Mitigating the risks of returning to work
The need to enable remote work at the start of lockdown created many challenges for companies. Now, as employees return to the office, there is an equal need to reintegrate them carefully and safely.
The announcement of South Africa’s almost immediate lockdown at the end of March, in order to help reduce the spread of COVID-19, and the sudden need for multitudes of employees to be able to work from home, caught many IT departments by surprise and inevitably created a number of security concerns.
These ranged from basic concerns like ‘do we have enough VPN capacity?’ and ‘did everyone bring their laptop home?’ to larger fears like ‘can we manage software updates with machines on home WiFi networks?’ While this certainly wasn't something most had prepared for, the majority of businesses and their IT departments managed to enable at least some level of remote working.
“However, as stage three of lockdown comes into effect, we find that we are now approaching what could be considered phase two of the ‘work from home’ challenge – namely, the move to reintegrate some of the workforce back into the office,” says Pieter Nel, Regional Head for SADC at Sophos.
“In a perfect world, most of us would be using Zero Trust Networking (ZTN) or Secure Access Service Edge (SASE) for accessing our applications, making the transition in and out of the office an effortless endeavour, but very few of us are there yet. Remember that if we still have a perimeter, we will need to be cautious about how we reintegrate devices and data that have been outside the reach of management tools while these users were working from home.”
One potential challenge Nel identifies is that many organisations lost the ability to install or enforce updates for the duration of the stay-at-home order. To overcome this, businesses should consider implementing a slightly restricted quarantine LAN to isolate these devices, while IT catches up on procedures for checking the security on these devices, before properly reintegrating them with the corporate LAN environment.
“This is in fact very easy to do, by using the guest WiFi function of your wireless network. This allows productivity to continue, with the added safety of being able to quickly block or disconnect misbehaving devices.”
“Checking the integrity of company-owned devices will also be critical, especially as some users allow their children or families to use their device, which may have been the primary device in the household, for homework and other activities. In addition to ensuring operating system and application updates are installed, it would also be prudent to do a full system scan using an endpoint security product,” Nel continues.
We all know that shadow IT is a problem at the best of times, and in a crisis like this, you have to admire the ingenuity of employees doing what they can to ensure the job gets done. Of course, says Nel, a good practice on return is to consider an IT amnesty programme. Ask users to share what tools they needed to use while away that weren't accessible or provided by IT.
“The business can then use this as an opportunity to learn where the gaps in its remote work strategy are, and can be sure to get sensitive data identified and brought back in where it can be protected and controlled.”
Users without VPN access to company file shares will likely have used personal cloud services and removable media, adds Nel. Therefore, the organisation must work toward the elimination of these devices as a whole, as they are difficult to encrypt and easy to lose. Instead, the business should ensure every returning employee knows about the company’s own cloud storage service, and should help staff move any documents stored on personal devices or clouds over to the officially sanctioned tools.
“In the end, this should not be viewed as a chore, or even a challenge, but rather as an excellent opportunity to implement new policies, to embrace more secure and modern tools that enable remote work, and as a chance to cut down on work travel, as everyone is now more accustomed to online meetings. The one thing they must not do is consider the resumption of normal operations as merely business as usual. It is imperative to understand and mitigate the risks of allowing employees back into the office without undertaking a proper and secure reintegration process first,” Nel concludes.