
By William Thackray
Hybrid working has quietly fragmented data governance in financial services — here’s why the compliance risks are harder to spot than a cyberattack.
Hybrid working has become the default model across much of the UK’s financial services sector. For firms managing sensitive client data, regulatory obligations, and audit trails, it has raised a set of operational challenges that extend far beyond productivity gains or employee satisfaction. What initially appeared to be a flexible, modern way of working has introduced risk in ways that are increasingly difficult to detect until something goes wrong. Data is no longer contained within a single environment or system; it flows across devices, networks, and applications, many of which aren’t even within the company’s control. And in a sector governed by strict oversight and accountability, this is an incident waiting to happen.
Expanding regulatory pressure
With the Financial Services Authority (FCA), General Data Protection Regulation (GDPR), and other industry-specific regulators, financial services firms have a dense framework of regulatory obligations to deal with, all of which work under the assumption that the business can demonstrate control over its data: who can access it, where it is stored, and how it is used. Hybrid working complicates this. With employees accessing systems from personal devices, connecting through unsecured networks, or relying on unofficial tools to maintain productivity, companies face a continuously changing threat to governance. And with new requirements to maintain full audit trails, enforce least-privilege access, and ensure that sensitive data is protected regardless of where work takes place, the pressure is mounting, making the growth of shadow IT an even more pressing problem.
The rise of shadow IT
The use of shadow IT – tools and systems adopted by employees without formal approval – has grown in correlation with hybrid working. Employees find practical solutions to annoying sticking points in the form of file-sharing platforms, messaging apps, or personal cloud storage accounts, helping them to work more effectively. But while useful in the moment, this introduces significant compliance risks, whether through a lack of encryption or a failure to log access. Meanwhile, unmanaged tools, such as laptops, tablets, and phones, open up further unsecured entry points, leaving the company at risk.
The risk of information drift
But the risk isn’t just from blatant cyber-attacks; information drift can be equally damaging. When data is copied, shared, downloaded, and re-uploaded across multiple platforms, fragmentation occurs. In a traditional office-based model, you have data governance frameworks that control and standardise data management and movement. In hybrid working, you will find documents that exist in multiple versions across different platforms, which makes it impossible to know which is current and accurate, dramatically impacting both productivity and efficiency. But more than that, it causes auditing difficulties, because companies cannot demonstrate that data controls exist and are consistently applied.
Confidentiality risks
Client confidentiality is another area that hybrid working can potentially compromise. If you don’t know where your staff are working, you don’t know who is seeing your data. Unsecured Wi-Fi, shared devices, or devices momentarily left unattended can mean that client data falls into the wrong hands. And this risk increases with each new hybrid worker and each new device added to the network.
If you are not actively managing your endpoints and access controls, you’re not only exposing your business to risk, but you’re openly flouting regulatory compliance.
So, what can you do, if you want to keep the benefits of hybrid working without further exposing your company to risk?
How to build security resilience in a hybrid workplace
The next step now for financial services firms is not to pull away from hybrid working, but to adopt new governance models that match the current reality. This means taking a data-focussed approach to compliance and security.
First, you need to gain full insight into your data ecosystem. This means identifying where sensitive data is stored, how it moves, and who has access to it. That way, you know what you need to prioritise in terms of protection, and where you need to enforce greater controls.
Second is access management. Least-privilege principles have become the gold standard of access management, along with continuous monitoring. This ensures that users only have access to the data they need, when they need it.
Thirdly, endpoint management has to extend beyond company devices. If that means providing dedicated work phones and tablets that can be managed and monitored, it’s a sound investment to prevent staff finding their own solutions and to increase in-house visibility.
Policy, culture, and accountability
This isn’t a problem that can be solved by technology alone. To protect your company, governance, culture, and accountability must all be addressed. Employees need to understand not only what is expected of them, but why it matters. And for that to happen, you need to provide guidance on the use of approved tools, secure data handling, and the risks of shadow IT. Training should be ongoing and tailored to the realities of hybrid work. And accountability must be clarified. This means assigning ownership for data governance, monitoring compliance, and responding to incidents, providing clear lines of responsibility so everyone knows where they stand.
Hybrid working is becoming the norm. For financial services firms, this means that compliance strategies must change accordingly. The risks introduced are not temporary, and you can’t afford to treat them as such. It’s time to recognise that structural, operational, and procedural change is needed. And to understand that if you fail to make those changes, the exposure could be greater than you can afford. It won’t necessarily come in a big act of drama, but rather as a gradual accumulation of problems that only become visible when it is too late.
About the Author

William Thackray is Operations Director at AGT Computer Services, a North West IT support provider that keeps businesses running smoothly, and their stress levels firmly in check. He’s spent years helping businesses get more out of Microsoft 365, and build IT setups that actually work the way they should.

