Back-to-office security: what you need to know
As the Covid pandemic eases across the world, employers are considering the return of their workforce to the office. As a recent report from Accenture illustrates, the dominant thought at the current time is that some form of hybrid setup will become the norm, with employees sometimes working from home, sometimes from the office, and sometimes from third places, such as cafes or co-working spaces. Each of these options raises a number of cybersecurity considerations for employers and employees alike.
Let's start with so-called third spaces, which, as a recent study from the Business School (formerly Cass) illustrates, are increasingly valued by employees as places where they can work close to home without being as isolated as they would be working at home alone.
If you're in a cafe or other public space, the public WiFi often provided is the first security risk you expose yourself to. It's tempting to think that a network that requires a password will keep you secure, but even this won't protect you from other people on the same network. Using your phone's data plan is a good way around this, and if you couple it with a VPN then you can be relatively confident in your security.
While we might expect better from a paid third place, such as a WeWork, this should not be taken for granted. For instance, news recently broke about hacks at a WeWork as a result of the open WiFi network used on the site.
Sadly, we can't take for granted that the situation will be any more secure at a WeWork than in your local cafe, so many of the same rules apply.
There are also some basic cyber-hygiene practices you can develop, such as disabling any automatic connections to available networks, using firewalls and network monitoring software on your devices, ensuring you use two-step authentication on all business-critical applications, ensuring your passwords are robust, and never leaving your device unattended.
Back to the office
And what if you’re heading back to the office? Here, it’s important that cybersecurity managers adapt to the new realities of work. For instance, it’s important that hardware inventories are updated to account for the wide range of new devices people will have been working with during the pandemic, whether that’s their personal laptops and smartphones or even webcams and printers.
Given the rise in video conferencing, it’s quite likely that workplaces will have invested more in dedicated conferencing tools. An updated inventory will be vital to keep track of the devices in use across the organization and ensure they’re kept secure.
Managers might also want to consider introducing specific controls for the new wave of chat and collaboration platforms, such as Slack, Zoom, and Microsoft Teams, that have come to the fore during the pandemic.
If a hybrid workplace is the new normal then these tools will continue to be hugely valuable, and it’s important that security teams develop robust oversight controls for these tools that are consistent regardless of whether participants are using them on-site or remotely.
Security teams should also consider updating their cyber risk register to properly account for the new threat landscape posed by a remote or hybrid work environment. The risk register provides a vital baseline that determines how the organization will respond to the cybersecurity challenges it faces and needs to outline the risk tolerance thresholds that will be adopted on-site, in dedicated third spaces, public third spaces, and at home.
Digital hygiene skills
There are, of course, also things that individuals can do to ensure they’re secure as they return to the workplace. For instance, phishing has been one of the most common forms of attack during the pandemic as hackers sought to capitalize on the fear and uncertainty caused by the virus to get victims to download various malicious files and attachments. Hopefully, organizations will have trained staff on good digital hygiene, but if not, reminders about things such as not sending passwords to other people and not clicking on attachments from unknown sources or links in unexpected emails can do wonders in reducing the risk of phishing.
If employees are returning to on-premises devices, it’s also important that they practice good password hygiene.
After all, it’s quite possible that they have forgotten the passwords used on these devices after such a long time away. If passwords are being reset, it’s vital that employees are reminded of best practice for secure passwords, whether that’s the creation of the password itself, not having it visibly on display at their workstation, or not sending it to colleagues.
There will also be an inevitable transition between personal devices and work devices that may require files to be transferred between the two. Encouraging employees to zip files up and place them on an encrypted USB drive is perhaps the best approach to take and is preferable to having employees email files to themselves.
Lastly, as employees may have spent eighteen months working from home, they may have forgotten habits around things such as clean desk policies. Insider threats are a major source of cybercrime and clean desk policies are an effective way of ensuring that sensitive documents or devices don’t fall into the wrong hands. It’s important to remind employees of their responsibilities as they return to work.
Regardless of whether the workforce will be fully on-site or a hybrid of on-site and remote work, organizations should be preparing for the transition as we speak to ensure that it not only goes smoothly from an operational perspective but also that cybersecurity isn’t compromised.