Nothing is more enjoyable than standing on the side of a helicopter while flying fast and aggressively. To this day, the work I accomplished during my time in the Marines is some of the most rewarding in my career. It takes discipline and calculated risk to jump into a helicopter whirling around thousands of parts made by the lowest bidder. You stay focused, understand the risk and, if possible, enjoy the heck out of the ride. Moving into the cybersecurity field after my time in the Marine Corps isn’t much different. To be effective in your mission (really the company’s mission) you must take risks. You must understand the risks, communicate the risks, and decide as a crew how to mitigate what risk you can, accept the remaining risks, then hold on. (Although, I will admit the exhilaration of military flight will likely exceed the exhilaration of endpoint and network security.)
After spending more than a decade working in cybersecurity in the credit card industry, I got the opportunity for a change of pace working in an industry that’s not as regulated, and the firm I’m working with really encourages me to focus on security that matters. The debate around the value of PCI may never end, but one thing we all can agree on is that strict compliance never equates to good cybersecurity. One of the gaps in nearly every compliance framework is the ability to be malleable in your security posture. If your security posture changed when the world shifted to a work-from-home situation, you can’t simply restart the controls you dropped or changed. It would be too jarring for your staff, who have been through enough change in the last 18 months. I tend to focus a lot on people, and now more than ever, you have an opportunity to gain support for your efforts by including the human condition in your upcoming difficult work.
Return to the office
As employees begin to return to the office, companies will face unprecedented cybersecurity risks. Laptops have been on a number of untrusted and potentially hostile networks in people’s homes, and parents who took on the role of employee/parent/babysitter/teacher perhaps had to download unauthorized software, apps and games onto their computers in order to keep their home life moving.
At the same time, many companies were forced to change their security practices last year as they attempted to create a plan for remote work with only a few days’ notice. IT teams moved fast, and permissions were modified to ensure everyone who needed remote access to various systems had it. As time went on, systems may not have been patched because it couldn’t be done remotely or because IT teams were so wrapped up in solving remote work issues that they didn’t have time for regular maintenance.
Now, these laptops with unauthorized applications and outdated systems are reentering your internal networks with perhaps little or no network separation. And while your wilted security posture posed a risk when people were working from home, that risk is exponentially higher when all the devices on your network are connected to one another. So the next three to six months will put companies large and small at a higher risk of breach.
To bring everyone back to the office safely, companies need to create a plan for securing their networks and increasing their security posture. Because software can be installed at the user level and you may have a significant amount of patching to do, you’ll likely need to move in stages. But if you have a plan day one, you’ll be well-positioned for success.
Though there are a number of considerations for creating your “return to office cybersecurity clean-up plan”, it should, at a minimum, include the following.
Patch and update all software
Many cyberattacks today occur when vulnerabilities are found and exploited in programs like Microsoft Office and Chrome. And once a breached laptop is on your network and connected to other devices in your office, hackers can very quickly move through your environment.
Many IT departments lost the ability to install upgrades and patch systems when their employees began working remotely. It’s also likely that companies haven’t installed the necessary upgrades over the last 18 months as these updates can change system interfaces and people were experiencing enough change as it was.
Even with a more proactive stance, the nature of remote work makes it more difficult for IT to keep a close watch on how systems are operating. Emails with instructions on how to upgrade systems or help desk requests may have gotten buried, lost or forgotten. And when things did break and employees were able to connect with IT, conversations via email or over the phone may not have been as effective as when IT could walk over to an employee’s desk and resolve the issue in person.
All of this means your systems likely have a lot of holes or bad practices that need to be fixed one at a time. While patching won’t stop an attacker in every instance, missing patches only makes things easier for them, so it’s well worth the investment.
Install antivirus software on all devices
Much like applications that haven’t been maintained, it’s possible that the antivirus software on employees’ computers hasn’t been updated since they were last in the office. That could be because their home network was blocking updates, or your antivirus software doesn’t work outside of your network. Before COVID, did you have a process to check and correct your security tools? Now’s the time to run that process because it may have been difficult for IT to stay on top of updates and fix bugs over the last 18 months much like with your other systems. So, it’s a good idea to check the status of your antivirus software and make sure it’s running and up to date on all devices.
That being said, antivirus software doesn’t provide the protection that it once did. As systems became more interconnected and the threat landscape became more complex, antivirus software has become the lowest common denominator for security. Today, companies really need endpoint detection and response (EDR) capabilities to identify and remove threats that have gotten through. As you update your antivirus software and analyze the state of your security, this is a great time to consider upgrading to a more robust option like EDR. These solutions typically have better (although not great) detection capabilities, and they enable a swift response when threats are found. Of course, your best option is to partner with an MSSP to manage your security for you.
Run scans and remove unauthorized software
Because people needed to quickly adjust to remote work and schooling, many company laptops have been used for work, schooling and entertainment. School applications and games may have been downloaded onto parents’ computers as they scrambled to adjust to kids being home 24x7. Early on, there were also many stories about companies that had to allow personal laptops access to corporate data because they didn’t have, and then couldn’t acquire, mobile computers fast enough. With so many programs now on your company laptops or personal computers being used as corporate systems, you need to aggressively search for and remove any unauthorized software and hardware.
These unauthorized programs can cause a variety of risks to your organization. For starters, if employees downloaded unlicensed software onto your systems, you may be liable for the illegal downloads. Even worse, you can’t control the damage of those attacks unless you patch holes in every app. And IT can’t patch applications they don’t know about or patch systems they don’t have their administrative tools on.
Beyond cyberattacks and legal entanglements, having unauthorized applications on a laptop can cause computers to run slowly or cause conflicts with other applications, which means IT is going to have their hands full with requests to run diagnostic tests and improve speeds. It could also mean that your IT desk is supporting systems you don’t even own or wouldn’t normally support.
To save time, money and frustration, it’s best to run in-depth scans of laptops as they come into the office and remove any unnecessary and unauthorized programs. Better yet, start this process before the laptops or computers are brought back into your buildings.
Consider investing in Zero Trust network access
Cybersecurity is changing at a rapid pace and the COVID-19 pandemic revealed many vulnerabilities that are probably here to stay. At the start of the pandemic, some companies moved to a Zero Trust security model, which is based on a strict identity and hardware verification (and authorization) to create a more secure environment. It essentially sets a minimum standard of security or verification of not only the person, but the hardware they are using. Additionally, it will limit their access to only the computers and interfaces they require to do their work.
Setting up a Zero Trust model takes time, and you’ll need to enlist the help of cybersecurity experts to implement it. It’s not something you can “turn on” before heading back to the office, but now is a good time to get the ball rolling.
While Zero Trust might sound like a big endeavor that’s only necessary for large corporations, even small businesses can benefit from it and may even need it to avoid a devastating attack. That’s because hackers don’t discriminate, and advanced security measures are no longer reserved for Fortune 500 companies protecting large amounts of valuable data. Hackers are using the same techniques to infiltrate organizations large and small. Long gone are the days of being able to hide on the Internet because you were a smaller organization. And with the rise of ransomware attacks on small businesses, the damage can be equally catastrophic whether you’re a large bank or a small retail shop.
Zero Trust is a modern defense architecture that protects your people and your business from very real threats. If you haven’t adopted Zero Trust yet, now is the time to take action.
Open the lines of communication with your staff
Your employees are ultimately your biggest vulnerability when it comes to network security. Not because they are ignorant, but because all humans are fallible (especially when the world around them has changed nearly every aspect of their life). Everyone is coming off a stressful year and heading back to the office, which comes with its own anxieties. So it’s important to reeducate your employees on security best practices in a frictionless way. Lives will be busy and stressful managing education, daycare, and “normal” life again. Ignoring these stressors when re-educating your staff will result in failed efforts, or worse yet cause, friction with IT or Information Security.
Some people will still need to use their laptops occasionally for their child’s schoolwork and many have grown accustomed to using their company laptop for personal use. So find ways to articulate security risks in a way that removes blame from the employees and gets them to buy into your secure practices. Rather than saying “here are the rules, follow them,” listen to their problems and work with them to find solutions that allow them to do their jobs in a safe way. Open the lines of communication and position IT as a resource, not the strict enforcer of an endless list of rules. Now is the best time to humanize your security team and be seen as a resource instead of a restriction.
Get a partner to do the work for you
Updating systems for the return to office and shifting to a Zero Trust architecture are not small tasks. And at small or mid-sized businesses, IT is often forced to take on security tasks that should ideally be handled by a cybersecurity professional. If you haven’t yet engaged with an MSSP, now is the time to do it. Not only will your security partner help you prepare for your return to the office, but they can actively hunt for threats and monitor your system in the coming months when you’re most vulnerable.
Malware can lie dormant for months, so an initial sweep might not catch everything lurking on employees’ devices. Having a partner that continuously monitors your equipment long-term increases the odds that an attack from a dormant attacker will be caught and taken care of in a timely manner.
Security experts can also more accurately assess your specific risks and recommend tools or processes relevant to your needs. With more than 3,500 security vendors, your IT team doesn’t have the time to vet each one and build a tech stack that provides adequate coverage. Security providers like SolCyber, on the other hand, are immersed in the technology every day, and can provide better recommendations to ensure you get the minimum effective dose, so you’re not overpaying for security you don’t need. So, if there’s ever been a time to dedicate resources to increasing your security posture, the return to office is it.
Scot Hutton is a retired Marine and current IT executive that puts people first. He leads the information security program for a 20+ billion-dollar real estate firm. He specializes in creating a better human experience and safe working environments with security controls that don’t limit human potential by focusing on “Security that Matters.”
- Should I make my employees return to the office to improve cybersecurity? As a general rule, making your employees return to the office won’t necessarily improve cybersecurity. While there are cybersecurity risks that come with remote work, good planning, education, technology, and processes can definitely help mitigate these risks.
- Will a return to the office reduce my company’s risk of a data breach? To an extent, returning to the office might reduce your company's risk of a data breach -- because activity is kept in a localized area. However, it's important to keep in mind that data breaches can (and do) happen even when everyone is in the office and if employees bring work devices home, the risk remains the same.
- Are employees more or less at risk for cyber attacks if they return to the office? Cybersecurity-wise, there might be risk mitigation measures you want to put in place to ensure any potential bad security habits employees have acquired working remotely are now addressed.
- How can I make a return to the office more cyber secure? Some of the things you can do to make returning to the office more cyber secure include:
- Ensuring you're accounting for all devices connected to your network and access your cloud environments
- Conducting cybersecurity awareness trainings for employees
- Scanning and updating work devices (such as laptops, computers, etc.)
- Testing and updating your security infrastructure
- Make sure you meet all security compliance standards
- How can I make employees using personal devices more secure if they return to the office? Establishing a clear BYOD (Bring Your Own Device) policy is key to making sure employees using personal devices keep the business data secure. Some of the essential things you should do when you create a BYOD policy include (but are not limited to):
- Getting employer buy-in
- Getting stakeholder buy-in
- Establishing which apps and tools can be accessed from the devices
- Establishing minimum security control for devices
- Getting SSL certifications for device authentication