Six best practices for managing cyber-security upon return to office

Below are six best practices cyber-security and compliance professionals should consider to facilitate a smooth and secure transition to a reimagined office.

1. Protect privacy and security in shared workspaces. Given significant real estate moves, consolidations, and reconfigurations, the offices employees return to this summer are likely to be physically much different than the ones they left in March 2020. In addition to temperature checks and elevator spacing protocols, employees might be settling into new floors or buildings that have been updated to increase the physical distance between workers and offer “hot desking” or “open desking” where employees from various business units sit together. Routine discussions of sensitive information—including HR reviews, internal investigations, highly confidential trading data, material nonpublic information, and earnings projections—will happen, so security teams must consider how best to stagger or separate employees to prevent exposure.
2. Update hardware inventories. The pandemic necessitated quick and nimble action from firms to ensure their remote workforce had all the right hardware to perform their roles effectively—from laptops and phones to webcams and printers. With a return to the office, new hardware like enhanced videoconferencing devices and dedicated terminals must be managed appropriately. Ensuring inventories of physical hardware are updated to include newly deployed office infrastructure as well as the home office kit provided during the last year is essential. An accurate inventory will serve as a baseline against which to manage recently issued, lost, or stolen devices. Inventories also support related IT processes like the application of operating system updates and security patches.
3. Deploy oversight controls for collaboration and chat platforms. From a software perspective, collaboration and chat tools like Zoom, Slack, Cisco Webex, and Microsoft Teams have provided the backbone for business communications during the pandemic. The usage of these platforms will continue to grow as the core connectors of employees in the hybrid work environment. Cyber-security and compliance teams must observe the regulatory capture, retention, and supervision obligations for communications on these platforms, but should also anticipate the potential data leakage risks from information shared through screen shares, Webcams, chat, file shares, and whiteboards. Ensuring technical controls for oversight of these collaboration and dynamic chat applications are consistent in both office and remote environments is essential. Forward-thinking startups have developed platforms leveraging advanced AI techniques to facilitate supervision.
4. Refine cyber-security policies and procedures. Core components of any cyber-security program are the policies and procedures that define a firm’s technical controls and articulate rules of the road for employees. Easy to overlook in the maelstrom of return-to-office planning, compliance and security teams must update policies and procedures to account for the new risks of revamped office spaces and employees shuttling between corporate and home workplaces. Controls related to securing employee and guest Wi-Fi networks, the appropriate use of communications platforms, incident response protocols, and guidelines for submitting requests for hardware or software credentials must be refreshed to align with new operational realities.
5. Revise risk registers to include the threats of a new hybrid work environment. Cyber-security risk assessments and compliance risk control self-assessments must be scrutinized and refreshed to account for the new and novel issues related to the hybrid office. Since these assessments provide the baseline for a firm’s risk posture, a transparent accounting of risks related to shared physical spaces, new third-party vendors, and new hardware and software must be conducted to determine which compensating controls can be deployed and where risk tolerance thresholds should be reexamined. Although organizations might be tempted to rely on ongoing risk exceptions developed during the pandemic, proactive security and compliance teams should conduct comprehensive reviews now—don’t wait for the annual update cycle.
6. Training and phish testing. To ensure employees understand the cyber-security and compliance risks of new hybrid working arrangements, updating training materials, including phish testing, is critical. Quick, targeted trainings focused on issues like protecting sensitive conversations about firm and customer information, the data exposure risks of collaboration tools, and how to report lost or stolen devices will explicitly educate employees on the most important issues. The pandemic introduced a slew of new social engineering and phishing attack strategies, moreover, so upleveling testing in this area, which always requires constant evolution to track the current threat landscape, is a must. Finding creative ways to combat training fatigue will be critical since relaying messages about the new risks of hybrid work will benefit firms and employees alike.

Collectively, cyber-security and compliance teams must begin the return-to-office planning process so that when employees arrive, everyone is prepared. Given that updating risk registers, implementing new technology tools, revising policies, and creating new training requires well-aligned, coordinated efforts, now is the time to define and begin executing on these tasks.

Marc Gilman is general counsel and VP of compliance at software provider Theta Lake. He is also an adjunct professor at Fordham University School of Law. Follow him on Twitter: @marcwiki.