Security Think Tank: Returning workers to the office: Is your security posture up to date?
This article was first published in Computer Weekly
With Covid-19 restrictions easing, offices are welcoming back remote workers this summer, bringing with them their notebooks and mobiles, and creating an endpoint management headache for CISOs. What do security teams need to account for to protect their returning office workers?
Home working for UK office workers began at scale in March 2020, with formal guidance that employees should work from home wherever possible. For many, that was the last time they visited an office. Since then, guidance has varied in response to the changing level of threat, but until recently, very few organisations had returned staff to the office in large numbers.
As the plan for all adults to have been offered a vaccination by July 2021 gets under way, most organisations are starting to make arrangements for staff to return to the office in some capacity. With hybrid working (splitting time between office and home) on the rise, it is clear that the workforce is once again on the brink of significant change.
Much has changed, and that could catch out security teams that are planning to carry forward their pre-pandemic security arrangements. This is because the new ways of working further increase information security risk.
The key changes to take into account from an information security risk perspective are:
- Even more variable working patterns. We have grown accustomed to a far higher level of flexibility, which typically means a greater range of working locations and working hours. A hybrid model will increase complexity further, with some employees based in the office and others working from home. Hackers will undoubtedly exploit this confusion further through phishing-type attacks.
- New ways of using collaborative technology. With a hybrid approach, in which some people are in the office and some are working from home, the way in which we use collaboration technology will change. We will see greater use of such technologies to ensure that those working from home contribute to physical meetings in the office, and this can create new challenges in terms of authentication. When all attendees are contributing in a virtual meeting or are all physically present, there tends to be much greater focus on checking who is joining, but in a hybrid environment, people’s guard can lower and it’s just not as easy to verify attendees.
- New colleagues. Most of us will be collaborating with people that we meet for the first time in person. During that period, there is a greater risk that unfamiliar faces in secure workspaces go unchallenged.
Security arrangements revisited
An effective cyber security team will recognise that risks change over time and, as a result, will make changes to the security controls that are in place. Large numbers of staff returning to the office, while others continue to work from home, is a significant change and one that will require a well-coordinated response.
In practical terms, there are a number of areas that can be tackled right now. Security teams should:
- Ensure that monitoring use cases reflect the new normal. Security monitoring capabilities typically require a baseline for normal business activity that is part taught and, in the case of the more sophisticated artificial intelligence (AI) offerings, part learned. As the normal changes again, particularly for hybrid workers, security teams should ensure that their monitoring capabilities are recalibrated accordingly.
- Move data inside the corporate boundary where possible. The corporate boundary can be thought of as the perimeter within which the security team can exercise control. This might be through hands-on access to applications or infrastructure or, more commonly in the case of the cloud, through supplier-level agreements. Security teams should review the movement of data as well as any third-party services to ensure appropriate arrangements are in place, perhaps moving from free offerings to premium versions if doing so offers a higher level of assurance.
- Update the endpoint inventory. Now is a good time to ensure that endpoints are still in the possession of employees and that no devices have gone missing. Where appropriate, this could include a physical audit. Devices that cannot be found should immediately have their access revoked and be remotely wiped if possible.
- Treat extended home working as a specific risk. Home working in itself is a source of risk and the fact that it will continue at scale for many organisations cannot be ignored. Specific guidance to staff on what secure home working looks like, alongside consideration of risks that only occur in the home environment (such as printing to personal devices), is essential.
- Step up personnel security. During a period of change, it is important to remind staff to be vigilant. Tailgating is still the easiest way for an intruder to enter your premises and a large number of new faces will make this far less obvious.
As we enter what might feel to many in the developed world like the home straight, it is clear that organisations are about to go through another period of change. In security terms, change often brings risk, and it is important to ensure that those risks are understood and that adequate steps have been taken to mitigate them.