Following more than a year of unprecedented social distancing restrictions across the world, hope is finally on the horizon. The remarkably quick development and rollout of effective COVID-19 vaccines offers a realistic prospect of a full return to normality in the near future.
Immediate thoughts are likely to linger on the resumption of social activities, such as attendance at large-scale events like festivals and sporting events and unhindered access to bars and restaurants. Before long however, attention will turn to working patterns in the post-COVID world, with many office-based staff having operated entirely remotely since March 2020. While it’s feasible some workers will continue with this way of working going forward, the vast majority of staff will return to physical offices, even if only on a hybrid basis.
Once taken for granted, the opportunity to meet, chat and socialize with colleagues in-person again following more than a year of being isolated in kitchens and living rooms – with laptops balanced on various items of furniture – will be an enticing prospect for many office-based staff.
Yet the return to the office will be no simple process. Not only do organizations have to ensure relevant COVID-19 rules and protocols are followed to protect the health of their staff, they need to ensure their business is protected from a security point of view when making the reverse shift.
In the cybersecurity sector, the main focus of the past year has understandably been on the challenges posed by mass remote working. Now, as vaccines pave the road to normality, it is vital to also fully consider the security implications posed by the opposite scenario: staff returning to offices.
Re-Connecting Devices to the Corporate Network
One area organizations must be mindful of in this respect is devices reconnecting to the corporate network following a long absence, during which time they were potentially left exposed on insecure home Wi-Fi networks. A study last year by Redscan observed a surge in malspam and in external scanning attempts to identify weaknesses in remote-access tools. As a result, the company predicted an influx of attacks when devices reconnect to corporate networks, with malware potentially lying dormant and ready to move laterally through a network. This is a threat that John Morgan, CEO at Confluera, believes organizations should be taking very seriously. “As employees begin to start returning to the office, you can certainly expect an immediate uptick in support calls as infected devices attempt to connect directly to the corporate network,” he explains.
Many of these threats will not necessarily manifest immediately, making it harder still for security teams to detect and respond to them effectively. “Once an attacker gains access into a corporate device or network, they are in no hurry to navigate from servers to servers looking for their prize,” adds Morgan. “Such actions could alert the attention of IT and security analysts. Instead, they will take small benign-looking steps, lying dormant for weeks or months in between.”
The opportunities for cyber-criminals to infect home-working staff with dormant malware are exacerbated by the increasing use of personal devices over the past year or so. These are typically not subject to the same security controls and standards as corporate devices and are therefore even more vulnerable to infection. “The corporation has much less control over the security standards that can be employed; they can’t control what people are looking at on the internet, at home, how secure their home broadband is and things like that,” highlights Paul McKay, principal analyst at Forrester. “From that perspective, when you are going back to the office do you allow people to come back and plug in some of the devices they’ve been working on which might not even be corporately owned?”
Taking the mantra ‘prevention is the best cure’ is therefore advisable, and there are a number of actions organizations can take to mitigate these types of risks. The first step is to undergo a thorough audit of the devices staff are planning to bring back to the office, in order to find out whether it will be “home owned devices or corporate devices,” says McKay. He adds that organizations should also insist “people have taken steps to ensure the devices are patched and up to date at a basic level.” This is especially pertinent to those personal devices.
Longer term, McKay believes there is likely to be much more demand from employees to use personal devices in the physical workplace, and organizations have to respond in kind. “I think organizations need to completely refresh their BYOD policies,” he says. “If people want to use those devices in preference to a corporate asset that’s fine, but they need to accept some oversights that might insist on certain security controls being deployed and devices being encrypted.”
Dirk Schrader, global vice president, security research at New Net Technologies (NNT), goes even further, believing companies should require staff “to use built-in update mechanisms (like Windows Update) to get the systems to the latest stage the day before they come to the office, in addition to running a security check (again using built-in features).” He adds that organizations may want to place incoming devices into a quarantine section of their networks to undertake a system and security check, “checking for deviation from known secure states and restoring them where needed.”
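The quarantine-and-check step McKay and Schrader describe, as an added example that is not from the article or from any of the companies quoted: a simple posture gate that compares each returning device's report against a known-good baseline and decides whether it may leave the quarantine segment. The field names, thresholds and sample inventory are assumptions constructed for this illustration.

```python
# Added example: a posture gate for the quarantine segment described above.
# Each endpoint report is compared with a known-good baseline; any deviation
# keeps the device quarantined. Field names, thresholds and samples are assumed.
from dataclasses import dataclass
from datetime import date, timedelta

BASELINE = {                          # assumed "known secure state"
    "max_patch_age_days": 30,         # OS patched within the last 30 days
    "max_av_signature_age_days": 7,   # AV/EDR signatures no older than a week
    "require_disk_encryption": True,  # full-disk encryption, BYOD included
}

@dataclass
class DeviceReport:                   # one record as an endpoint agent might report it
    hostname: str
    corporate_owned: bool
    last_patched: date
    av_signatures: date
    disk_encrypted: bool
    byod_enrolled: bool = False       # personal device accepted under BYOD policy

def assess(report, today, baseline=BASELINE):
    """Return ('allow' | 'quarantine', [deviations]) for one device."""
    deviations = []
    patch_age = (today - report.last_patched).days
    if patch_age > baseline["max_patch_age_days"]:
        deviations.append(f"patches {patch_age} days old")
    if (today - report.av_signatures).days > baseline["max_av_signature_age_days"]:
        deviations.append("AV signatures stale")
    if baseline["require_disk_encryption"] and not report.disk_encrypted:
        deviations.append("disk not encrypted")
    if not report.corporate_owned and not report.byod_enrolled:
        deviations.append("personal device not enrolled under BYOD policy")
    return ("quarantine" if deviations else "allow"), deviations

def triage(reports, today, baseline=BASELINE):
    """Map hostname -> assessment so the helpdesk sees who stays quarantined."""
    return {r.hostname: assess(r, today, baseline) for r in reports}

# Constructed sample inventory: a clean corporate laptop, a corporate laptop
# that sat unpatched at home, and a personal PC never enrolled under BYOD.
SAMPLE_REPORTS = [
    DeviceReport("corp-laptop-01", True, date(2021, 5, 25), date(2021, 5, 31), True),
    DeviceReport("corp-laptop-02", True, date(2020, 11, 3), date(2021, 5, 31), True),
    DeviceReport("home-pc-03", False, date(2021, 5, 20), date(2021, 5, 30), False),
]

if __name__ == "__main__":
    for host, (decision, why) in triage(SAMPLE_REPORTS, date(2021, 6, 1)).items():
        print(f"{host}: {decision} {why}")
```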
Reinforcing Staff Behaviors
As well as carefully analyzing the devices coming back into their environments, organizations should also be mindful of the security impact of staff behaviors in the office. There are specific security behaviors required for the physical workplace which, while once ingrained, are, as McKay points out, the “sort of things people have forgotten about because they’ve been at home for a long time.” Reinforcing these effectively will be critical.
This starts even before staff set foot in their corporate buildings on the commute to work. “You need to remind people about physical device loss, making sure they keep an eye on their device and also that they don’t sit working on the train – as people get back to commuting you have the issue of folks potentially overlooking your work,” explains McKay.
While they may seem basic, lack of adherence to these kinds of practices can have major security implications, and McKay believes it is likely we will “see increases in lost laptops.”
Christian Toon, CISO at law firm Pinsent Masons, fears that insecure behaviors around the handling of confidential data in an office environment could creep in following such a long absence from the office. This particularly relates to professions such as law, which rely heavily on signatures and printed documents. For example, while staff have been at home, Pinsent Masons has had a round-robin courier picking up everyone’s confidential waste to take it for shredding. Once back in the office, however, staff will need to take more personal responsibility for the destruction of these types of sensitive documents. Toon comments: “It’ll be getting people back into those habits as before we left and making sure that they’ve got an opportunity to ask because people will forget about what to do and we can be on hand to nudge them in the right direction.”
Additionally, in this unique scenario, where entire workforces have not been present in an office for over a year, it is important for organizations to ascertain exactly how their security culture has been affected in the weeks following reopening. “Organizations have to understand what security behaviors we are seeing return to the office – how that can impact security in a positive and negative way and how they can tweak their physical security and cybersecurity measures to mitigate some of the issues,” explains McKay. “I think we are going to find that peoples’ muscle memories will have lapsed as they return to the office, both from a physical security and information security perspective.”
Setting up Physical Workplaces Securely
As well as the security of devices and people returning to offices, organizations must be aware of issues that may arise from preparing these buildings for a sudden influx of staff. This may be further complicated by the need to follow relevant COVID-19 protocols.
Firstly, many organizations will be reliant on third party services to make their workplaces ready for employees. As such, establishing protocols to ensure sensitive information is not accessed or stolen is critical. Toon notes that at Pinsent Masons, “we are having to engage quite widely with cleaners and health and safety professionals to help make our offices COVID-secure and it introduces additional risk because of the amount of third parties who will then have physical access to our premises in preparation for getting us ready to go back to work.” He adds that in regard to security, “the traditional third parties – support staff like cleaners, couriers and waste disposal – are often overlooked because the focus tends to be on the big data center companies or SaaS platform you’re engaging with.”
In addition, adhering to certain COVID-19 policies and controls is likely to raise numerous data protection and privacy issues. There has already been much debate and discussion over requirements for COVID-19 tests and vaccine certification to give people the green light to undertake certain activities going forward, and it’s feasible that some businesses will look to introduce similar steps to facilitate a safe return to the office. However, the collection and use of this kind of data could present difficulties, particularly in Western countries where issues like privacy and intrusion are of high importance, according to McKay. As well as being certain they are following the necessary legal requirements, organizations “need to be transparent with users and be ethical with how they use this data.”
Preparing for a Secure Return
McKay also has concerns about the “proliferation” of apps and Internet of Things (IoT) devices in workplaces as part of efforts to ensure COVID-19 protocols are followed. In particular, he expects to see extensive usage of apps that capture real-time data on people’s movement in workplaces, such as internal desk booking systems and contact tracing apps. McKay notes that many of these have been introduced quickly, which raises questions about their security. Therefore, as well as addressing issues around privacy, McKay believes that “understanding the security posture of those products and how they’ve been deployed into your environment is going to be very important.” He adds that once “you’ve introduced all these insecure devices in the environment, you’ve increased your potential attack surface and the data that’s been captured is in some cases quite sensitive.”
Another issue relates to the surge in IoT technology throughout corporate buildings and homes over recent years. Sarb Sembhi, CTO and CISO, notes that with many offices sitting empty since the start of the pandemic, numerous organizations, particularly early stage businesses, have ramped up investment in security and surveillance equipment to help protect their physical space. This includes smart hubs, CCTV and burglar alarms, all of which are IoT devices and thereby expand the attack surface of physical buildings. This could, in turn, have big implications when staff return. “There are so many new devices installed in buildings that didn’t have them before,” outlines Sembhi.
While much has been made of the security dangers posed by the dramatic shift to remote working last year, it is now important that attention turns to understanding, and preparing for, threats associated with returning to the office environment. Organizations should place security considerations at the center of plans to safely allow staff back to the workplace, closely consulting with security teams while doing so. Challenges will range from malware and other potential latent threats on devices reconnecting to the corporate network after a long absence, to physical security considerations, such as the behaviors of staff. Simply put, after more than a year of facing rising cyber-threats, organizations must not take their eye off the security ball now as a return to normality beckons.