they need to do their jobs, and to restrict user installation of applications (called whitelisting). Firms should also ensure that the operating system is patched with current updates and that software applications are updated as well.

But what happens if your firm is attacked by a malware virus and the defences don’t hold? Florio tells his clients not to pay the ransom. “There’s no guarantee you’ll get your files back, even if you do send the money,” he says. Instead, it’s better to involve the authorities, determine where the breach originated and address the problem. “If your system is backed up on a daily basis — and you’ve tested your data retrieval system so you know it works — then at worst you’ll only be a day behind.”