This week’s blog features an article from our partners at Sophos: “3 Ways Businesses Can Leverage Returning to the Office for Overdue Security Upgrades” by Chester Wisniewski.
It has been a long, trying and bizarre year of working from home and Zoom fatigue. But with the growing pace of vaccinations, we’re about to turn the corner on another encouraging COVID milestone: returning to the office.
At long last, we’re finally about to return to a piece of that “normal life” most of us have been craving for the past year. And that is certainly something to celebrate and look forward to. At the same time, it will require thoughtful preparation and forward thinking – and not just because of the virus, but because of the state of workplace cybersecurity.
Last year, businesses around the world had to make a very abrupt, unplanned decision to shift most if not all of their workforce to remote work. While working from home has been a perk at many companies for years, the scale and speed of this transition to across-the-board remote working took everyone by surprise. Most companies didn’t have a pandemic contingency plan for wide-scale office shutdowns, and much of the IT and security infrastructure around this new status quo had to be invented on the fly.
Issues like whether there would be enough VPN capacity to support all employees remotely, whether software updates could still be applied to work machines on home Wi-Fi networks, and whether every employee had a work laptop to bring home in the first place went from questions that hadn’t been asked before to suddenly business-critical matters.
While many organizations were able to quickly piece together a remote workforce IT strategy, few, understandably, ended up following ideal approaches such as zero trust networking or secure access service edge (SASE) for minimizing security risk.
So as we return to the office and begin to reintegrate devices that had previously been out of reach of management tools, here are a few measures that IT teams can adopt to ensure that a “return to normalcy” doesn’t also mean compromising on security – and to the contrary, how to leverage it for maximizing some overdue security updates.
Deploy a quarantine local area network for updating and cleaning employee devices
Many businesses were unable to continue regular (and forced) installation of updates for their employees’ work devices while they were remote. Consequently, there may be a significant number of laptops and other connected devices that will be re-added to the company Wi-Fi without having been updated in weeks or even months. As we emerge out of quarantine, ironically, a different kind of quarantine may be a crucial measure here.
Many employees have likely shared their work devices with their children or families at some point over the past year, perhaps for virtual learning. More users on one device means more potential for exposure, depending on the sites they visited or the programs they downloaded. Couple that with the fact that many employees may not have been vigilant about applying the latest application updates or operating system patches, and these devices may be returning to the company network with widely varying levels of inherent security risk.
Restricting returning devices to a dedicated local area network (LAN) where they can be safely updated, away from everyone else, ensures that when they finally join the larger corporate network they do so on an equal footing. In practice that segment should allow only the traffic needed to bring a device up to date (update servers, the endpoint management agent, DNS) and nothing toward the rest of the corporate network, so an out-of-date or infected laptop cannot reach other hosts before it has been patched and scanned. Think of it like a vaccine rollout, but for your work computers.
Conduct an audit of the software your employees have been using
Workers have been asked to do a lot this past year, and all on their own – from managing their day job at home without the office resources they’re used to, to simultaneously wrangling kids’ childcare or remote schooling. Employees have had to do what they can to get by, right down to the kind of software or tools they’ve installed themselves on their work devices to make their jobs easier in a time of crisis. This includes applications like Slack, Google Docs, Facebook Messenger, Dropbox, and WhatsApp.
On the one hand, you’ve got to admire their ingenuity! But at the same time, company-owned devices coming back onto the corporate network loaded up with applications that had not been sanctioned by IT can open the door for security risk.
As employees return to the office, businesses need to roll out an IT audit program to determine what tools employees used or downloaded on their own. This not only helps give IT better visibility into where to protect and control sensitive data on company devices, but also doubles as a useful learning opportunity for identifying gaps in your remote work strategy.
Weed out personal cloud services and removable media
Remote workers who have gone the past year without corporate VPN access may have had to get by with personal cloud services or removable media, like USB storage, for sharing company files. As these devices are reintegrated into the corporate network, those practices need to be weeded out as soon as possible. Files shared over personal cloud services or removable media are difficult to encrypt consistently, fall outside IT’s visibility, and, frankly, are just too easy to lose.
As part of the reintegration effort, companies need to make a concerted effort to raise awareness among employees about the organization’s officially sanctioned tools and cloud services – e.g., corporate cloud logins and services that the company has accounts with. IT teams need to help migrate data and files from personal storage to corporate-owned storage, and ensure along the way that employees have all the right access privileges to those services.
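To make the three measures above concrete, here is an added example (not code from the Sophos article) of a release check that an IT team could run over an endpoint-inventory export before a device is allowed off the quarantine LAN: it holds devices that miss the patch or OS baseline, lists software installed outside of IT’s sanctioned set, and flags personal storage clients and removable-media use that need a data migration. The record layout, the field names, the 30-day patch limit, the OS build baseline of 19042, the app lists and the inventory records are all constructed assumptions for illustration; a real endpoint-management export will have its own schema.

```python
"""Quarantine-release check for devices returning to the office.

Added example, not Sophos code. Assumes an inventory export shaped like the
constructed INVENTORY records below; real endpoint tools export other fields.
"""
from datetime import date

# Policy thresholds (assumed values for illustration).
MAX_PATCH_AGE_DAYS = 30            # older than this: stay on the quarantine LAN
MIN_OS_BUILD = 19042               # assumed minimum acceptable Windows 10 build
SANCTIONED_APPS = {"Microsoft Teams", "OneDrive", "Sophos Endpoint"}
PERSONAL_STORAGE_CLIENTS = {"Dropbox", "Google Drive"}   # data to migrate to corporate storage

# Reference date for the check, fixed so the example is reproducible (assumed).
TODAY = date(2021, 5, 10)

# Constructed inventory records, as an endpoint-management tool might export them.
INVENTORY = [
    {"hostname": "LT-0412", "os_build": 19043, "last_patch": date(2021, 5, 3),
     "apps": ["Microsoft Teams", "OneDrive", "Sophos Endpoint"], "usb_storage_seen": False},
    {"hostname": "LT-0177", "os_build": 18363, "last_patch": date(2020, 11, 20),
     "apps": ["Microsoft Teams", "Dropbox", "WhatsApp", "Sophos Endpoint"], "usb_storage_seen": True},
    {"hostname": "LT-0390", "os_build": 19042, "last_patch": date(2021, 4, 28),
     "apps": ["Microsoft Teams", "Slack", "Sophos Endpoint"], "usb_storage_seen": False},
]


def patch_age_days(record, today):
    """Days since the device last received updates."""
    return (today - record["last_patch"]).days


def evaluate_device(record, today):
    """Return (decision, findings) for one device.

    decision is 'hold' (stay on the quarantine LAN) or 'release' (may join the
    corporate network). Only the patch and OS baseline block release; software
    and data findings are audit items for IT to follow up on.
    """
    findings = []
    installed = set(record["apps"])

    # Measure 1: patch and OS baseline, enforced on the quarantine LAN.
    age = patch_age_days(record, today)
    if age > MAX_PATCH_AGE_DAYS:
        findings.append(f"patches {age} days old (limit {MAX_PATCH_AGE_DAYS}): update before release")
    if record["os_build"] < MIN_OS_BUILD:
        findings.append(f"OS build {record['os_build']} below baseline {MIN_OS_BUILD}")

    # Measure 2: software the employee installed without IT sanction.
    unsanctioned = sorted(installed - SANCTIONED_APPS)
    if unsanctioned:
        findings.append("unsanctioned software: " + ", ".join(unsanctioned))

    # Measure 3: personal cloud storage and removable media used for company files.
    personal = sorted(installed & PERSONAL_STORAGE_CLIENTS)
    if personal:
        findings.append("personal cloud storage to migrate to corporate storage: " + ", ".join(personal))
    if record["usb_storage_seen"]:
        findings.append("removable storage used while remote: review files copied to it")

    hold = age > MAX_PATCH_AGE_DAYS or record["os_build"] < MIN_OS_BUILD
    return ("hold" if hold else "release"), findings


def quarantine_report(inventory, today):
    """Map each hostname to its (decision, findings) pair."""
    return {r["hostname"]: evaluate_device(r, today) for r in inventory}


if __name__ == "__main__":
    for host, (decision, findings) in quarantine_report(INVENTORY, TODAY).items():
        print(f"{host}: {decision}")
        for f in findings:
            print(f"  - {f}")
```

The split between blocking conditions and audit findings is deliberate: a missing patch baseline is what makes a device unsafe next to other hosts, so it alone keeps the laptop on the quarantine segment, while unsanctioned software and personal storage are handled as follow-up work items (removal, data migration, access provisioning) once the device is back under management.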
While returning to the office after a year of remote working might be a bit of a shock to the system – just as the original shift to working from home last March was – businesses can make this process of returning employee devices to corporate networks an overall net good. This is an altogether excellent opportunity for businesses and IT team leaders to roll out new policies that not only do a better job of securing and modernizing employee devices, but also make bigger changes to remote working strategies that can facilitate even greater levels of security and access.
“Back to normal” doesn’t have to mean “business as usual.” This is a golden opportunity for organizations to carry the ball forward.