We don't know when the pandemic will end. But we do know that, at some point, more employees will head back to their offices. From a security perspective, what then? What has to be done to keep employees – and their organizations – safe as they begin to make their way back to the workplace?
Suffice it to say, a lot, all with the goal of not losing any of the security gains made during the move away from central offices in the first half of 2020. Perhaps the most important of them all has been the recognition of just how important endpoints are in the overall scheme of things. In addition, the pandemic has increased recognition of the "perimeter" as amorphous and diaphanous rather than the impregnable wall some still see.
On the flip side, cybersecurity teams will have losses to address, specifically around those who lost their jobs during the pandemic.
"Many employees and businesses have shifted their workforce, and unfortunately this also includes workforce reductions," says Heather Paunet, senior vice president of product management at Untangle. "IT departments should conduct a comprehensive employee audit, ensuring those who are still with the company have access to the files and programs they need, while also disabling access for employees who are no longer with the company."
This also extends to employees who have transitioned to other teams within the organization and may need different access permissions, she adds. IT departments need to pay special attention to obtaining physical devices as well. Company-issued devices need to be returned to the IT department, reset, and updated with the latest security parameters until they are put back in use.
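The employee audit Paunet describes, as an added example that is not part of the article or any vendor's tooling: a Python reconciliation of a constructed HR roster against a constructed account directory that yields disable, group-change and device-recovery actions. All user names, groups and device tags are invented.

```python
# Constructed sample data (not from the article): what HR says about each person.
HR_ROSTER = {
    "alice": {"status": "active", "team": "finance"},
    "bob":   {"status": "terminated", "team": "sales"},
    "carol": {"status": "active", "team": "engineering"},  # moved over from support
    "dave":  {"status": "furloughed", "team": "support"},
}
# Constructed sample data: what the directory and asset register say about each account.
ACCOUNTS = {
    "alice": {"enabled": True, "groups": {"finance-share"}, "device": "LT-0001", "device_returned": False},
    "bob":   {"enabled": True, "groups": {"sales-crm"}, "device": "LT-0002", "device_returned": False},
    "carol": {"enabled": True, "groups": {"support-tickets"}, "device": "LT-0003", "device_returned": False},
    "erin":  {"enabled": True, "groups": {"admin"}, "device": None, "device_returned": True},
}
# Hypothetical mapping of team -> groups that team is entitled to.
TEAM_GROUPS = {
    "finance": {"finance-share"}, "sales": {"sales-crm"},
    "engineering": {"eng-repos"}, "support": {"support-tickets"},
}

def audit_accounts(roster, accounts, team_groups):
    """Return (user, action, detail) findings for the IT team to act on."""
    findings = []
    for user, acct in accounts.items():
        hr = roster.get(user)
        if hr is None:
            # Account with no HR record: nobody vouches for it, so it comes off.
            findings.append((user, "disable", "account has no HR record"))
            continue
        if hr["status"] == "terminated" and acct["enabled"]:
            findings.append((user, "disable", "employee left the company"))
            if acct["device"] and not acct["device_returned"]:
                # Company hardware still out in the wild must come back for reset.
                findings.append((user, "recover-device", acct["device"]))
            continue
        if hr["status"] == "furloughed" and acct["enabled"]:
            findings.append((user, "suspend", "furloughed; re-enable on return"))
        # Team moves: drop entitlements of the old team, add those of the new one.
        expected = team_groups.get(hr["team"], set())
        extra, missing = acct["groups"] - expected, expected - acct["groups"]
        if extra:
            findings.append((user, "remove-groups", sorted(extra)))
        if missing:
            findings.append((user, "add-groups", sorted(missing)))
    return findings
```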
In talking with industry experts about what cybersecurity teams should plan on in anticipation of a return to the office, roughly half a dozen points came up multiple times. Several build on and reinforce one another. Here's what they told us.
Employee Behavior Will be Relaxed
Addressing laid-back employee behavior will likely begin at a physical level.
"If and when people come back to the office, they will need to get a few things back in order from a security perspective," says James McQuiggan, security awareness advocate at KnowBe4. "At home, they've been relaxed, wearing sweats and being casual. Back in the office, they will have to start using their access badge to gain entry into the building, and they will need to bring that with them every day."
Just as social behavior will have to readjust to office realities, computer use behavior will need to go through a period of re-education and readjustment before office behavior looks anything like it did in mid-December.
Lock Screens Must be Reinforced
At home, where everyone is (generally) trustworthy, we have no trouble stepping away from our computers for a sandwich or bio-break.
"What happens when you get up and leave your computer in the office? Do you lock the workstation, or is it always unlocked, available for anyone to come by and access?" McQuiggan asks. "There could be more workstations left unlocked [at the office] with people stepping away and forgetting they're not at home and that they need to secure their workstations."
When workers were first sent home, the "big fear" was that they wouldn't follow cybersecurity best practices from those safe confines – a basic concept known as risk homeostasis, says Tom Pendergast, chief learning officer at MediaPro. The heightened vigilance employees developed in their home offices may itself become a vulnerability when they go back to the office.
"So the big effort has been to get employees to manage their home cybersecurity more closely. Ideally, this means employees grew more vigilant about risk," he says. "But we may have to reteach employees which elements of cybersecurity they are responsible for. In other words, we may have to combat reverse risk homeostasis."
Collection of Medical Data Will Need Controls
Pendergast sees a new potential cybersecurity issue within plans to bring employees back into offices: what they are doing with the health data employers collect to ensure workers don't have COVID-19.
Many companies, he points out, are going to ask employees to self-certify they are healthy, and use data from their existing badging or key-card systems for contact tracing should there be an outbreak. Others are going to ask for more employee data and may even deploy systems to more closely track employee movement and location.
"If that's the case, employers are going to need to put in place some careful controls around how much data they collect, who collects, how it is stored, and with whom it is shared — basically, a data protection mechanism for what is likely a new class of data," Pendergast says.
Given how political pandemic issues have become, he adds, companies should be ready for employees to ask hard questions about this data collection: What are you collecting? What are you doing with the data? Who are you sharing it with?
"If the pandemic makes people more sensitive to data protection practices, that's ultimately a good thing," Pendergast says.
Audit, Then Update, Employees' Devices
One of the big challenges associated with remote workers is remote access to their systems. Systems may have missed out on critical patches and updates because they weren't connected to the internal network.
As a result, "systems coming back online should be audited and updated in accordance with organizational standards," says Joe Dibley, security researcher at Stealthbits Technologies. "[In addition], similar to system patches, companies using internal-only antivirus agents and caching may have old definitions that need to be updated and prioritized accordingly. However unlikely this may be, it is worth noting it is very possible for a company to have had a static in-house caching for AV signatures before being forced to work from home."
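As an added illustration that is not from the article or any of the vendors quoted, a small Python triage that applies Dibley's two checks to a constructed endpoint inventory: devices whose patches or AV definitions are older than policy allows are held in quarantine before rejoining the network, and the internal signature cache is compared against the vendor's newest release so that a frozen cache does not make stale endpoints look current. Hostnames, dates and thresholds are invented.

```python
from datetime import date

# Constructed sample inventory (not from the article): dates as an endpoint-management export
# might provide them. LT-0002 has been off the corporate network since March.
INVENTORY = [
    {"host": "LT-0001", "last_patch": "2020-07-20", "av_defs": "2020-07-22"},
    {"host": "LT-0002", "last_patch": "2020-02-28", "av_defs": "2020-03-05"},
    {"host": "LT-0003", "last_patch": "2020-07-25", "av_defs": "2020-03-01"},
]
# Constructed: the in-house AV signature cache and the vendor's latest definitions.
INTERNAL_AV_CACHE_DEFS = "2020-03-05"
VENDOR_LATEST_DEFS = "2020-07-27"
# Hypothetical organizational standard for how old patches and definitions may be.
POLICY = {"max_patch_age_days": 30, "max_av_def_age_days": 7}

def _age_days(as_of, iso_date):
    return (as_of - date.fromisoformat(iso_date)).days

def assess_endpoint(ep, as_of, policy):
    """Classify one returning device as 'admit' or 'quarantine', with the reasons."""
    reasons = []
    if _age_days(as_of, ep["last_patch"]) > policy["max_patch_age_days"]:
        reasons.append("patches out of date")
    if _age_days(as_of, ep["av_defs"]) > policy["max_av_def_age_days"]:
        reasons.append("AV definitions out of date")
    return ("quarantine" if reasons else "admit", reasons)

def av_cache_is_stale(cache_defs, vendor_defs):
    """Dibley's caveat: a cache that stopped refreshing when the office emptied would
    'update' every endpoint to stale signatures. Refresh it before admitting anyone."""
    return date.fromisoformat(cache_defs) < date.fromisoformat(vendor_defs)

def triage(inventory, as_of, policy):
    """Map each host to its admit/quarantine decision."""
    return {ep["host"]: assess_endpoint(ep, as_of, policy) for ep in inventory}
```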
Casey Kraus, president of Senserva, points out that employees might inadvertently have turned their endpoint computers into weapons.
"The main thing that companies of all sizes need to be prepared for when employees return to the office is trying to figure out if you are safe from whatever employees have brought into their devices," he says.
Tim Wade, technical director of the CTO team at VectraSecurity, agrees.
"Teams should be prepared for the likelihood that some of the mobile assets now returning back to their corporate networks will do so in a compromised state," he says. "They need to have a plan in place to detect when these devices begin misbehaving, how to measure the blast radius, and how to respond and remediate before damage is done."
Wade is realistic about the resources available to respond.
"For teams already stretched thin, even a modest investment in time spent in a short table-top exercise may pay dividends by uncovering gaps that can be fixed while there is still time," he says.
To fill those gaps, companies need a plan to help employees maintain their hardware security before reconnecting to the corporate network, Kraus adds.
Review and Re-Educate Employees About Cybersecurity
Oliver Münchow, founder of Lucy Security, puts the need for security review bluntly.
"Those bad habits that employees acquired during their work-from-home lives – like watching adult content, being connected to private cloud servers, communicating from unsecured devices – need to be quickly lost."
The cybersecurity review can't be a leisurely process, KnowBe4's McQuiggan points out.
"It will help organizations to have employees review their security awareness programs to reduce any risk of ransomware or other exploitation," he says. "If there are employees who have been furloughed and are returning to their mailbox, they will be quickly reviewing emails and could inadvertently click on links or open attachments that are malicious."
Keep COVID Cybersecurity Improvements
Nate Aiman-Smith, founder and CEO of RunAsACloud.com, offers this piece of advice: "Don't throw away the security improvements you've been forced to make."
"For example, some companies have adopted VDI [virtual desktop infrastructure] or desktop-as-a-service technologies in order to allow remote work," he says. "Now that their staff can come back into the building, they should continue that paradigm and turn their workstations into dumb terminals."
Ali Golshan, CTO and co-founder of StackRox, agrees. "As employees return to the office, it will be critical to maintain the more rigorous security controls put in place to protect systems while employees worked remotely," he says.
But that's not all.
"Organizations should implement additional controls that help them move toward a zero-trust model, as many of these efforts were likely started when remote/work-from-home trends kicked off earlier in the year," he says. "An organization is inherently more secure and flexible if it can apply zero-trust principles successfully from its endpoints all the way to its cloud applications."
Those endpoints have received a great deal of attention in the great move to working from home, and that attention can pay dividends when some employees return to offices.
"Any improvements or new systems that have been put in place as a response to the increase in remote work – most of these focused on securing endpoints and identity, as opposed to networks – will only benefit organizations long-term," says Keith McCammon, CSO and co-founder of Red Canary.
He points out that nothing precludes organizations from taking advantage of the traditional defenses they have in place at their offices, but "an organization that is less reliant on centralized infrastructure and security controls is absolutely safer for it," he explains.