With the ever-changing status of the COVID-19 pandemic, some companies and employers are now starting the process of returning to the office. In my last blog I focused on cyber security concerns and considerations as a result of a much larger remote workforce, remote education, and ultimately, our everyday way of life being online. We now need to look at the other side of this unprecedented situation with the challenges of returning to in-person or hybrid work.
As terrible as the pandemic has been, it forced businesses and technology to innovate and develop new concepts and ways to operate, or even continue to exist. One of the main concepts that came out of all this was a “Work from anywhere” principle that has drastically changed how companies run day to day. With no ties to a physical office, there has been a surge in people relocating to where they want to live, instead of where they would traditionally have to live in relation to a physical office. Outside of this new remote working arrangement, many businesses are also considering and implementing a sort of hybrid model where a mix of remote and in-office arrangements may be permanent. There is no substitute for in-person interaction for many business scenarios, but the industry learned that there are a lot of other areas that can easily be productive in telework environments.
So what should businesses do as they transition to either full-time onsite or a more hybrid model? Every company and business needs to perform a risk assessment of its returning employees and assets.
One of the first and foremost things companies and businesses need to do is bolster communication. Companies and employers need to make sure to communicate new policy changes to employees, suppliers and their customers. This includes education programs that re-emphasize cyber security responsibilities and practices. You need to be certain that all business execution, especially pertaining to security, is ingrained in your workforce. Even simple things like password changes and backing up data make a difference. Two-factor authentication is another tool that can help support the security of your company and business when implemented correctly. Employers need to ensure that employees know how to use these mechanisms correctly and within company policy. Other more complex changes, like implementing Data Loss Prevention (DLP) systems, DMZs, VPNs, and web portals, should be explained in an accessible manner to the workforce. Explain why changes are in place and why and how employees should use them. This also includes collaboration services like video conferencing, wikis and messaging/project management systems that have been critical during this time.
The next thing companies need to do is verify they are in full control of all company assets. For example, many businesses issued company laptops, computers, phones, etc. to enable their remote employees to keep operations running. All of this equipment needs to be tracked, inventoried and accounted for as there is a very strong chance that it contains critical and sensitive company data. For employees coming back to the office full-time, perhaps this mobile work equipment should be returned and/or repurposed for in office use only.
If these assets will continue to be used in the same capacity as they have over the last year, companies need to verify and ensure that the cyber security posture of these systems is solid, given the added risk of their not always being physically under company control. Rather than managing remotely, which I highly advise against, have employees bring in company equipment for updates, patching, or even re-imaging on a regular and frequent cadence. Make sure all IT assets and systems are fully patched and scanned before they are brought back into the company infrastructure and allowed to interface with business systems. Another important element to consider is encryption of mobile company assets. Laptops, tablets and smartphones especially are at risk of loss and theft. How much business data and information could be on these devices, and what would be the impact to your company if this data made its way to your competitors or even the public? Encrypting these devices leaves this data unreadable to anyone without the key to decrypt them.
These systems should be scanned for configuration compliance as well. For example, remote work systems often allow the employee to connect into the actual company intranet through a VPN, but that means these systems first connect to a public or private home network. Businesses need to analyze these systems as soon as possible. Did your employees install programs not approved by your IT department? Even programs installed in an individual user’s home directory could pose a threat.
Another popular technique used during the pandemic was allowing and implementing BYOD (Bring Your Own Device). It is highly recommended that businesses either stop the BYOD practice or implement protection mechanisms if they have not already. For example, when my kids were in remote school, we had a mix of school-issued and personal Chromebooks. Both types worked exactly the same way, as school access and work were managed by the district through a school district account/email address. Once the year ended, the school reclaimed the district computer assets and disabled the school accounts. Our personal Chromebooks were still usable for personal use, but district access had been remotely disabled. This is just an example of one way companies and corporations could manage BYOD situations. There are many others that support multiple types of systems; however, the best solution is to provide company-managed devices with appropriate protections.
There are also considerations for employees themselves as they return to the office, many of which relate to the items discussed above. Cyber security in this new age of remote work puts more on the employee too.
First and foremost is the question: Did you have to use your personal equipment for work? If so, you should clean up the company data, sanitize the device, and migrate to company-owned assets, systems and infrastructure as soon as you can (if you can). The main reason is liability concerns. Most home offices and networks do not implement the same security rigor and investment as corporations. It is highly recommended to replace personal equipment with company assets as soon as possible. However, if you are in the category of people who are in a hybrid remote or even permanently remote working situation, you need to evaluate the security posture of your own equipment and systems. Update the security of your home network if you have not already. This means everything from anti-virus software on your computing devices to the security and hardening of your home network, from your router to even your Internet of Things (IoT) devices like smart TVs, speakers, home automation, etc. All of these things pose possible risks to your personal network and devices, and to the company you work for when you use your home network.
If you’re in need of assistance to create and implement new security protocols or an evaluation on your existing cyber security, aJuxt can help. Let us bolster your network with our network of security professionals.
Written by Seth Hellbusch || Site Security Specialist