Now what? Cybersecurity concerns arise as workers return to the office

After rushing to send employees and equipment home and quickly establishing new ways of working remotely on the fly, the return to work offers the opportunity for a more measured approach by CIOs and IT teams. The reality is, not everyone will return to work in their offices, meaning distributed teams will be a reality for quite some time to come. 

For those returning to corporate offices, there will be an understandable amount of anxiety about personal health, proper social distancing, and for IT teams, the health of the corporate network and devices. Change will seem overwhelming requiring employers to over communicate about new polices, restrictions, and requirements for a healthy workplace. 

Even as a cybersecurity company, Secure Cyber Defense has had to work through our own transition plans and policies as we return to our offices. With network security a top priority for ourselves and our clients, we’ve had to walk through every detail of what “back to work” looks like to be able to provide guidance and reassure IT teams trying to figure out their own transition plans. Through our brainstorming with our partner Fortinet, and following NIST and CISA guidance, we’ve come up with the following guidelines and considerations for CIOs and IT teams putting together their own “back to work” transition plans to ensure network security. Here are some of the IT and network security guidelines we see as vital for every company starting to move employees back into their corporate offices:

Hardware and Software Considerations

  • Use a phased approach for returning to work by hosting device clean-up/patching days. Rather than overwhelming IT teams set up rolling dates for employees to bring their devices into the office to be checked for updates and potential threats. These rolling dates will also serve as a way to communicate new policies and procedures, so employees are prepared when they return to the office. 
  • Sanitize work computers and devices with appropriate cleaners to ensure they are virus free. Develop a designating “staging area” at the office entrance where employees can sanitize devices they are bringing from home.
  • Inventory all devices. In the rush to move to remote work, company equipment such as extra monitors, web cams, wireless keyboard and secure routers may not have been properly inventoried. Be sure to involve employees in tracking down all company equipment and devices.
  • Mandate password changes. In the event an employee was the victim of a phishing scam, mandate password changes for all devices and access to company networks. This also includes your third-party suppliers. 
  • Update all stranded machines at the office with the latest security patches. Some employees may not have had the opportunity to take their office computer home, meaning the equipment left behind may not have been scanned, updated or patched. Take time to inventory all stranded computers and devices and prioritize their updates. 
  • Do not allow personal devices to be used in the office, transfer all data to a company managed device. Personal devices, not part of your managed network of devices cannot be brought back on the corporate network as a precaution for possible malware that could be used by cybercriminals to access corporate networks.
  • Scan all computers and mobile devices for unauthorized apps and software. Employees had to take matters into their own hands to find productive ways to work remotely. Some of the approaches employees used involved adding apps and programs to their computers and mobile devices. To ensure network security, these apps and programs must be validated by corporate IT or removed before allowing access to corporate networks. 
  • Run endpoint detection scans on all returning devices not utilizing corporate cybersecurity software protection during remote working time. Endpoint devices are often the focus of cybercriminals so it is very important for IT teams conduct endpoint scans of all corporate and personal employee devices that will be brought back on to the corporate network. 
  • Provide updated security guidelines for all third-party suppliers regarding supported and non-supported computers, laptops and devices that can access your corporate systems. Just like your own employees, third-party suppliers who regularly access networks and corporate data systems should adhere to the return to work mandates you are putting into place.
  • Use of USB and personal storage devices should not be allowed on corporate computers and systems, files should be transferred to a corporate computer then scanned for evidence of malware. The security of USBs and personal storage devices have been called into question in the past, so allowing them to be used on corporate computers must not be allowed. 

Employee Input

  • Plan for a mix of remote an in-office employees and ways in which they will communicate and collaborate on projects. Working remotely has taught a number of lessons on how to effectively communicate with remote teams. For the foreseeable future, teams will need to take the lessons they learned to formalize ways to collaborate with remote colleagues. 
  • Review successful implementation processes for remote workers. No one knows if there will be another mandated shelter in place requirement. Because of the uncertain future, IT teams have the opportunity to formalize new remote working plans and procedures. Understanding the needs of remote workers will allow IT teams to develop the equipment and support needs for various levels of employees. 

We understand there wasn’t a blueprint for moving so many people to remote work, just like there isn’t a blueprint for moving large numbers of employees back. Our goal is to provide guidance to help IT teams, employers and employees make a sensible and comfortable transition back to their offices. The team at Secure Cyber Defense stands ready to help