
Security Think Tank: Returning workers to the office: Is your security posture up to date?

This article was first published in Computer Weekly

With Covid-19 restrictions easing, offices are welcoming back remote workers this summer, bringing with them their notebooks and mobiles, and creating an endpoint management headache for CISOs. What do security teams need to account for to protect their returning office workers?

Home working for UK office workers began at scale in March 2020, with formal guidance that employees should work from home wherever possible. For many, that was the last time they visited an office. Since then, guidance has varied in response to the changing level of threat, but until recently, very few organisations had returned staff to the office in large numbers.

As the plan for all adults to have been offered a vaccination by July 2021 gets under way, most organisations are starting to make arrangements for staff to return to the office in some capacity. With hybrid working (splitting time between office and home) on the rise, it is clear that the workforce is once again on the brink of significant change.

Much has changed, and that could catch out security teams that are planning to carry forward their pre-pandemic security arrangements. This is because the new ways of working further increase information security risk.

The key changes to take into account from an information security risk perspective are:

  • Even more variable working patterns. We have grown accustomed to a far higher level of flexibility and that typically means a greater range of working locations and working hours. A hybrid model will increase complexity further, with some employees based in the office and others working from home, and hackers will undoubtedly exploit this confusion further through phishing-type attacks.
  • New ways of using collaborative technology. With a hybrid approach of some people being in the office and some working from home, the way in which we use collaboration technology will change. We will see greater use of such technologies to ensure that those working from home contribute to physical meetings in the office, and this can create new challenges in terms of authentication. When all attendees are contributing in a virtual meeting or are all physically present, there tends to be much greater focus on checking who is joining, but in a hybrid environment, people’s guard can lower and it’s just not as easy to verify attendees.
  • New colleagues. Most of us will be collaborating with people that we meet for the first time in person. During that period, there is a greater risk that unfamiliar faces in secure workspaces go unchallenged.

Security arrangements revisited

An effective cyber security team will recognise that risks change over time and, as a result, will make changes to the security controls that are in place. Large numbers of staff returning to the office, while others continue to work from home, is a significant change and one that will require a well-coordinated response.

In practical terms, there are a number of areas that can be tackled right now. Security teams should:

  • Ensure that monitoring use cases reflect the new normal. Security monitoring capabilities typically require a baseline for normal business activity that is part taught and, in the case of the more sophisticated artificial intelligence (AI) offerings, part learned. As the normal changes again, particularly for hybrid workers, security teams should ensure that their monitoring capabilities are recalibrated accordingly.
  • Move data inside the corporate boundary where possible. The corporate boundary can be thought of as the perimeter within which the security team can exercise control. This might be through hands-on access to applications or infrastructure, or more commonly and in the case of the cloud, through supplier-level agreements. Security teams should review the movement of data as well as any third-party services to ensure appropriate arrangements are in place, perhaps moving from free offerings to premium versions if doing so offers a higher level of assurance.
  • Update the endpoint inventory. Now is a good time to ensure that endpoints are still in the possession of employees and that no devices have gone missing. Where appropriate, this could include a physical audit. Devices that cannot be found should immediately have their access revoked and be remotely wiped if possible.
  • Treat extended home working as a specific risk. Home working in itself is a source of risk and the fact that it will continue at scale for many organisations cannot be ignored. Specific guidance to staff on what secure home working looks like, alongside consideration of risks that only occur in the home environment (such as printing to personal devices), is essential.
  • Step up personnel security. During a period of change, it is important to remind staff to be vigilant. Tailgating is still the easiest way for an intruder to enter your premises and a large number of new faces will make this far less obvious.

As we enter what many in the developed world might feel is the home straight, it is clear that organisations are about to enter another period of change. In security terms, change often brings risk, and it is important to ensure that those risks are understood and that adequate steps have been taken to mitigate them.
