Returning to the Workplace — Cybersecurity Concerns Post-COVID-19
In a recent meeting of my executive colleagues, one of our members asked what our plans were for the “return.” When would we be returning to work as normal and what would that look like?
There were lots of animated discussions, but it finally coalesced into three paradigms. First, there are companies that will return to a primarily on-site workforce. Second, there are companies that are abandoning their physical offices for an entirely remote workforce. Third are the companies in between. We all agreed that it was this third group that is likely to dominate the business landscape. As my firm, Aldrich Technology, provides technology advisory services to business, we are indeed seeing this trend emerging with our clients.
Office life will find a new normal, but that reality will require flexible and strategic leaders along with new practices and new thinking around technology.
Reinventing Office Space
Think of the new work environment. You have colleagues in the office, on the shop floor and working from home. Home for some of those people may be in different time zones and even different countries.
- What new practice will be invented to replace the casual “water cooler” or “break room” chance conversations?
- How will we coordinate tightly with people we may never meet in person?
- How as leaders will we manage people when we can’t see what they are doing? How do we mentor and grow new leaders?
These are big questions, and they require well-reasoned debate and answers. Let’s explore how technology can contribute to this conversation.
The Role of Technology
The fundamental purpose of technology is three-fold:
- Improve Productivity
- Enable New Capabilities
- Mitigate Risk
Technology is, at its core, a medium and means of communication. It opens lines of communication that were not possible before, and with that comes some peril. Misunderstandings in face-to-face conversations occur, but they are usually minor. Move the same conversation to a medium like email or video conferencing and a misunderstanding can become monumental. That calls for new practices around how technology is used.
Before we invent new practices, we must examine and understand what we are trying to accomplish so the application of technology has a purpose. Technology for technology’s sake is a waste of time and money for business leaders.
A New Normal in Office Technology
Specific technologies have already started to become obsolete. The desk phone is finally dead in many industries. The demands on mobility increased and that caused other tools to become ubiquitous. The needs of the COVID-19 world pushed many companies to route calls to mobile phones or adopt softphone technology, combining the computer and phone into one managed device. At the same time, virtual meetings and teleconferences are the new business norm to connect people.
Together, those technologies introduced new efficiencies. Cameras, headsets and microphones will become the new standard in business operations. Still, that reality presents a new concern: how secure is your conversation? How secure is your data?
WFH and Compromised Security
With the nearly instant shift from Work-From-Office (WFO) staff to Work-From-Home (WFH) staff, IT departments did whatever had to be done. Security was secondary to enabling the workforce and the business, and in many companies IT compromised security to get employees up and running.
Productivity is priority number one. Security is 1.1. Everything else is secondary.
Those compromises must now be addressed in earnest, and in a way that still enables people to effectively Work from Anywhere.
Smart Security Measures
Rethink how your services, applications, and systems are accessed from networks you do not control (home networks, for example). An organization cannot realistically take responsibility for individual home networks, but the need for a strong security posture still stands. The more enduring approach is to design your systems on the assumption that access will come from many networks, including untrusted ones, so that each request is authenticated and authorized by user and device rather than by the network it arrives from. This requires strategic thinking and a sound fundamental understanding of business technology.
For instance, how are you going to deal with the corporate data that people downloaded to their home computers once they return to the office? The data is still there and it should be removed, and on an unmanaged personal machine you have no way to verify that it was. Inventory what was taken home and, where you can, move that data back onto managed devices or into storage where access can be revoked centrally.
When you connect an employee’s home network to your corporate network via VPN, you have extended the corporate network to a device and a network you do not manage; the corporate security standard is now the standard of that home network. Is this what you intended? If not, restrict VPN access to managed devices, and limit what the tunnel can reach to the applications that person’s role actually needs.
Before relocating staff or making other staff changes you may want to consider implementing new security measures.
Securing Your Organization
The number, sophistication, and complexity of threats increase every year. It is extremely difficult for any internal IT department to stay on top of current threats; most security programs are battling last year’s threats. To turn this around you need to be proactive: look at how attacks actually succeed and mitigate the fundamental weaknesses they rely on. It is not enough to put our fingers in the dike; we must address the root weakness.
Often this means accepting that you cannot secure an IT environment that is poorly designed or where people’s practices are inherently vulnerable. Effective security is built from the ground up, and when done properly it improves productivity too.
Education + Training
People are both the source of the problem and the source of the solution. Most attacks target human beings and exploit their weak security practices.
People’s personal security practices are inextricably intertwined with corporate security practices. It’s not possible to secure the corporate network and ignore people’s practices.
A continuous program to help people understand, recognize, and appropriately respond to threats is paramount. Can your people recognize and react to an email from the “CEO” asking that a payment to a vendor be processed immediately? What is your process for approving payments, and does it require confirmation through a channel other than the email that made the request? What if the “CEO” asked for employee records instead? Would those have been divulged? Sadly, many times they are.
Does your staff readily reach out to IT for help? When people spot what may be a problem, is your corporate culture a safe environment for them to immediately loop in IT? Most of the time people report events that turn out to be nothing, and that has to be OK, because every once in a while they will report an event that is the real deal.
Basic Administration
Updating all operating systems is an effective and simple place to begin. Systems are frequently out of date, and every missing patch is a publicly known vulnerability. In April 2020, Microsoft published fixes for 113 security vulnerabilities, many of which also affect Windows 7. Windows 7 reached end of support in January 2020, so machines without paid Extended Security Updates do not receive those fixes. Given that about 26% of the computers in the world still ran Windows 7 at the time, most of them in people’s homes according to NetMarketShare, those are 113 documented weaknesses that will never be patched on those machines. Any home computer used for work should be running a supported operating system with automatic updates turned on.
When people join your organization, you create user accounts for them. How do you decide who should have access to what? Do you have defined roles, responsibilities, and access, so that a new hire’s entitlements follow from the role rather than from whatever the last person in that seat happened to have?
When people leave your organization, or change roles, do you remove their access and retire their accounts? How do you manage their old data? Periodically compare your HR roster against your directory so that leavers, movers, and orphaned accounts are caught rather than assumed.
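The joiner/mover/leaver questions above come down to one recurring comparison: what HR says a person is, versus what the directory says their account can do. The following is an added example, not code from the original article or from Aldrich Technology. The HR roster, role entitlements and directory export are constructed sample data; a real job would read them from HR and identity-provider exports, and the 90-day staleness threshold is an assumed policy value.

```python
"""Joiner/mover/leaver check: reconcile an HR roster against directory accounts.
Added example, not from the original article. All data below is constructed."""
from datetime import date

# Constructed HR export: who works here, in what role, and whether they still do.
HR_ROSTER = [
    {"user": "jsmith", "role": "finance_analyst", "status": "active"},
    {"user": "mlee", "role": "finance_analyst", "status": "active"},  # moved here from engineering
    {"user": "akhan", "role": "engineer", "status": "active"},
    {"user": "bwong", "role": "engineer", "status": "terminated"},
]

# Constructed role definitions: the groups each role is entitled to, and nothing more.
ROLE_ENTITLEMENTS = {
    "finance_analyst": {"Finance-Share-RW", "ERP-Users", "VPN-Users"},
    "engineer": {"Git-Developers", "VPN-Users"},
}

# Constructed directory export: the accounts that actually exist and what they hold.
DIRECTORY = [
    {"user": "jsmith", "enabled": True, "last_logon": date(2020, 5, 1),
     "groups": {"Finance-Share-RW", "ERP-Users", "VPN-Users", "Domain Admins"}},
    {"user": "mlee", "enabled": True, "last_logon": date(2020, 5, 2),
     "groups": {"Finance-Share-RW", "ERP-Users", "VPN-Users", "Git-Developers"}},
    {"user": "akhan", "enabled": True, "last_logon": date(2020, 5, 3),
     "groups": {"Git-Developers", "VPN-Users"}},
    {"user": "bwong", "enabled": True, "last_logon": date(2020, 1, 15),
     "groups": {"Git-Developers", "VPN-Users"}},
    {"user": "svc_backup", "enabled": True, "last_logon": date(2019, 11, 2),
     "groups": {"Backup Operators"}},
]

AS_OF = date(2020, 5, 4)  # the "today" the sample data is evaluated against


def reconcile(hr, entitlements, directory, today, stale_days=90):
    """Return (user, kind, detail) findings for accounts that do not match HR and role data."""
    findings = []
    hr_by_user = {rec["user"]: rec for rec in hr}
    for acct in directory:
        user = acct["user"]
        rec = hr_by_user.get(user)
        if rec is None:
            # Orphan: nobody in HR owns this account (service accounts need a named owner too).
            findings.append((user, "orphan", "no HR record; assign an owner or retire the account"))
        elif rec["status"] != "active":
            if acct["enabled"]:
                findings.append((user, "leaver", "terminated in HR but account is still enabled"))
        else:
            # Mover or over-provisioned: anything beyond what the current role grants.
            excess = acct["groups"] - entitlements.get(rec["role"], set())
            if excess:
                findings.append((user, "excess",
                                 f"groups beyond role {rec['role']}: {sorted(excess)}"))
        # Enabled but unused accounts are a standing risk regardless of HR status.
        if acct["enabled"] and (today - acct["last_logon"]).days > stale_days:
            findings.append((user, "stale", f"enabled but no logon in over {stale_days} days"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in reconcile(HR_ROSTER, ROLE_ENTITLEMENTS, DIRECTORY, AS_OF):
        print(f"{kind:7} {user:12} {detail}")
```

Run against the sample data, the job surfaces a finance analyst who somehow holds Domain Admins, a mover who kept a developer group after changing roles, a terminated engineer whose account is still enabled, and a service account with no owner and no logon in months. The point is that none of these is visible from HR or from the directory alone; it is the comparison that finds them.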
Adopt a Password Policy
Traditional passwords are outdated. Length drives more security than complexity rules do. We recommend a 16-character passphrase as the new minimum. A passphrase like “my dog has fleas” is 16 characters, is easy to remember, and would take a brute-force attack well over a thousand years to exhaust. Two caveats apply. That estimate assumes the attacker has to try every combination, and a well-known saying like this one is exactly what cracking dictionaries contain, so choose a phrase that is personal and not a quotation. And each account should get its own passphrase, which in practice means a password manager for everything except the few a person must type from memory.
Change this passphrase every six months to maintain effective security practices, and immediately if there is any sign it has been exposed. Note that NIST SP 800-63B advises against arbitrary periodic rotation and instead requires a change on evidence of compromise, so if you keep a rotation schedule, pair it with screening against known-breached passwords rather than relying on rotation alone. Passphrases and their respective policies must be implemented for every account, even the executive staff.
Adopt Multi-Factor Authentication
Multi-factor authentication (MFA), or two-factor authentication (2FA), combines something the user knows (the passphrase) with something the user has (a smartphone, a hardware token, or a registered device). Many systems let a device be marked as trusted once MFA has been completed on it, after which only the passphrase is needed on that device. A login from an unrecognized device triggers the second factor: a code sent to or generated on the registered device that a human must confirm. Be aware that a trusted-device exemption lowers protection on that device, so pair it with device security such as disk encryption, a screen lock, and an up-to-date operating system.
Some 2FA schemes use an authenticator app on your phone that generates a one-time code from a secret shared at enrollment. These are more secure than a code sent by SMS, which can be intercepted or redirected through a SIM swap, but they are a little more cumbersome to use. Remember you have to balance productivity with security. No easy answers.
Backups
The number one defense against ransomware is being able to recover quickly without losing too much data. If your data has been ransomed, you need to restore to a point prior to the encryption. That only works if the backups themselves survive: ransomware routinely deletes or encrypts any backup it can reach, so keep at least one copy offline or otherwise immutable, and test a full restore on a schedule so you know how long recovery really takes.
Firewall Filters
Many Tier 1 firewalls can filter outbound traffic. Why would you want this when you only care about what is coming in? Because ransomware typically has to reach out to its operators before it activates. Block that outbound call and you can stop or delay it. This is what is known as a BotNet filter, usually a reputation list of known command-and-control addresses. It is not foolproof, since freshly set up attacker infrastructure will not be on the list yet, but it is a very good step in fighting ransomware. Where you can, go further and allow outbound traffic only to the destinations and ports your business actually needs.
Monitoring
When an account is compromised and someone is actively in your data, would you know it? The earlier you detect a breach, the less damage results. Monitoring is challenging, but there are a few signs attackers leave behind.
The first is unauthorized elevation of permissions and privileges. This goes back to my comment about administering accounts: you need tight controls over this. When someone gains access through a low-privilege account, one of the first things they will do is elevate their permissions so they can get into more data. Additions to administrative groups, new accounts with admin rights, and accounts granting themselves access are events you need to know about immediately.
The second thing to monitor is unusually large or sustained uploads of data out of your network. If someone is harvesting your data, they are going to copy it off your systems. Watch for changes in Internet-bound traffic volume per host and per account, particularly outside business hours.
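The two signals above, privilege elevation and an egress spike, are simple enough to detect with a few lines once the telemetry exists. Below is an added example, not code from the original article or from any product, that runs both detections over constructed sample log lines. The JSON line format, the host and user names, the list of privileged groups, and the spike thresholds (five times the host’s median hourly egress and at least 1 GB) are all assumptions for illustration; a real deployment would read directory audit events and flow records and baseline each host over days, not a single day’s records.

```python
"""Two detections from the Monitoring section, run over constructed sample logs.
Added example, not part of the original article; the log format is invented."""
import json
from collections import defaultdict
from statistics import median

# Constructed sample telemetry, one JSON object per line. "group_add" records stand in
# for directory audit events; "egress" records are per-host outbound bytes for one hour.
SAMPLE_LOG = """
{"ts": "2020-05-04T08:00Z", "host": "dc01", "event": "group_add", "actor": "helpdesk1", "user": "jsmith", "group": "Finance-Share-RW"}
{"ts": "2020-05-04T08:00Z", "host": "fs01", "event": "egress", "bytes_out": 50000000}
{"ts": "2020-05-04T09:00Z", "host": "fs01", "event": "egress", "bytes_out": 48000000}
{"ts": "2020-05-04T10:00Z", "host": "fs01", "event": "egress", "bytes_out": 55000000}
{"ts": "2020-05-04T11:00Z", "host": "fs01", "event": "egress", "bytes_out": 51000000}
{"ts": "2020-05-04T12:00Z", "host": "fs01", "event": "egress", "bytes_out": 49000000}
{"ts": "2020-05-04T13:00Z", "host": "ws07", "event": "egress", "bytes_out": 12000000}
{"ts": "2020-05-04T22:10Z", "host": "dc01", "event": "group_add", "actor": "jsmith", "user": "jsmith", "group": "Domain Admins"}
{"ts": "2020-05-04T23:00Z", "host": "fs01", "event": "egress", "bytes_out": 8000000000}
{"ts": "2020-05-04T23:00Z", "host": "ws07", "event": "egress", "bytes_out": 15000000}
"""

# Assumed list of groups whose membership changes always warrant an immediate alert.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins",
                     "administrators", "backup operators"}


def parse_events(text):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_privilege_escalation(events):
    """Alert on any addition to a privileged group; flag self-granted access separately."""
    alerts = []
    for e in events:
        if e.get("event") == "group_add" and e["group"].lower() in PRIVILEGED_GROUPS:
            alerts.append({"ts": e["ts"], "user": e["user"], "actor": e["actor"],
                           "group": e["group"], "self_granted": e["actor"] == e["user"]})
    return alerts


def detect_egress_spikes(events, factor=5.0, min_bytes=1_000_000_000):
    """Alert when one hour's outbound bytes for a host exceed `factor` times that host's
    median hourly egress and an absolute floor (so tiny hosts do not alert on noise).
    The median is used as the baseline because it is not dragged up by the spike itself."""
    per_host = defaultdict(list)
    for e in events:
        if e.get("event") == "egress":
            per_host[e["host"]].append(e)
    alerts = []
    for host, recs in per_host.items():
        baseline = median([r["bytes_out"] for r in recs])
        for r in recs:
            if r["bytes_out"] >= min_bytes and r["bytes_out"] > factor * baseline:
                alerts.append({"ts": r["ts"], "host": host,
                               "bytes_out": r["bytes_out"], "baseline": baseline})
    return alerts


EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    for a in detect_privilege_escalation(EVENTS):
        print("PRIVILEGE:", a)
    for a in detect_egress_spikes(EVENTS):
        print("EGRESS:", a)
```

In the sample data the two signals line up the way they do in a real intrusion: jsmith adds jsmith to Domain Admins late in the evening, and an hour later the file server pushes 8 GB out against a 50 MB hourly norm. Either alert on its own deserves a look; together they are the breach in progress that the paragraph above is asking whether you would notice.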
Endpoint Security
Do you have a proper suite of “anti” tools (antivirus, anti-malware, anti-spam, etc.)? No anti tool is 100% effective, but they are a good baseline defense if kept current and deployed on every device that touches corporate data, including the home computers that were pressed into service.
Cybersecurity Insurance
What? Why is insurance in this list as an action? Because your insurance carrier’s risk department can be leveraged to help you identify vulnerabilities and risk. This service should not impact your insurability nor affect your rates. Check with your carrier to confirm.
Standards
Don’t make up your own standards. A number of organizations publish best practices and security frameworks. The National Institute of Standards and Technology (NIST) is the leading source; its Cybersecurity Framework and SP 800 series form the basis for most other standards. Pay attention to NIST recommendations, as the standards are revised regularly in response to real-world experience.
Taking Action
Companies of all sizes will need to prepare for a new office landscape after COVID-19 and implementing new cybersecurity measures to support Work from Anywhere should be the first place they start. If you have questions about how to drive productivity and manage a secure Work from Anywhere environment, reach out to your Aldrich Technology Advisor today.
Meet the Author
Peter Adams leads business strategy for Aldrich Technology. Prior to Aldrich, Peter founded and ran Lighthouse Information Systems, a West Coast technology consultancy focused on leading clients through technological and operational challenges in order to promote growth and facilitate successful systems. While running Lighthouse for more than 35 years, Peter served clients across countless industries,…
Peter's EXPERTISE
- ERP selection and implementation
- Operations and process analysis
- Technology as a strategic asset
- Business assessments