Jim Guckin

I have been having some discussions with some friends, about some of their organizations making the switch from remote work, to either hybrid or full return to office life. In those discussions, I’ve noticed a pattern that not all information technology or information security units are fully thinking through that process…or maybe not focusing on it as a whole. So it got me thinking, and I figured I’d add some criteria you should consider as users come back into the office on a part or full-time basis.

In fact, with so many people returning to the office and potentially accessing sensitive information on your organization’s network, it’s more important than ever to ensure that proper security measures are in place. Either fully remote or fully in-the-office work can be thought of as a “fortress” approach to security, with the primary point of access being through the employee’s personal or organizational computer. In contrast, returning to the office increases the attack surface, with multiple devices and network access points potentially vulnerable to cyber threats. It is essential for all employees to take responsibility for maintaining the security of the company’s network, to ensure that the “castle” is protected against potential cyber attacks. This includes implementing best practices such as using strong passwords, regular software updates and being vigilant against phishing attempts.

Think about your organization, how many employees were hired and have never been to the office, or even longtime employees who might have forgotten about all the security measures in place in an office environment. So if your organization is making the consideration, why don’t you think about some of the areas below?

1. Accidental Insider Threats
   As information security practitioners we tend to always be aware of insider threats, but not all insider threats are purposeful or malicious…. Sometimes it’s just an accident.  Sometimes an employee might accidentally overshare a document, because now they are using more locked down tools.  Now they should have been using them all along, but human nature generally takes the easiest way.
   
2. Asset Management
   I am not just talking in this case about hardware inventory, I’m also talking about software inventory.  Knowing what equipment should be on your network is necessary that most organizations should know at least.  Yet, software is another vulnerability on your network.  Some organizations aren’t as strict with making sure only approved software is installed…in that case make sure all software is up to date to minimize network threats.
   
3. Least Privilege
   At this point, you should already have thought about this…but if not, now is the time.  It’s called many different things (least privilege, zero trust or limited access), they all mean the same basic security theory.  While users were at home, there may have been VPN restricting them to certain profiles that only gave them some network access, but in the office that may not be there.
   
4. MFA
   While you may have implemented this during the pandemic, does not mean that it stops when people come into the office.  If you have relaxed password policies when everyone was working from home, time to rotate those passwords and make sure MFA is enforced for all users, even in the office. If you keep it a habit they’re more likely to keep it up.
   
5. Physical Operational Security
   When your users were home, we didn’t need to worry as much that someone would stumble across sensitive data, but now we’re back in the office you may need to remind people to not keep documents on their desk that you may not others to see.  Make sure they follow the clean desk doctrine and keep their physical badges on them and not allow others to use them.
   
6. Clean Up Data
   When people were working from home, they may have made their own locations for documents, like a personal SharePoint or home drive. Depending on your backup structure, you may not take the same level of precautions to recover that data.  Just like we mentioned with assets, any data that is important should be transferred to the appropriate location where it’s properly cared for…and maybe save space by deduplicating data.

As I am writing this, I know it’s not an exhaustive list, there are probably things that I have forgotten. If you think there is something missing from this list, please let me know in the comments below and maybe together we can grow this list to help people think about what happens when you bring employees back into the office and keep everything as safe as possible.