Return to work

by Mark Rowe

Security worries about returning to the office are overblown, says Leigh Clark, Cyber Security Consultant at the app protection company Airnow Cybersecurity.

There’s a light at the end of the tunnel. Despite repeated lockdowns and surges, with the increase in vaccinations, a day will soon come when employees return to offices and some level of normalcy. Now, it’s unknown exactly what that will look like, or whether any two companies will even approach the post-vaccine working world the same. If you believe some industry pundits, however, whenever that happens it seems like you should expect a full-blown security Armageddon to occur. Credentials being stolen, malware being uploaded, children crying in the streets, dogs and cats living together, you get the idea – the end times.

I believe that these concerns are overblown. In fact, the opposite will happen. If we all take a step back from the ledge and recognize the great work that has been done to secure remote employees over the past year, you’ll see things are in good shape – and that the looming transition won’t be as insecure as expected. By recognizing what you’ve already done and how that will work to your company’s advantage, you’ll be able to give yourself a true guide to what you should actually spend your critical time and effort shoring up.

Infrastructure

Because of the pandemic, lockdowns, and remote work, most companies’ infrastructure is actually now more secure. There was an immediate race to enable employees to work remotely – which meant that the entire company was now logging on from home and using their home networks to conduct business. Companies couldn’t control the security of those networks, and frankly, there was little time to worry about security as many were just attempting to adapt and keep the lights on.

Over 2020, however, security teams learned to spend their time securing what they could. Making workers’ laptops and devices as secure as possible was a typical starting point. Ensuring the latest security updates were pushed out and installed (and in many cases scheduling time to take over machines to ensure they were completed) was the easiest way to protect your company. As part of this, many also took the step to remind and/or re-train employees about the proper protocols for emails and links, helping to remind them not to open emails from unknown senders or click on unfamiliar links. Malware and ransomware continue to be a problem, pandemic or not.

At the same time, recognizing that employees were logging in from their own networks, security teams across industries focused on securing the company’s resources – deciding, for example, what could be shared/saved in the cloud for employees to access, what needed to remain under lock and key on the corporate servers, what public cloud and conferencing services could be used, and what types of work still needed employees to access the company VPN.

One of the beneficial results of the remote work situation was companies quickly learned that not all traffic needed to be routed through the company. In most cases (when there weren’t regulatory requirements to deal with), video conferencing could be undertaken outside of the company’s servers. Having employees connect to customers and each other over the public internet was not a security risk as these discussions rarely had any need to be securely locked down. This acknowledgement and acceptance of a new security norm will fit well with the return of employees to corporate offices. Why tie up bandwidth you don’t need to waste?

Transition to hybrid

Many workplace thought leaders have taken another look at the way the world has been working and concluded that the public health crisis will force a change to a more hybrid model. Many employees simply will never come back into the office. Many will split time between remote and in-person. In addition, one of the underlying messages all agree on is that companies need to be prepared for future outbreaks or other public health crises that could cause a repeat of 2020.

2020, however, will have trained companies’ security teams so well that any future change will be easy to handle. With higher levels of security in place due to the change in work – and less concern about a period of remote work needing to happen (as companies and employees have already proved they can handle it), companies will be able to spend less on security preparations and reinvest that time and money in other critical areas.

What to attend to

Even though you and your team should feel good about the work you’ve already done to secure your remote workers – and how that will indeed pay off in the long run – there are some tasks you should make sure are on your “return to the office checklist.”

– Employee devices – Employees will be plugging in to the corporate network for the first time in a long time. Despite you and your team’s best efforts, there will likely still be a few who did not follow the appropriate security procedures and have ignored your update instructions. A few may not be technologically savvy and may not have known how. What this means is that a quick check of every device before they log in again may be in your best interest. Again, most should be set given your prior efforts, but all it takes is one outlier for a nasty piece of malware to get into your network.

– Email protocols – Even though it might seem like overkill to you, use the event of employees returning to the office as a reason to remind them once again of the proper protocols for opening emails and clicking on links. Having worked from home for so long, some employees may have gotten into bad habits and let their vigilance slide. This is the opportunity to put a stop to that. Many of the worst breaches have started because of human error – in fact, recent research shows that 92% of malware was delivered by email last year.

– Use of public cloud – Set firm rules over use of public cloud technologies. What documents can be shared and uploaded to public drives – and which cannot? What video conferencing tools can be used? There was a lot of leeway given to employees early on in the pandemic and lockdowns. Now is the time to reel this in as needed. Again, remember that not every document or every piece of traffic needs to be locked down – but it’s your responsibility to delineate which ones do, so that there are firm guidelines. Be clear and consistent. Critical company and client information should be protected, and there should be no question as to what counts as critical.

– Replace old gear – Review employee devices and laptops, as well as your own hardware. Replacements were off the table for many companies in 2020. This is an opportunity to update anything that’s outdated and may be a security risk, budgets allowing.

When it comes down to it, if you’ve been doing your job as a security professional the past 12 months you shouldn’t need to worry that suddenly the world will come crashing down when there are employees working in a physical office again. In fact the hard work and trial by fire you just completed will serve you and your company well as the future ways we work continue to evolve.


© 2024 Professional Security Magazine. All rights reserved.
