Like so many companies, Atos had to respond almost overnight to drastic changes in our workforce configuration due to the pandemic lockdown. Up to 95% of our 100,000+ employees had to suddenly shift to remote, home-based working. Yet compromising security and continuity of operation was simply not an option. Our customers, partners (and our own stakeholders) had too much at stake.
Happily, we have done very well. I would credit this to our employees – but of course there is more to it. Preparation, planning and best practices are the key that positioned us for the crisis that beset us. Without that ongoing effort in crisis management preparation, there would have been much more risk and potential problems.
Firstly, as Head of Group Security and Group Chief Security Officer for Atos group, I am part of a multi-function crisis planning team that includes IT, HR, the divisions and other parts of Atos. We activated our plan, which I will lay out here to share our experience.
Employee communications was a critical first step. Enforcing proper password policies and two-factor authentication is critical. Likewise, having infrastructure to enable traffic encryption and pushing mobile and remote device (laptop) security policies is also key. We made sure all our software and operating systems were properly updated to close any known vulnerabilities. On the employee side, we required use of dedicated Atos workstations, and avoiding the mixing of personal, family and work-related activities. Employees were also counseled on securing their own router and Wi-Fi network, and suggesting rules for managing internet bandwidth among other family members within the home when business interactions were in play.
We saw a marked increase in the amount of phishing email threats incoming – in particular, related to COVID-19 issues like masks, testing or other related topics. Our employees have been regularly trained to detect and avoid these social engineering threats. Given the surge in phishing, we re-doubled our communications to raise caution, and increased our internal use of “test-phishing” emails in order to help our employees recognize phishing emails.
Of course, these security issues are not unique to Atos. Our company is part of the Charter of Trust – an organization made up of heads of security from 17 large companies. We share and exchange experiences and best practices, including, for example, a working group on secure home working during the crisis. The results of this collaborative work are shared among the member organizations, their customers and made available to the general public through the Charter of Trust website.
To ensure business continuity, Atos had already established a resilient and scalable network that allowed flexible bandwidth expansion to accommodate the increase in remote working – in anticipation of some disaster or weather event where a whole country may suddenly need to work from home. Careful monitoring of network utilization, licenses, encryption and so on was necessary to ensure things stayed on track during the massive shift to home-based working.
Further, the cloud-based team communication and collaboration tools that we already had in place were ready to serve us well to connect employees, partners and customers without missing a beat. We used video where appropriate to add face to face communication, and happily, all of our employees already knew how to use these tools on both their workstation and their mobile devices.
Lastly, to gather feedback, make adjustments and identify areas for potential improvement, we have been using short online surveys pushed out to users to understand their experience. I have to say, the results have been quite positive so far, and employee productivity and satisfaction seems to be holding up well.
To summarize all this – beyond anything, effective planning and preparation is critical to maintaining secure and continuous operation in the face of a business emergency such as the current pandemic. Or, as we like to say, being “Always Ready”.