All feelings aside, the reality is that states are beginning to allow businesses to phase their employees back into the office despite the looming pandemic. With business owners pressuring local government to let them reopen and hospitals feeling like they can feasibly accommodate the increased volume, we’ll likely begin to see offices reopen at a growing rate in the coming weeks.
Given the fact that many of the employees coming back to offices have been working remotely for the better portion of two to three months now, integrating them back into an office setting is certainly going to take a concerted effort—particularly as it relates to information security measures.
Business leaders and heads of security programs within organizations have an obligation to reintroduce their employees to the office environment in a way that minimizes any security risks that may go along with it. So, as you consider transitioning your workers back to an office setting, here are some best practices for handling the return with minimal hiccups.
Consider a Staggered Return
Many organizations have a small IT and security department. It’s important to consider their bandwidth when deciding to return to the office. As you continue to read, you’ll see that there will be a number of things that we recommend you consider doing as each employee returns back to the office. If you bring everyone back all at once, this has the potential to completely overwhelm your IT staff.
There’s no one right way to do this, but consider only returning a few employees at a time—whether that’s department by department, or a couple people from each department.
This staggered approach will allow your IT staff to adequately vet and implement what they need to without feeling completely overloaded or like they need to rush through it. Not only will this salvage their sanity, but it will also minimize the chances of a mistake.
Trust, but Verify
It bears mentioning that it’s critically important to trust your employees. And not only is it critical to trust them, but it’s critical they know you trust them.
You’re going to need an understanding of what your employees home setup was like, what security measures they had in place at home, how they used their work devices while out of the office, what they stored where, and more. The intent is not to grill your staff, but rather to get a holistic picture of what security measures you need to or don’t need to take as your employees return.
So, trust that your employees handled the work-from-home security situation as best they could, but verify their efforts in a few ways.
Consider Your Capabilities
First and foremost, you need to know what your business can handle from a bandwidth and expertise standpoint. You may need to make the decision to accept certain risks because it would be virtually impossible to control them.
Everything you do to assimilate your employees back into the office has to have your business’s capabilities in mind, which often lends itself to focusing on more basic solutions.
Start with a Screening Process
I’d consider sitting down and having a conversation with your employees. Sometimes we do things without thinking about them, and a simple conversation might jog their memory around some of the things they did or didn’t do. You may not uncover anything, but (done the right way) it doesn’t hurt anything to ask. Plus, it’s always good to get your employees thinking about security measures.
Some important things to uncover would be:
- Suspicious Activity: Since they’ve been working from home, have they seen anything suspicious in their phone calls, emails, or on their device?
- Usage: They might not admit to this, but it could cause you to take added precautions. Has anyone besides them used their work device in any way? Particularly, children don’t always have the same grasp of acceptable use and are more likely to do something risky.
- Downloading: Ensure that you understand where sensitive information might be stored outside of your employees’ work devices. It’s important to understand that sensitive information might exist outside the confines of a work device (like on a thumb drive, for example) and to manage it accordingly.
- Security Measures: Figure out what security measures your employees took at home to secure their network. It’s likely your employees have been connecting directly to their personal Wi-Fi, so we need to know how secure those networks are.
- Additional Connections: Have they connected directly into networks besides their own? Public wireless like at airports, coffee shops, etc. are usually considerably less secure than an employee’s home network.
- Conduct an Assessment: A free tool from one of our partners (S2ME) exists to provide a score to a person’s personal security measures. Consider having all your employees take this assessment before returning to the office and create different procedures based on certain score thresholds.
Conduct Scanning
Not to stoke fear, but one of the more nerve-wracking elements to our employees working remotely for so long is that if an attacker was able to gain access and be smart about it, they’d likely lay dormant on that device until the employee returns to work. This would allow them to remain undetected until they can fry bigger fish—your corporate network.
Because of this, we recommend you scan for indicators of compromise (IoCs) as your employees return. This exercise allows your team to gather information about a planned attack, helping identify threats and giving them the chance to deny attackers ongoing access.
Start Over?
I’ll admit this feels a bit drastic, but it honestly might be the right move for some organizations.
Businesses often utilize the cloud so heavily that everything from files, to account passwords, to applications, and much more lives entirely on the internet. If this is true of your business, being able to re-access the things you need might be as simple as a quick login or a re-download of the program or file you want to use.
And if that’s the case, maybe don’t even risk trying to vet everything before allowing a return. If your business is almost entirely cloud-based, it might be worth it to just completely wipe all the machines before your employees use their devices on your corporate network.
This won’t be right for every business, but it’s an effective way to check the compromise at the door if it exists.
Adjust Plans
There’s a phrase in the information security industry that states you should, “never let a good security incident go to waste.”
It’s kind of cheeky, but the phrase gets at a very important lesson: every bad situation is a good learning opportunity. When things like network compromises happen, a natural disaster strikes your area, or a global pandemic forces millions of people to suddenly work remotely, we get a real-time look at the effectiveness of our response plans as businesses.
It’s important that we use this time of returning back to the office to review and adjust those plans based on our experiences with the security aspects of the pandemic.
Dust Off Your Incident Response Plan
Regardless of whether you had to use your incident response plan or not, we know that attacks have increased during the pandemic. Plus, we already touched on the fact that there’s a chance that an attack might be lying in wait now until your employees connect to a corporate network. These are as good of reasons as any to consider taking a look at your incident response program.
If you did experience malicious activity during the pandemic, did you handle it properly? How could it have been handled better or differently? What went well that you should try to emulate in the event it happens again?
Additionally, think about what has changed about the way you conduct your business. These changes may need to be reflected in how you handle an incoming incident, and your plan should be adjusted accordingly.
Review Your Disaster Recovery Plan
Disaster recovery plans (DRPs) effectively help your business recover their IT infrastructure during events like natural disasters, electrical fires, broken water pipes, failed air conditioning units, etc. Anything unexpected that could cause prolonged downtime could be considered under a DRP.
This may not be perfectly applicable to the current situation, because it’s unlikely that something physically impacted your technological capabilities, but some elements like emergency communication, SLA discussions, and determining downtime tolerance are all relevant to what we’re dealing with now.
We recommend you review your DRP and consider what changes could be made moving forward that would have helped in the current situation.
You Went Through a Business Continuity Plan
With a business continuity plan (BCP), there is some overlap with your DRP, but BCPs are focused on the entirety of the business—not just your IT infrastructure. Your BCP outlines the steps needed to ensure key products and services remain available to customers, while a DRP provides specifics to recover technology after a disaster.
Basically, a BCP outlines how to keep business doors open in times of crisis. Whether we realize it or not, we all tested our business continuity plans during the pandemic. In order to stay in business, every one of us had to adjust how our businesses operated under the current environment.
There are undoubtedly lessons that could be gleaned from this situation and the plan you had surrounding it. If you think you handled the situation perfectly, you didn’t examine it thoroughly enough.
When creating a BCP:
- Conduct a business impact analysis first (if you haven’t). A business impact analysis (BIA) looks at the operations of an organization, its resources, and what happens to the other resources when one goes down.
- A BIA helps look at the cost-to-impact ratio of key areas of your business, so you know where to focus your attention and prioritize.
- Determine who will be involved in the business continuity process, including key stakeholders.
- Determine proactive and reactive measures against crises, disasters, or (in this case) global pandemics.
- Decide what the long-term recovery efforts will look like in the event something does happen.
- Train team members and test the plan.
Because we literally are living through this exercise right now, take solid notes about what continues to work and what needs to be rethought. That way, when the next thing comes along, you can look back as a business and say, “that went well (or poorly) during Coronavirus, so let’s do it that way again (or avoid it).”
Run Through an Asset Inventory Exercise
Along with understanding your employees’ environment and auditing your plans comes asset management. Asset management is a fundamental security measure, and the pandemic has exacerbated that.
It starts with an inventory.
We touched on it already, but with the fluidity of the remote working situation of your staff, it can be harder to understand what data exists in your organization and where it exists in your environment. But we need to be able to understand what exists in order to secure it.
It may not have been possible to do this before sending people home, but as they return, we have a golden opportunity to take an inventory of what hardware, software, and data exists and where. This will make it much easier to secure everything we can.
Be Prepared to Reverse Course
Yep.
Ultimately, the course of the virus is going to dictate the decisions we make as businesses, as a government, and as individuals. Since the intent of isolation was to allow hospitals to create the infrastructure necessary to house the patient numbers expected, local governments feel it important to return to some semblance of normalcy in the near future. But, if things take a sudden, drastic turn, it’s possible that isolation may once again become a requirement.
If it happens again, we luckily have a chance to be prepared. Just like we discussed with adjusting your plans based on what you learned, do the same with how you handled sending everyone home.
Recognize some of the hurdles you dealt with and what went smoothly so you can fix and emulate them respectively in the event we do need to reverse course.
We can hope for the best but need to prepare for the worst.
It’s Not All About Work
Finally, be a human. These last few months have been stressful, chaotic, and challenging. Returning to a sense of normalcy will likely require significantly more than just allowing people to come back to the office and get in a routine.
So, be a human. Recognize the challenges of transitioning back, and provide some leniency.
Be sure to communicate, too. Check in with your staff. Ask how things are going, not just as a token, but actually listen when they answer.
Physically, it’ll be important to know how your employees are feeling. More than ever, the physical health and wellbeing of the office and its staff will be vitally important. Not only does keeping tabs on your employees’ health prove that you’re concerned for them, but any indications of the virus in your office environment will certainly warrant a response.
And please don’t stop there. Check in mentally, too. There is a hidden complexity to handling isolation, health concerns, the halting of hobbies, and more. The comradery of an office setting will likely never feel more important than it will when people return, and being able to confide in coworkers and leadership about personal life and mental state could go a long way for your staff.
Summing it Up
Since employees returning to a more traditional office setting will increase in the coming weeks, we need to be prepared to handle their return as security and business leaders.
Staggering the returns, verifying your employees’ security measures while remote without showing distrust, using the pandemic as a learning experience to improve business-wide plans, conducting an asset inventory, being prepared to send staff back home, and simply being a human will all be helpful endeavors in smoothing the transition process.
Setting these preparations in motion now where you can will limit the security risk of assimilating your employees back into your office environment and network when you do decide to phase them back.
If your team needs assistance putting these security measures in place before or during your office re-open, reach out to us at frsecure.com. We’re always happy to help.
