When the pandemic hit the U.S. with a vengeance, most companies made on-the-fly decisions to shut down the workplace, forcing employees to make the switch to work from home with little to no warning. Ensuring that everyone had the right equipment and the ability to connect to the corporate networks – and do so securely – in a matter of hours was a challenge for IT and security teams. It was, safe to say, a situation no CIO or CISO wants to repeat.
Now some companies are bringing employees back to the worksite. This, thankfully, can be done methodically and with careful planning, yielding a worksite that is not going to look like the one the employee left back in March. But it isn’t just preparing offices for the staff’s return; IT and security teams have to be prepared for three different workforce scenarios:
- workers who return onsite full time;
- a hybrid model of workers who will split their work week onsite and remote;
- employees who will continue to work remotely through the rest of the calendar year and beyond.
The challenge is to figure out how to keep productivity high among all three groups of workers and maintain a sharp focus on cybersecurity as people continue to be distracted and more susceptible to making mistakes as attacks are on the rise.
Ninety percent of organizations experienced a spike in cyberattacks during the pandemic. Hackers have taken advantage of the fact that security infrastructures have exposed weaknesses during COVID-19 and that workers are multitasking in new ways, meaning they aren’t paying as close attention as they normally would, which increases the likelihood of being phished. In fact, COVID-19 itself has been used in phishing scams since the pandemic began, growing from 5,000 in February to more than 200,000 by May. Hackers understand our need to find things that take our minds off the stress of working at home: more than 80 percent of those cute puppy pictures are scams.
For the workers who will remain remote for an indefinite period, the priority for executives is not only keeping people productive from home, but keeping corporate and customer data safe because it is more vulnerable than ever. User distraction is just one part of that. Another element is that the home network is never going to be as safe as the corporate network. CIOs and CISOs are tasked with coming up with solutions to harden the perimeter. Yes, workers use VPNs and remote logins, and while that’s a start, there is no silver bullet available that will make the home network as secure as the network that sits behind the corporate firewall.
However, these workers were also sent home with little security preparation. According to the Wall Street Journal, “Forty-five percent of people working remotely said their companies provided no special training on securing devices at home, according to a survey from International Business Machines Corp. Forty-two percent said they handle personal identifiable information such as Social Security Numbers or financial data in their job.” If workers are going to remain at home, CISOs need to offer security awareness training sooner rather than later to prevent potential data breaches and other incidents.
When it comes time to bring employees back full time, what will that look like? Even if leadership wants to bring everyone back at once, that may not be logistically possible. Some states have regulations in place on how many people can populate a space at one time, so companies may find that they have to bring them back in a staggered time frame. For many organizations that will mean having workers on a schedule that combines days at home with days in the office. While it will be up to the business leadership to determine the logistics, CIOs will be charged with the technology behind scheduling and tracking employees, determining when they are on and when they are off and who shouldn’t be in the office.
This hybrid model will create a number of scenarios that will have to be addressed in real-time. For example, regarding employee health safety, if one member of the marketing team in a particular cohort tests positive, does the entire cohort get tested and stay home? Or just the members of the marketing team in that cohort working in that particular part of the building? Or anyone that was traced to using the same office bathroom? There will be a number of cases like this in offices that will play out in the headlines and social media feeds for the next several months.
On the cybersecurity front, the hybrid model will stress security monitoring and behavioral analytics. Employees will now have two usage baselines, complicating the already difficult analysis of vulnerabilities and exploits. Security teams that had a good handle on the pre-COVID normal patterns of employees in the office (with some percentage working on the road), and then established a new baseline with all employees out of the office, will now face multiple oscillating baselines as various cohorts work in the office or at home on any given day.
As access control and security configurations often vary in remote vs. local usage models, this will present a more difficult environment to completely understand and lock down, potentially creating the need to deploy more intelligent behavioral analytics solutions.
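The two-baseline problem described above can be made concrete. The Python below is an added example, not code from the original article; the access log, the user name, the two features (login hour and megabytes downloaded), the standard-deviation floor and the z-score threshold are all constructed for illustration. It builds one baseline per (user, access context) and a second, blended baseline per user, then scores the same event against both: an office-sized download arriving over VPN is clearly anomalous against the per-context baseline but looks ordinary against the blended one. A context with no baseline yet is flagged for review rather than silently accepted.

```python
"""
Per-context behavioural baselines for a hybrid workforce (added example).

Each user gets a separate baseline for on-site ("office") and remote ("vpn")
activity, and an event is scored against the baseline matching its access
context rather than against one blended per-user profile.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

FEATURES = ("login_hour", "mb_downloaded")  # numeric fields we baseline

# Constructed training log: the same user, seen on-site and over VPN.
TRAINING_LOG = [
    {"user": "alice", "context": "office", "login_hour": h, "mb_downloaded": mb}
    for h, mb in [(9, 120), (8, 140), (9, 130), (10, 110), (9, 125)]
] + [
    {"user": "alice", "context": "vpn", "login_hour": h, "mb_downloaded": mb}
    for h, mb in [(7, 40), (8, 35), (7, 45), (8, 50), (7, 38)]
]

# Probe event (constructed): an office-sized download arriving over VPN.
PROBE = {"user": "alice", "context": "vpn", "login_hour": 8, "mb_downloaded": 130}


@dataclass(frozen=True)
class Baseline:
    means: dict
    stds: dict
    samples: int


def by_user_and_context(event):
    """Key that keeps on-site and remote behaviour apart."""
    return (event["user"], event["context"])


def by_user(event):
    """Key that blends both contexts into one profile (the pre-hybrid view)."""
    return event["user"]


def build_baselines(log, key_fn, min_std=0.5):
    """Mean/std of each feature per key. min_std (an assumed floor) stops a
    very regular user from turning every tiny deviation into a huge z-score."""
    groups = defaultdict(list)
    for event in log:
        groups[key_fn(event)].append(event)
    baselines = {}
    for key, events in groups.items():
        means, stds = {}, {}
        for feature in FEATURES:
            values = [e[feature] for e in events]
            means[feature] = mean(values)
            stds[feature] = max(pstdev(values), min_std)
        baselines[key] = Baseline(means, stds, len(events))
    return baselines


def score_event(event, baselines, key_fn, threshold=3.0):
    """Return the worst z-score across features and whether it crosses the
    (assumed) threshold. A key with no baseline, e.g. a cohort's first remote
    day, is flagged for review rather than silently accepted."""
    key = key_fn(event)
    base = baselines.get(key)
    if base is None:
        return {"key": key, "flag": True, "reason": "no baseline", "z": {}}
    zs = {f: abs(event[f] - base.means[f]) / base.stds[f] for f in FEATURES}
    worst = max(zs, key=zs.get)
    return {"key": key, "flag": zs[worst] >= threshold,
            "reason": f"{worst} z={zs[worst]:.1f}", "z": zs}


CONTEXT_BASELINES = build_baselines(TRAINING_LOG, by_user_and_context)
BLENDED_BASELINES = build_baselines(TRAINING_LOG, by_user)


def compare(event):
    """Score one event both ways so the difference is visible side by side."""
    return {"per_context": score_event(event, CONTEXT_BASELINES, by_user_and_context),
            "blended": score_event(event, BLENDED_BASELINES, by_user)}


if __name__ == "__main__":
    for name, result in compare(PROBE).items():
        print(f"{name:12s} flag={result['flag']!s:5s} {result['reason']}")
```

With the constructed data, the probe's download volume sits roughly 16 standard deviations from the user's VPN baseline but only about one standard deviation from the blended per-user baseline, so only the per-context scoring raises it. The design choice worth noting is the "no baseline" branch: when a cohort's schedule changes, the first days in a new context will have no history, and treating that as an explicit review condition is safer than defaulting to the blended profile.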
“Back to normal” – the return to the workplace full-time
With a full return to the workplace, CIOs will find they have to monitor technologies that manage issues like employee movement, as well as the data privacy involved with health tracking apps. Organizations are going to have to track employee health and their movements for contact tracing. TransUnion, for example, has introduced HealthyAmerica, which gives employees and businesses a way to securely share COVID-19 testing results while maintaining individual privacy, helping businesses minimize risk and reopen with a greater level of confidence.
COVID-19 and its impact on the workplace is creating compliance issues surrounding employee health data and other personal information that CIOs couldn’t have anticipated a year ago. Programs like HealthyAmerica may require CIOs to manage technologies like QR codes to record the testing information, and any time health information is stored, HIPAA compliance requirements follow. In this return to work, a significant amount of additional data has to be tracked that requires higher levels of protection, and CIOs and CISOs will be responsible for protecting that data.
What CISOs worry about
I polled a number of CISOs and CSOs at major corporations, universities and venues to determine how their priorities were shifting from early in the spring at the start of the pandemic to now. The first few months of the COVID-19 crisis in March, April, and May were spent focusing on making sure their users were productive and data was safe while being accessed at home. Security professionals worried about secure remote access to corporate networks and applications, the dramatic increase in phishing attacks targeting both employees and customers, and advanced behavioral analytics to better track compromised users and assets. Significant effort went into ensuring that Zoom, Teams, WebEx, and other collaboration platforms – now necessary for almost every organization’s business operations – did not create new vulnerabilities.
Now, with many organizations considering a hybrid model for return-to-work, their top priority is finding ways to safely bring people back into the physical space. And many are looking for new products and technologies to assist with this goal.
Enterprise security professionals have let me know that their organizations are investing significantly in non-security products like conference room collaboration systems, to better unite teams working in the office and at home as they share projects over Teams and other platforms. Other executives tasked with physical security – key members of their COVID reopening task force – are exploring hoteling software to schedule employees and physical spaces for a safe return to the office, and evaluating people tracking solutions to ensure compliance with the organization’s safety guidelines and government regulations.
This latter category is seeing a dramatic acceleration in innovation and adoption, as many entities such as universities cannot afford to stay closed, and at the same time cannot manage thousands of students, faculty and support staff without more real-time crowd intelligence.
The bottom line
While we all want a return to a normal work life, we need to ensure that it happens in a way such that we don’t introduce more health risks as well as security risks. CIOs and CISOs will need to employ human ingenuity and technology-based solutions to keep their employees and enterprises productive, healthy, and safe.