IT security’s “back to the office” plan

A cybersecurity checklist for returning to the workplace.

Sooner or later, most organizations will have to think about postpandemic work routines. Although many companies, still staggering from pandemic effects, have yet to make their final decisions about handling new workplace realities, even a partial return to the office requires certain measures from IT and IT security teams.

Switching to working from home was difficult, but oddly enough, returning to the office may be just as tricky. Organizations will have to roll back some changes, which can entail as much work as deploying them did. They will also need to recheck internal service security and meet employee needs for the software they got used to during lockdown. To help stressed IT security managers prioritize, we put together some cybersecurity action items for businesses.

1. Keep work-from-home cybersecurity workarounds

To maintain the security of corporate endpoints while employees were working from home, many companies introduced additional protection measures such as security checks and centralized patch management of remote computers, adding or expanding VPN access, and offering dedicated awareness training. Detection and response agents on endpoints played important roles identifying and closing network perimeter gaps.

Whether your workforce is returning from home to office or simply travels a bunch, using VPN, EDR, and intrusion detection systems on endpoints will ensure their safe return to on-site work.

2. Restore any security controls you disabled for remote workers

To allow remote employees to connect to the corporate network, especially from personal devices, some organizations weakened or disabled cybersecurity controls such as Network Admission Control (NAC). NAC checks computers for compliance with corporate security requirements such as up-to-date malware protection before granting access to the corporate network.

When employees return to the office and connect to the corporate network, NAC should be turned on to protect the internal systems in case the machines pose any risks. But since computers have been remote for about 18 months, they could have missed some updates. This means that enabling NAC for dozens or even hundreds of such machines can cause many errors. As a result, switching the service on could turn into a step-by-step, fine-tuning process for small groups of staff.

Organizations need to anticipate such issues and have a plan that includes resources, deadlines, bug fixes, and maybe even help from IT integrators.

3. Update internal systems

Don’t forget to check internal critical services. If there are any unpatched servers in the building, the IT security team needs to know about them before letting anyone in.

When we were all sitting at office desktops, our computers were constantly connected to the corporate network and were under 24/7 protection and policy control. Accordingly, the risks of an exploit penetrating the network from a PC and compromising a vulnerable server were lower.

With everyone returning to the office and connecting their laptops to the corporate network at once, just one unpatched domain controller can provide broad access to, for example, employee account data and passwords.  A vigilant IT security team should detect the problem in time and head off serious trouble, but that still leaves the extra work of reorganizing the network and changing all passwords.

4. Get ready to save — and also to pay

Bringing employees back to the office will save employers some money. For example, at Kaspersky we increased the number of VPN tunnels from 1,000 to more than 5,000 to enable most of our staff to work from home. It is likely that we will cut this cost as our team returns to the office.

Similarly, companies can reduce the number of subscription-based cloud solutions such as Slack or Microsoft Teams. With staff in the office, companies will not need as many cloud licenses, and they may be able to bring some services back as local resources. The same strategy applies to electronic signature apps, necessary during lockdown but replaceable (or scalable) with a return to traditional document signature processes.

Consider spending those freed-up budgets on organizing digital workstations such that employees can split their weeks between the office and elsewhere. The concept is not new, but the pandemic has made it more common, as Gartner notes. From virtual desktop infrastructure (VDI) to desktop as a service (DaaS), remote-work technologies can essentially move workspaces to the cloud, making them accessible from any connected device — and virtual desktops are much easier to deploy, manage, fix, and protect than remote computers.

5. Save the tools and settings employees were using remotely

Working remotely, employees mastered new communication and collaboration tools — for chats, videoconferencing, planning, CRM, and more. If those tools worked at all well, employees will want to continue using them. Thanks to their pandemic experience, 74% of our survey respondents said they want more flexible and comfortable working conditions.

Banning such innovations may not be wise. It could provoke the growth of a sort-of shadow IT, staff members using apps without IT approval. Companies should be prepared either to approve new services or to suggest, and defend, alternatives. Dedicated solutions can help organizations manage access to cloud services — using dedicated cloud discovery features in a security solution or cloud access security brokers — and enforce associated security policies.

IT security should be a business enabler, not a barrier. Ignoring a massive behavioral change can damage an employee’s view of the company, whereas allowing flexible working and services that are convenient for workers can do just the opposite. That applies to future candidates and staff as well. We saw that happen with Apple, where some employees wrote an open letter asking Tim Cook and executives to “consider remote and location-flexible work decisions to be as autonomous for a team to decide as hiring decisions are.”

The pandemic and global transitions to remote work represented force majeure challenges for companies and their IT departments. Despite the difficulties, this experience is invaluable and provides a crucial lesson for the future.

One of the pandemic’s most important takeaways is how quickly businesses can change. Having learned so much from the experience, IT security should offer options and support ongoing flexibility. A smart and safe return to office work in any form can help companies stay on top of this trend and make the most of their business processes.