Best strategies for dealing with furloughed user mailboxes in Office 365
IT departments the world over have been relied upon heavily to keep their companies operational during the coronavirus lockdown: setting up secure remote working facilities, commissioning laptops, delivering Office 365 and Teams support and training, and more.
Now the subject of furloughing staff has reared its head, and again, IT teams will be helping their company tread the challenging path of ensuring business security and continuity, while dealing with this sensitive situation during unprecedented and challenging times.
So, what exactly is furloughing?
For many, this may be the first time they've come across the term, but hopefully this dictionary entry explains it:
Afurlough (/ˈfɜːrloʊ/; from Dutch: verlof, "leave of absence") is a temporary leave of employees due to special needs of a company or employer, which may be due to economic conditions at the specific employer or in the economy as a whole.
A key aspect of furloughing is organisations that cannot maintain their workforce because of the impact of the coronavirus can apply for a government grant that covers a percentage of their employees' wages.
In this article we are not providing advice on the legalities of furloughing.?That's one for your legal and human resources department.
We do, however, want to share with you what we consider to be best practice in IT terms: setting out what's possible, pointing out potential pitfalls and indeed highlighting some opportunities for making the best of this situation.
So let's kick off with the foremost question we are encountering from IT teams needing to support this activity:
Should furloughed staff have their accounts disabled, or can we still allow them to check their e-mail intermittently?
Your HR department may take the stance that staff need to have some way to receive updates from the company and therefore want staff to maintain e-mail access.
Enabling staff to continue to use company devices to stay in touch with friends and relatives while on lockdown may also be your company's stance.? And, in any event, arranging for staff members to return company-owned devices is currently not practicable.
Is this OK? Well, no.
We have already seen examples of furloughed staff that still have access to company e-mail for external communications -?even though they have an out of office message to the contrary.??This should not be happening.
The nature of furloughing is such that users?should not do any work?for your company during the furlough period, and that means not even checking e-mail or taking calls.
Therefore, where possible, when a staff member is furloughed, you should:
* Immediately block their accounts from signing in on Office 365. If you are in a hybrid environment, you should reset their on-premises AD user password to avoid Azure AD sync delays.*
* Set up an out of office message with a short explanation and alternative contacts (your HR department should advise on the most appropriate content here).? You might also set up an auto-forward.
* Block access (eg, change passwords) to any other shadow IT or systems (eg, VPN) they use to do their job.
* Re-route calls (if this capability is in your domain)
* If possible (eg, using MDM and InTune) decommission work-related devices, including laptops and phones.
*A tip here is to add the relevant users into one or more groups and apply a Conditional Access Policy that reflects the controls you want to put in place.
This may seem a hard-line approach given the circumstances, but here are some facts:
* The government requires ?evidence?that a furloughed member of staff is not working, If furloughed staff still have access to their systems, well-meaning individuals may find themselves responding to requests and by doing so could inadvertently compromise your company's ability to make a claim. Being able to prove that a staff member has been properly furloughed is a good deal easier if you can demonstrate that you have closed their account.
* As a company you have a responsibility to protect the security of PII and other confidential information. For example, if you have ISO 27001 certification as a supplier, you will have needed to put in place a series of technical measures, business controls and management processes.?This includes disabling staff accounts where a user has been granted extended absence.
* Cyber crime has increased due to the coronavirus outbreak. And sadly, phishing attempts linked with furlough payments are taking place.? It goes without saying that furloughed staff will be at heightened risk of being caught out by such scams, which in turn could compromise your corporate security and finances.
* Video conferencing apps such as Zoom and Houseparty have become a top download for connecting people socially, but are reported to have vulnerabilities and suspect data privacy policies that could be used to hack logon details, etc.
How can we keep the flow of information if we've closed down users' access?
During the furlough period, it is important to have a mechanism for keeping staff informed of any changes in furlough status or instructions relating to making claims.
This ideally should be done using a personal e-mail address.
The other communications we recommend should be added into this mix include:
* Reminders of their obligation with respect to your acceptable usage policy relating to use of e-mail and the Internet on company technology, along with the importance of protecting PII.?This will be doubly important if it is not possible to decommission or wipe their devices remotely.
* Content on the importance of staying safe, avoiding phishing attacks and malware.
Additionally, communicating anything that contributes to the mental well-being of individuals, especially given the stressful nature of the current situation, is a great idea.
To provide a platform for supporting effective communications, aside from sending e-mails to personal accounts, don't forget you also have the option to use?Teams Guest accounts.
To support this approach, the Cloud Essentials team is offering its customers an at cost service that enables them to:
E-mail the affected staff members with a link to a secure SharePoint form that includes:
* Communicating key information regarding the furlough situation.
* Getting acceptance of terms and conditions relating to ceasing access to their regular account and accessing Teams as a guest.
* Collection of personal e-mail addresses (with checks to ensure the e-mail address is valid for accessing Teams; eg, Gmail, Yahoo, etc).
* Taking staff members through an authentication process (which also links their personal e-mail address with their business e-mail).
The latter step is important as it enables department managers and HR to keep accurate track of activities at a later date.
This brings me onto another interesting aspect of the rules relating to furloughing and the opportunities around keeping staff supported and motivated during this period.
Can a furloughed employee do training?
Yes - as long as this does not involve providing services or generating revenue for your company.
In fact, companies that use this time to invest in staff training (and perhaps acquiring new skills that will be more relevant in a post-coronavirus world), have the potential to 'hit the ground running' when they return.
For example, the Microsoft-recommended LMS365 solution is a learning management platform designed specifically to work with Teams (including Teams Guests accounts) and is a great way to keep staff engaged and make them feel connected and supported.? There are also cyber safety and mental health benefits to be gained.
Can we reduce our Office 365 licence costs while furloughed staff are not using their accounts?
The idea with furloughing is that it is a temporary arrangement, and workers will one day be able to return to their jobs.
You've probably purchased licences through a partner or as a volume licence purchase, and as such won't be able to remove the licence from your subscription until your commitment is completed anyway.
Even if you can change your licensing on the fly, in all honesty, the hassle factor of trying to save licence fees using inactive mailboxes or shared mailboxes as a mechanism to preserve (and then later restore) a user's data during this period will not be worth it.
We have always acknowledged that IT teams find themselves caught up in very sensitive legal and HR issues.
For example, we speak with many IT staff members who tell us they are being asked to help search and retrieve content that is of a privileged or sensitive nature in response to eDiscovery requests -?largely because the platforms being used to store data have overly complex eDiscovery facilities.
Thankfully, Microsoft is shifting the problem by providing services like the Compliance Centre, that is enabling non-technical staff to implement controls.
But, for the time being, we need IT teams to support the furloughing process: acting in an advisory capacity based on their expertise in over-arching issues such as security, perhaps automating the process and using facilities like Teams Guest accounts to make things easier, and in some respects being prepared to tear up the rule book given the extraordinary circumstances surrounding this situation.? We wish you all the best.