How to Avoid Return-to-Work Security Risks
After a forced retreat to semi-permanent work-from-home status, many executives are now considering calling back their workers into the office. There are no doubt health risks that have to be taken into account when mapping out what this return-to-work process looks like.
However, there’s a bigger liability hiding in the shadows, nearly invisible to the return-to-work plans at the forefront of most executives’ minds. It’s the silent killer that has the potential to take your company down for good.
This disaster waiting to happen? Not addressing security issues.
It became common knowledge that cybersecurity needed to be prioritized during the lockdown, especially with phishing scams on the rise and problems with popular video sharing app Zoom plaguing users.
But what many executives don’t realize is that returning to full-time office life presents major security issues of its own. Bringing staff back is dangerous without making appropriate updates, upgrades, and policy changes.
Companies must step up to the challenges of the time, setting up processes and procedures that cover both work-from-home scenarios and working-from-the-office norms. After all, company hardware has been off-network and personal hardware may be storing company (and client) data. And there’s a good chance this will continue, with the new norm most likely trending towards a mix of work-from-home and work-from-the-office.
To help you understand the security implications of moving your workforce from home back to the office, we’re covering the critical areas you need to know to address every angle of risk. This will help you maintain safety in the areas you can’t see that strongly affect your business success.
The Return-to-Work Security Checklist
There are three areas you need to consider when addressing the risks of returning your team to a physical office location. Once these areas are implemented in full, there should be nothing standing in your way to return to a normal way of operating, albeit slowly.
1 – Policies & Procedures
During the rush to move all employees to work-from-home status, perhaps you taped together a plan for operations, bypassing existing measures in order to maintain productivity.
If this sounds familiar, you’re not alone.
But the quick fixes and Band-Aids employed in the fast-paced move to a work-from-home setup now must be reevaluated in light of returning to work. Even if you eventually created remote work policies and procedures, they won’t cover the new cybersecurity issues you’ll face for returning to work.
Either way, now is your opportunity to kill two birds with one stone: Combine work-from-home and return-to-work guidance into one policy and procedures standard.
The return-to-work portion should include:
- Creating a cadence to aggregate and analyze return-to-work information.
- Performing a risk assessment and a gap analysis for each facility.
- Executing a safety plan based on risk assessment and mitigation.
- Establishing communication protocols.
- Evaluating cyber hardening policies.
- Incorporating business continuity planning and compliance issues.
In addition to these, your policies and procedures should cover two other critical areas: password resets and new employee onboarding and training.
The reality is, your employees may have fallen into bad cybersecurity habits during their work-from-home stints without realizing it. This includes the possibility they’ve shared their laptops and passwords with family and friends. They may have re-used the same passwords when downloading software or setting up devices at home, too.
You must make it clear in your policies and procedures that passwords for all company devices and software must be reset before returning to a physical work location.
If you’ve hired and trained new employees during the work-from-home exodus, you must provide training about how office life works when it comes to cybersecurity. This will be different in most ways from how you’ve trained them to work from home. Include company security policies pertinent to working in the office in your policies and procedures. And make sure you emphasize this portion to new hires entering your physical location for the first time.
2 – Rogue Devices and Software
Hardware and software can be a security blind spot when returning to work. It will be essential to update operating systems and software, as well as complete an inventory of personal and corporate devices being brought back into the workplace.
Steps you should take to do this include:
- Run a scan on your network to identify new, unknown devices.
- Train employees to avoid using personal devices at the office when possible.
- Enforce device control to block unauthorized USB and other peripheral devices.
- Revoke unnecessary software licenses and transition staff back to using resources provided on-site.
By taking these actions, you’ll ensure the safety of your company information, employee information, and client information when returning to work.
There’s a good possibility that your team has inadvertently welcomed viruses and other software risks onto their work and personal devices while working from home. There was no way to prevent this from happening, but there is a way you can stop these malicious bugs from infecting the rest of your software and devices.
Create a thoughtful plan for testing machines, identifying patch requirements, and updating the devices before an employee sets foot in the office. This will significantly decrease the risk of infecting your entire network and other devices with a virus from just one.
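One way to carry out the network scan and the pre-return patch check described above is to reconcile the devices seen on the office network against the asset inventory. This is an added example, not part of the original article; the inventory columns (`mac`, `owner`, `last_patched`), the 30-day patch window, and all sample data are assumptions constructed for illustration.

```python
import csv
import io
import re
from datetime import date

# Constructed sample in the format printed by `ip neigh show` on a Linux host.
NEIGH_SAMPLE = """\
10.0.5.11 dev eth0 lladdr 3C:52:82:11:22:33 REACHABLE
10.0.5.12 dev eth0 lladdr 3c:52:82:44:55:66 STALE
10.0.5.40 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
10.0.5.77 dev eth0  FAILED
"""

# Constructed sample inventory; the column names are assumptions.
INVENTORY_CSV = """\
mac,owner,last_patched
3c:52:82:11:22:33,alice,2020-06-20
3c:52:82:44:55:66,bob,2020-02-14
"""

NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9A-Fa-f:]{17})\b")

def load_inventory(text):
    """Map lower-cased MAC address -> (owner, date of last patch)."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["mac"].lower(): (r["owner"], date.fromisoformat(r["last_patched"]))
            for r in rows}

def reconcile(neigh_text, inventory, today, max_patch_age_days=30):
    """Split devices seen on the network into unknown and overdue for patching."""
    unknown, stale = [], []
    for line in neigh_text.splitlines():
        m = NEIGH_RE.match(line)
        if not m:  # FAILED/INCOMPLETE entries carry no MAC address; skip them
            continue
        ip, mac = m.group(1), m.group(2).lower()
        if mac not in inventory:
            unknown.append((ip, mac))
            continue
        owner, patched = inventory[mac]
        age = (today - patched).days
        if age > max_patch_age_days:
            stale.append((ip, owner, age))
    return {"unknown": unknown, "stale": stale}

if __name__ == "__main__":
    report = reconcile(NEIGH_SAMPLE, load_inventory(INVENTORY_CSV), date(2020, 7, 1))
    for ip, mac in report["unknown"]:
        print(f"UNKNOWN  {ip} {mac}: not in inventory")
    for ip, owner, age in report["stale"]:
        print(f"OVERDUE  {ip} ({owner}): last patched {age} days ago")
```

The neighbour table only lists hosts on the same network segment that the scanning machine has recently exchanged traffic with, so for a whole facility the same reconciliation is better fed from DHCP leases or switch address tables.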
3 – Facilities & Team
You may be overwhelmed with the changes that have to be made and the monitoring that has to be done before an employee sets foot back into your physical office location again. Thus, this third step in lowering security risks: Determining which facilities and teams will come back to work first.
Making sure all cybersecurity risks are handled individually is easier when there is a slow trickle of returning workers. Allowing all employees to come back at the same time will likely overwhelm your IT department, increasing the risk of a cybersecurity breach or an accidentally harmful action by an employee who hasn’t received policies and procedures training yet.
Limiting what facilities and team members return to work first will ease the burden and decrease liability for security issues. You should plan accordingly.
Conclusion: A Roadmap for Managing Rapid Change
There’s no doubt change has been – and will continue to be – rapid and substantial in 2020 when it comes to work environments. One thing remains the same, though: the need to maintain the security of information online and keep everyone involved safe from cybersecurity threats.
Your best course of action in order to remain in control when environments change rapidly is having a plan in place. Use the lessons from the beginning of this year to inform the creation of a roadmap for work-from-home and work-from-the-office. The latter is most likely here to stay, so you’ll need a plan for it that works now and is scalable for the future.
Note: A privacy roadmap is a living document, not to be created at one point in time and used for the entire future of your company. Seismic shifts have taken place in the last 12 months with regard to privacy legislation, team working environments, and technology. When change is the only constant, you need a privacy plan that is scalable and flexible.
Having a plan can help your business manage future crises in the least amount of time, effort, and expense… and with the least amount of pain.
Most importantly, invite your employees into the plan. Give them clear, transparent communication about the information you have, the information you don’t, and what you’ll do as a company to lower cybersecurity risks for them.
Red Clover Advisors has been a strategic partner in creating work-from-home and workplace policies and procedures for companies across the country. We help you create a comprehensive plan covering cybersecurity, privacy regulations, and data protection unique to your company and team. To get started with your own roadmap, reach out to set up a free consultation with our experts today.
Disclaimer: Red Clover Advisors does not provide legal advice. The information within this article is meant to offer sound business advice. Businesses should seek final legal direction from counsel before publishing any policies and procedures.