Organizations need to safely return devices and transition people back into the workplace post-COVID-19. What does that mean?
As of this writing, all 50 states have allowed some sort of re-opening efforts. For some, the stay-at-home orders have been totally lifted, and for the rest, it is expected changes will happen within the next few weeks. While some organizations continue to encourage employees to work from home, others are requiring their employees to return to the workplace. This return requires its own unique security planning.
The Transition from Work to Home to Work
For most companies, the shift to respond to COVID-19 was fast, unplanned and reactive by necessity. Security and IT teams by and large did a commendable job at making the adjustment and, so far, there have been no major or high-profile security incidents related to remote work (this, of course, could change). In response to the WFH shift, many organizations have now designed an effective model to support employees working from home, driven by IT and security operations, said David Faraone, director at the Crypsis Group.
“However,” he noted, “as organizations transition their workforces back to the office, cybersecurity and privacy controls should be reevaluated with a discerning eye, especially at the device or endpoint level.”
Returning to work reintroduces devices into the corporate network that have lived outside the perimeter for months, and one of the biggest security concerns is who else had access to devices at home. As Hank Schless, senior manager, security solutions at Lookout, pointed out, family members might have used the phone, tablet or laptop for personal use and unknowingly infected it with malware. “Since all of these devices have the same access to corporate data and infrastructure, there is equal concern if they are compromised,” he said. “It’s important for security and IT teams to have visibility into devices and be able to block access to corporate data if anything malicious is found on the device.”
Plan for the Device Return
The need to set up remote work happened swiftly and with little warning. Now, companies know there will be a return to the workplace and can plan for it. Organizations without a plan are going to experience as painful a transition back into the office as they had transitioning out, said Barbara Rembiesa, president and CEO of the International Association of Information Technology Asset Managers (IAITAM).
Risks are high when associated with device assets and the data they contain. Combined with the heightened probability of personal information being stored on these devices—WFH often means employees and others use the device for personal reasons regardless of internal policy—and you have a greater threat of a serious security incident.
“In essence, security risks exist when data moves,” she said. “The massive influx of devices, end users and data inherently pose security risks.”
To mitigate that risk, you want to have a plan in place on how to safely return people and devices back into the workplace. In a formal release, IAITAM suggested taking the following steps:
- Identify all new device assets now. Knowing what an organization has in its environment is the first step in any asset management program. If things moved rapidly or even chaotically within the company or agency to transition to work from home, now is an opportunity to double back and ensure that the details are gathered.
- Track all device assets. While work-from-home orders implied “home,” not every worker stayed home. Some chose to be with family, while others decided to visit friends or travel. This means the device has also made the trip. However, not every organization planned or accounted for that aspect in terms of security, possible use of the devices by third parties, etc.
- Ensure remote users understand the transition process. Organizations need to have a re-entry plan for these remote assets. Ensuring that users know how remote assets will be collected and processed will go a long way to streamlining the transition back into the office.
- Plan for how to deal with excess hardware. Redundancy in assets was necessary when working from home, but after coming back into the office, that employee will no longer need a laptop for home and a computer at work. Will those assets be stored for future remote work? Will they be resold? Donated to charity? These devices will need to be properly wiped clean to prevent potential data breaches by future users.
When and how employees return to the workplace requires strategic planning. Employee health and well-being should be the No. 1 driver. But when that return does happen, organizations should also have a plan in place for their cybersecurity and privacy safeguards and scale their needs as required to support that ramp-up plan.