Switching to working from home was difficult, but oddly enough, returning to the office may be just as tricky.
Organisations will have to roll back some changes, which could be as complex as when they were deployed in the first place.
They will also need to re-ensure the security of internal services and meet employee needs for software they got accustomed to during lockdown or remote work.
One of the most important pandemic takeaways is the speed of business transformation and the flexibility of IT. IT security should not prohibit; it should offer options and support this flexibility.
A smart and safe return to office work in any form can help companies stay on top of this trend, making the most of their business processes.
There are many things to consider, so to help prioritise, here are 5 cybersecurity tips to keep in mind before your organisation returns to the office or workplace:
- Keep cybersecurity workarounds introduced when working from home
To maintain the security of corporate endpoints while employees were working from home, companies most likely introduced additional protection measures, such as security checks and centralised patch management of remote computers; setting up or extending a VPN; and dedicated awareness training.
Detection and response agents on endpoints were important to fill the gaps in network perimeter defenses that may not have worked as well due to a lack of actual perimeter.
These practices should be the same for hybrid working models too – when the workforce flows from home to office or travels on business trips.
VPN, EDR, and intrusion detection systems on endpoints will ensure employees can work safely, wherever they want to do their tasks.
- Carefully plan resources and time for enabling security controls that were disabled for remote working
To allow employees to remotely connect to the corporate network, especially from personal devices, organisations may decide to weaken or disable some cybersecurity controls – such as Network Admission Control (NAC).
NAC checks computers for compliance with corporate security requirements before granting access to the corporate network. If a computer is not authorised, has outdated anti-malware software, or shows other inconsistencies, NAC will not grant access until these problems are resolved.
When employees return to the office and connect to the corporate network, NAC should be turned on to protect the internal systems in case the machines pose any risks. But since computers have been remote for about 18 months, they could have missed some updates.
This means that enabling NAC for dozens or even hundreds of such machines can cause many errors. As a result, switching the service on could turn into a step-by-step, fine-tuning process for small groups of staff.
Organisations need to anticipate such issues and have a plan which includes resources, deadlines, bug fixes, and maybe even help from IT integrators.
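The posture check and staged switch-on described above can be rehearsed against an asset inventory before NAC is enforced. The following is an added example, not code from the article or from any NAC product; the thresholds, field names, hostnames and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed policy thresholds (assumptions, not from the article or any NAC product).
MAX_PATCH_AGE_DAYS = 30
MAX_AV_SIGNATURE_AGE_DAYS = 7

@dataclass
class Endpoint:
    hostname: str
    team: str
    authorised: bool
    last_patched: date
    av_signatures: date

def posture_failures(ep, today):
    """Return the reasons NAC would refuse this endpoint (empty list = compliant)."""
    reasons = []
    if not ep.authorised:
        reasons.append("not authorised")
    if (today - ep.last_patched).days > MAX_PATCH_AGE_DAYS:
        reasons.append("missing updates")
    if (today - ep.av_signatures).days > MAX_AV_SIGNATURE_AGE_DAYS:
        reasons.append("outdated anti-malware")
    return reasons

def plan_waves(endpoints, today, wave_size):
    """Split endpoints into NAC enforcement waves of at most wave_size machines.
    Compliant machines go first; non-compliant ones follow, grouped by team."""
    assessed = [(ep, posture_failures(ep, today)) for ep in endpoints]
    # Sort: compliant first, then by team, then hostname for a stable plan.
    assessed.sort(key=lambda item: (bool(item[1]), item[0].team, item[0].hostname))
    return [assessed[i:i + wave_size] for i in range(0, len(assessed), wave_size)]

# Constructed inventory for illustration.
TODAY = date(2021, 9, 1)
INVENTORY = [
    Endpoint("lt-fin-01", "finance", True, date(2021, 8, 20), date(2021, 8, 30)),
    Endpoint("lt-fin-02", "finance", True, date(2020, 3, 15), date(2021, 8, 30)),
    Endpoint("lt-hr-01", "hr", True, date(2021, 8, 25), date(2021, 6, 1)),
    Endpoint("byod-hr-07", "hr", False, date(2020, 3, 1), date(2020, 3, 1)),
    Endpoint("lt-ops-03", "ops", True, date(2021, 8, 28), date(2021, 8, 31)),
]

if __name__ == "__main__":
    for n, wave in enumerate(plan_waves(INVENTORY, TODAY, wave_size=2), start=1):
        for ep, reasons in wave:
            print(f"wave {n}: {ep.hostname:<11} {', '.join(reasons) or 'compliant'}")
```

Each wave lists the remediation reasons per machine, so the help desk knows what to fix before that group is placed under enforcement.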
- Ensure updates of internal systems
Don’t forget to check internal critical services. If there are unpatched servers, it’s better that the IT security team knows about them before opening the building’s doors.
When we were all sitting at office desktops, our computers were constantly connected to the corporate network and were under 24/7 protection and policy control. Accordingly, the risks of an exploit penetrating the network from a PC and compromising a vulnerable server were lower.
Now, imagine that everyone returns to the office together and connects their laptops to the corporate network, and there is an unpatched domain controller that manages all users’ accounts.
If there are compromised devices among the hundreds that connect and cybercriminals discover the vulnerable controller, they can get access to employee account data and passwords.
- Be ready for savings but also for costs
Bringing employees back to the office will save employers some money. For example, internet security firm Kaspersky increased the number of VPN tunnels from 1,000 to 5,000-8,000 to enable most of its staff to work from home. It is likely that the company will cut this cost when its team returns to the office as it won’t need so many VPN licenses.
Similarly, companies can reduce the number of subscription-based cloud solutions, such as Slack or Microsoft Teams.
There will be no need for so many cloud licenses and some services can be brought back on-premises. The same strategy can apply to electronic signature apps.
However, the freed-up budgets can be spent on organising digital workstations, so employees could split their week working from the office and anywhere else.
When all workspaces are in the cloud and staff can access them from any device, it is much easier to deploy, manage, fix, and protect virtual desktops than remote computers.
- Save the tools and settings that employees have been working with
When working remotely, employees mastered new communication and collaboration tools – chats, video conferencing, planning tools, CRMs.
Moving forward they will want to continue using the apps because they have become familiar and convenient. As one of our studies has shown, thanks to the experience of the pandemic, 74% of people want more flexible and comfortable working conditions.
Banning employees’ use of these innovations may not be wise. It could provoke the growth of shadow IT, where staff members use apps on their own initiative and without IT approval.
Companies should be prepared to either approve new services or suggest alternatives and explain to staff why it is important to choose safer options. There are special solutions that help organisations manage access to cloud services – dedicated cloud discovery features in a security solution or cloud access security brokers – that enforce security policies for clouds.
IT security should be a business enabler, not a barrier. Ignoring this behaviour change can impact an employee’s view of the company. Allowing flexible working and services that are convenient for workers can make the company more attractive in their eyes, as well as to future potential candidates.
By Amir Kanaan, Managing Director, Middle East, Turkey and Africa, Kaspersky.