With the COVID-19 vaccine rollout, employees may soon accomplish what was for a year impossible for many: returning to the office. That return will often include laptops that have been off-network for a year, translating to 365 days of pent-up alerts ready to flood security teams all at once.
Combine those issues with problems tied to workspaces and equipment left unattended for months on end, rapidly changing personnel, and the need to acclimate employees back into an office environment. Security is at an inflection point.
Ideally, “organizations had crisis management programs activated a year ago,” said Andrew Turner, senior vice president in Booz Allen’s cybersecurity services, bringing together human resources, security teams, technology, and executive management. “Those teams have likely been meeting throughout the year.”
The question is, how prepared are they to return to normal?
The best time to start planning was “six months ago”
Organizations’ preparedness to reopen offices will be as varied as organizations’ security postures. Ideally, say a bevy of experts, these conversations have already begun. Turner said they should have kicked off at least six months ago.
“It will be interesting to know if security people are even in the conversations about how to bring people back to work. My guess is they’re probably not,” said Helen Patton, advisory CISO with Cisco’s Duo Security. “I suspect that security people, as is historically the case, will be stuck in react mode.”
Small to midsized businesses struggle with a lack of resources, while even larger firms may have been waylaid by any of a dozen crises going on simultaneously across the world. As such, many companies may not have a return-to-work plan in the works.
“There is an opportunity for security leaders to put up their hands and say, ‘I need to be part of these conversations. I need to not be the receiver of the decision. I need to be part of the planning group that says how we are going to do this,’” said Patton.
The fallout of “make it happen”
The pandemic caused extremely sudden shifts in how organizations ran. Overnight, companies went from having no at-home workforce to having an entire staff work remotely.
“Most CISOs, most organizations, were [focused on], ‘we’ve got to get people remote,’” said Turner. “Companies were literally chartering flights and shipping laptops to India, to other areas around the world. It was ‘we’ve got to give people a desktop, a laptop, a monitor, a printer, and we’ve got to get them to the home as quickly as possible.’ A lot of what you heard from businesses would be: ‘Just get it done. Make it happen.’”
In the chaos, a lot of best practices went by the wayside. Many organizations lost the ability to manage the computers and office environments of at-home workers. Network administrators had to add a bevy of exceptions to allow workers to log in immediately. Turner notes that, in some cases, strict lockdowns in India or the Philippines meant outsourced workers went entirely offline, meaning new locations had to be opened.
Reopening the office will cause a lot of those security issues to rear their heads. Security teams will have to look at the sprawl of exceptions, identity management, and even accounts accumulated during the work-from-home era, and determine which need sewing up. They will also have to consider how to manage an entire office of computers reconnecting to the network for the first time in a year or longer. At a time when the security operations center needs to be on the lookout for signs of compromise, there will be a vast flood of other alerts tied to outdated machines.
Indeed, many experts suggest a tiered approach to the office return to manage the workflow.
“I don’t believe I’ve talked to any CISO that says, on day one, 100% of the people will go back to the office,” said Rick McElroy, principal security strategist at VMware Carbon Black.
Enterprises that relied on users to handle aspects of their own security might do well to nudge their users to update and scan before returning to the office, added Patton.
“You want to be able to say: ‘Hey, like with COVID, part of coming back to the office is making sure that you’re not going to infect everybody with a computer virus,’” she said. “We don’t want you coming back in and sneezing on everybody, and we don’t want you coming back and ‘ransomware-ing’ everybody as well. So before you come back, take your temperature and patch your damn device.”
New tech, new people
There is a lot of speculation that the COVID experience will normalize working from home. That causes two problems, said Patton. The first is that the ad hoc, spackle-and-duct-tape systems set up for remote work may not provide adequate security in the long haul, even if they held up during 2020. (“People always overestimate their capabilities,” she said.)
A second, more nuanced problem relates to technology. What is often used for in-person interactions may not be appropriate for a hybrid office, or vice versa. Home workers may not see a screen projector in a conference room, for example. And when technologies fall short, Patton said, workers often find creative workarounds to the carefully vetted, meticulously secured systems the office has in place.
Finally, when people show up to the office only once a month or once a year, said Gabby DeMercurio, a penetration tester for Coalfire, a key advantage in preventing physical breaches on networks is lost: the ability to recognize coworkers.
“If you get these people that are always working from home, but come in onesies and twosies every month, you’re going to see all these ‘strangers’ walking around the office,” she said. “That’s going to [contribute] to people becoming numb to seeing others they don’t recognize,” she said, suggesting doubling down on training employees to be alert for people who may not belong.
Of course, old technology and long-time employees also pose new problems. VMware Carbon Black’s McElroy highlighted insider threats as an increased risk after a period of economic uncertainty.
“Anytime there’s a population of folks who have significant financial distress, that increase is just exponential,” he said. “My fear is the economy will take a while to recover, and you have a large group of people who are going to seek other avenues for income. That’s not just a cybercrime problem. That’s a crime problem in general.”
The technology left behind in the office while employees were home also poses its own threat, including systems tied to access. There may have been a physical compromise (DeMercurio recommends taking a quick sweep for key loggers, for example) but more risky still is that the technology expired.
“Security teams should reassess all of their physical security controls and validate that they are working as expected,” said Rick Holland, chief information security officer at Digital Shadows. “This assessment should include wireless access points, camera systems, alarm systems, badge systems, and any biometric controls. Make sure that the software for any of these controls is also patched and up to date.”
The case for optimism
The workload for security staff during and after returning to offices will not be small, and several experts warned of burnout. But McElroy highlighted a few reasons to be encouraged.
The past year demonstrated to many executive suites just how important a functioning security team is to an organization, finally putting them at a level in the corporate hierarchy where “they should have been 10 years ago.”
Lockdown also made organizations better prepared to handle the next disaster, he added, whether it’s a pandemic or a natural disaster.
“It’s a pretty resilient sector,” he said. “It’s a pretty resilient group.”