
Back to the office: A cybersecurity checklist for businesses returning to the workplace

As more and more organisations look at introducing hybrid working models, Amir Kanaan, Managing Director, Middle East, Turkey and Africa, Kaspersky, gives practical recommendations on what businesses should consider when planning a return to the office


Sooner or later, organisations will start thinking about post-pandemic work routines for their staff. In June, Apple announced that its employees will return to the office for at least several days a week from September. Although for many companies, there is still no final decision about the new realities of working, even a partial return to the office will require certain measures from IT and IT security teams.

Switching to working from home was difficult, but oddly enough, returning to the office may be just as tricky. Organisations will have to roll back some changes, which could be as complex as when they were deployed in the first place. They will also need to re-ensure security of internal services and meet employee needs for software they got used to during lockdown. There are many things to consider, so to help prioritise, we put together some cybersecurity action points for businesses.

1. Keep cybersecurity workarounds introduced when working from home

To maintain the security of corporate endpoints while employees were working from home, companies most likely introduced additional protection measures, such as security checks and centralised patch management of remote computers; setting up or extending a VPN; and dedicated awareness training. Detection and response agents on endpoints were important to fill the gaps in network perimeter defenses that may not have worked as well due to a lack of actual perimeter.

These practices should be the same for hybrid working models too – when the workforce flows from home to office, or travels on business trips. VPN, EDR, and intrusion detection systems on endpoints will ensure employees can work safely, wherever they want to do their tasks.

2. Carefully plan resources and time for enabling security controls that were disabled for remote working

To allow employees to remotely connect to the corporate network, especially from personal devices, organisations may decide to weaken or disable some cybersecurity controls – such as Network Admission Control (NAC). NAC checks computers for compliance with corporate security requirements before granting access to the corporate network. If a computer is not authorised, has outdated anti-malware software, or another inconsistency, NAC will not grant access until these problems are resolved.


When employees return to the office and connect to the corporate network, NAC should be turned on to protect the internal systems in case the machines pose any risks. But since computers have been remote for about 18 months, they could have missed some updates. This means that enabling NAC for dozens or even hundreds of such machines can cause many errors. As a result, switching the service on could turn into a step-by-step, fine-tuning process for small groups of staff.

Organisations need to anticipate such issues and have a plan which includes resources, deadlines, bug fixes, and maybe even help from IT integrators.
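To make the phased NAC re-enablement described above concrete, here is an added example (not Kaspersky's code or any NAC product's API) of a posture check that classifies returning endpoints against constructed compliance thresholds and groups the non-compliant ones into small remediation waves; the inventory, hostnames and thresholds are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Endpoint:
    hostname: str
    authorised: bool          # known to the asset inventory / domain
    av_signature_date: date   # date of the installed anti-malware signature set
    last_patch_date: date     # last successful OS patch run


# Policy thresholds (constructed for this example; tune to your own NAC policy)
MAX_SIGNATURE_AGE = timedelta(days=7)
MAX_PATCH_AGE = timedelta(days=30)


def evaluate(ep: Endpoint, today: date) -> list:
    """Return the list of compliance failures; an empty list means NAC grants access."""
    failures = []
    if not ep.authorised:
        failures.append("not authorised")
    if today - ep.av_signature_date > MAX_SIGNATURE_AGE:
        failures.append("anti-malware signatures outdated")
    if today - ep.last_patch_date > MAX_PATCH_AGE:
        failures.append("OS patches outdated")
    return failures


def plan_rollout(endpoints, today: date, wave_size: int = 25):
    """Split endpoints into compliant ones (NAC can be enforced for them right away)
    and remediation waves of at most wave_size non-compliant machines, each with reasons."""
    compliant, remediate = [], []
    for ep in endpoints:
        failures = evaluate(ep, today)
        (compliant if not failures else remediate).append((ep.hostname, failures))
    waves = [remediate[i:i + wave_size] for i in range(0, len(remediate), wave_size)]
    return compliant, waves


# Constructed sample inventory: three laptops coming back after months of remote work
TODAY = date(2021, 9, 1)
SAMPLE_ENDPOINTS = [
    Endpoint("lt-001", True, TODAY - timedelta(days=1), TODAY - timedelta(days=10)),
    Endpoint("lt-002", True, TODAY - timedelta(days=40), TODAY - timedelta(days=200)),
    Endpoint("lt-003", False, TODAY, TODAY),
]

if __name__ == "__main__":
    granted, waves = plan_rollout(SAMPLE_ENDPOINTS, TODAY)
    print("grant:", [host for host, _ in granted])
    for n, wave in enumerate(waves, 1):
        for host, reasons in wave:
            print(f"wave {n}: {host} -> {', '.join(reasons)}")
```

Running it on the sample inventory grants lt-001 and puts lt-002 (stale signatures and patches) and lt-003 (unknown device) into a remediation wave, which is the kind of per-group fine-tuning the section anticipates.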

3. Ensure updates of internal systems

Don’t forget to check internal critical services. If there are unpatched servers, it’s better that the IT security team knows about them before opening the building’s doors.

When we were all sitting at office desktops, our computers were constantly connected to the corporate network and were under 24/7 protection and policy control. Accordingly, the risks of an exploit penetrating the network from a PC and compromising a vulnerable server were lower.

Now, imagine that everyone returned to the office together and connected their laptops to the corporate network and there is an unpatched domain controller that manages all users’ accounts. If among the hundreds of devices there are compromised ones and cybercriminals reveal the vulnerable controller, they can get access to employee account data and passwords. Hopefully, the IT security team could detect the problem quickly, but then they have a lot of extra work to re-organise the network and change all passwords.

4. Be ready for savings but also for costs

Bringing employees back to the office will save employers some money. For example, at Kaspersky we increased the number of VPN tunnels from 1,000 to 5,000-8,000 to enable most of our staff to work from home. It is likely that we will cut this cost when our team returns to the office as we won’t need so many VPN licenses.

Similarly, companies can reduce the number of subscription-based cloud solutions, such as Slack or Microsoft Teams. There will be no need for so many cloud licenses, and some services can be brought back on-premises. The same strategy can apply to electronic signature apps. They were a necessity during lockdown, but they can be scaled back and combined with a traditional document signature process when movement restrictions are lifted.

However, the freed-up budgets can be spent on organising digital workstations, so employees could split their week working from the office and anywhere else. From virtual desktop infrastructure (VDI) to desktop as a service (DaaS), the concept is not new but the pandemic has made it more common, as Gartner noted. When all workspaces are in the cloud and staff can access them from any device it is much easier to deploy, manage, fix, and protect virtual desktops rather than remote computers.

5. Save the tools and settings that employees used to work with

When working remotely, employees mastered new communication and collaboration tools – chats, video conferencing, planning tools, CRMs. Moving forward they will want to continue using the apps, because they have become familiar and convenient. As one of our studies has shown, thanks to the experience of the pandemic, 74% of people want more flexible and comfortable working conditions.

Banning employees’ use of these innovations may not be wise. It could provoke the growth of shadow IT, when staff members use apps on their own initiative and without IT approval. Companies should be prepared to either approve new services or suggest alternatives and explain to staff why it is important to choose safer options. There are special solutions that help organisations manage access to cloud services – dedicated cloud discovery features in a security solution or cloud access security brokers – that enforce security policies for clouds.

IT security should be a business enabler, not a barrier. Ignoring this behavior change can impact an employee’s view of the company. Allowing flexible working and services that are convenient for workers can make the company more attractive in their eyes, as well as to future potential candidates. And vice versa, rejections can lead to disapproval of staff and the public if the company’s stance is shared. We saw this happen with Apple, where some employees wrote an open letter asking Tim Cook and executives to ‘consider remote and location-flexible work decisions to be as autonomous for a team to decide as hiring decisions are’.

The pandemic and transition to remote working were a challenge laid out by a force majeure. Such things don’t happen often. Despite the difficulties, this experience is invaluable and provides a crucial lesson for the future.

One of the most important pandemic takeaways is the speed of business transformation and the flexibility of IT. And IT security should not prohibit but offer options and support this flexibility. A smart and safe return to office work in any form can help companies stay on top of this trend, making the most of their business processes.