While governments and public healthcare specialists are looking into the timing and manner of reopening the economy, it is clear that at some point in the hopefully not-too-distant future restrictions will be eased and businesses will return to normal operations. However, just as the shift to working from home required organisations to adapt and act differently, so will the return to the office. In this article, we discuss the preparation CISOs should consider making to offset a number of security implications that arise from returning your workforce from home and back to the office.
Making Sure Returning Devices Are Safe To Use
When returning to the office, employees will haul back all the IT equipment they have used at home. Some of this is trivial office equipment like screens, docking stations and cables, but computing devices can be a security blindspot.
Rogue Devices: While unknown connected devices pose a security risk at all times, the return to the office represents an even bigger risk. Whilst at home, such devices may not pose a serious security risk, but if they are introduced to the corporate network, they could become one.
Home Laptops: Some employees working from home may have had to use their own laptops, either because in the rush to vacate offices the IT department might not have had sufficient inventory or just through personal preference. In such cases, they are likely to bring these laptops with them when they return to the office, plug them into the corporate network and continue to work as they had been doing at home. These devices could potentially be infected with malware if they have not been running updated, corporate-grade EDR solutions – install NAC for employees who now find they must work with their own device, and ensure they use company-issued EDR. Employees should transfer their work to their company-issued laptop and take their personal laptop back home.
USBs and NAS: Another practice employees may have adopted while working from home is the use of USB thumb drives and network storage devices. Personal storage devices should be prohibited in the corporate environment and not allowed to connect to company computers and networks.
Inventory: As many employees took equipment home, it is necessary to register and keep an up-to-date inventory of this equipment and its whereabouts. In the first instance, this makes sense to avoid wasting resources: ensure employees return cables and screens that they have borrowed from the workplace. It is possible that some staff took an extra laptop home and that the device is now stranded somewhere, perhaps even connected to the home network and exposed to the world.
Keeping Insecure Software Off Your Network
Even if the devices used at home were company-issued, they can still be a threat if they are not installed with updated software and security systems.
Updated OS and Software: Unpatched and outdated Operating Systems can facilitate data breaches. Some employees may have ignored the update prompt or rescheduled these indefinitely. In addition, some computers and servers left on-premise may have been shut down throughout this period. After restarting these, it is important to install all available software patches and updates.
Updated and Active EDR: An updated EDR solution was vital to securing the laptop at home, and it is of course crucial in securing all devices in the work environment. It’s not unheard of for some employees to disable security software in order to perform certain actions on their devices. Ensure that all your endpoints have an active and up to date EDR Solution.
Unregistered Software: It is possible that some employees have installed software for their own use, perhaps because they were unable to use company resources or simply because it was more convenient than asking for the approval of the IT department. Make sure your EDR solution can inventory software and can report on application risk levels.
Software License Inventory: Working from home may have required certain software licenses that are no longer needed when working at the office. For any software that employees no longer need access to, it’s sensible to cancel these licenses to reduce costs. The same logic applies to cloud resource usage, which may have skyrocketed while people were working from home but which now may no longer be necessary.
Preparing Processes And Procedures
In addition to inspecting devices and ensuring proper software is installed, certain processes and procedures must be implemented in order to facilitate security.
Password Reset: It is possible that employees have shared their laptops and credentials with their family or friends. They may have re-used passwords on new services or devices at home, or lapsed into other insecure habits. It is advisable to reset credentials and ensure 2FA/ MFA for all company devices and software.
New Employees: Some companies have recruited new employees during the COVID-19 outbreak and have onboarded them remotely. Moving into the office will be a new experience for these new hires and they may need an early refresher on training that was not applicable while they were working from home.
Maintain Readiness for WFH: At some point in the future, it could be necessary to transition to work from home again, and there’s always the real possibility in the near-to-mid term future that individual employees could contract the virus and need to self-isolate again.
Therefore, it is prudent to use the lessons learned from the mass transition to work from home in early 2020 and be better prepared to do it again, whether on a small scale or throughout the company. This includes having an up-to-date inventory of all IT equipment, having all company laptops installed with a modern EDR and ensuring that employees have access to company assets via VPN protected by 2fA.
Returning to the office environment might come sooner or later, but come it surely will. In order to reduce the risk and facilitate a quick return to normal operations, CISOs should consider the possibility that employees may bring threats with them when they shift back to the office desk.
Unlike the rushed, unexpected manner in which many organisations sent their employees home with little opportunity for planning or preparation, the return to the office is something that can be planned for in a more organised and orderly fashion. Prepare now to ensure the necessary processes and tools are in place before this happens.
Contributed by David Errel, senior director, SaaS platform, SentinelOne