Industry executives and experts share their predictions for 2021. Read them in this 13th annual VMblog.com series exclusive.
Potential Cybersecurity Dangers of Returning to the Office in 2021
By Tony Howlett, CISO, SecureLink
As we finish up 2020 and look forward to a better 2021, many companies are planning for their workforces to return to the office. While no one can predict exactly when the pandemic will begin to wane, with several vaccines being approved for release it is assumed that most employees who were sent home at the beginning of the pandemic will be able to return full time sometime next year. IT and HR departments have been in full swing, making plans for these returns after having employees working from their homes for most of the year. Furthermore, cybersecurity experts will be glad to have their flocks back inside their protective cocoon of firewalls and other onsite corporate protections.
Generally, having your users concentrated in areas where you can control the network and perimeter is preferable to having to defend every employee's home environment. And having time to plan and get things in place beforehand is much better than the mass migration on the "hurry up" we had to do when COVID-19 first struck and everyone went to work from home almost overnight. But bringing back internal employees after such a long time away is not without cybersecurity risks, and there are some pitfalls to consider in your plans for moving back to the office.
While the full IT considerations of a return to the office are beyond the scope of this article, we thought we'd take a look at the possible cybersecurity and DR/BC issues that might crop up so that you can prepare yourself accordingly.
Are your internal networks and servers ready?
First of all, you will probably want to visit the physical offices first and check for any stale configurations on devices or servers. Routers and switches may have gone down unnoticed, since no workers were there to report them, and patches may need to be applied. It is probably a good idea to give yourself time to do health checks of all the networks and access paths before the full wave of employees hits your shores. And once they start coming, a phased-in approach is recommended, from both an IT security and a health standpoint, so you can deal with any "flare-ups."
Retraining employee behaviors
Just as returning employees will have to get used to coming to work in something besides pajamas or sweatpants, they will also have to re-acquaint themselves with the more restricted nature of office IT. Habits picked up on their home networks, such as streaming TV shows and surfing certain sites, may cause issues at work, and you may see a spate of blocked sites and policy violations in your first few weeks back. Your mileage may vary here depending on how restrictive your Acceptable Use Policy is, but it might be a good idea to do a refresher course on what is allowed and what isn't.
And keep in mind that a whole new cohort of employees may have started who never had to work in your office before. They might be new hires right out of college, and they might not be familiar with the ways of modern office IT etiquette. Employees at all levels of experience and tenure should get a cybersecurity awareness refresher as part of your return-to-work process - just to remind them that they are not in their bedroom anymore.
Checking your physical security
You'll also want to take a look at your physical security and make sure the IT aspect is up to snuff for the return of the masses. Access lists may not have been updated with new employees, or may still list employees who are no longer there, so computer rooms and restricted areas may need adjustments to their access lists. The electronic locks and magnetic releases might literally be a bit rusty from disuse. Just as HR and facilities staff are working to make sure they have the proper disinfection and sanitation protocols in place, make sure you do the same for your physical IT plant.
Hybrid work from home and office environments
Finally, we may have to contend with the idea that some of our employees are never coming back. Having worked from the relative freedom of their homes, some of those workers will have decided they want to do that full-time. And many companies are enabling this, seeing future cost savings in office rentals and expenses. Granted, not every employee will want this - some are eager to get away from kids and spouses - but there is enough desire for this that we are probably going to end up with a hybrid architecture, managing both at-home and in-office environments.
Besides the sheer resource issue, we will end up with distinctly different cybersecurity profiles for these two workforces. And some companies' IT departments may be faced with a workforce that never returns. Having made the transition to work from home and seen that it doesn't result in a huge drop in productivity, some companies will decide to go 100% remote and completely forgo an office environment going forward. This means that you will need to make all of your temporary patches and workarounds permanent, even though they were put in place when we thought we'd only be doing this for a few months.
So, no matter what your post-pandemic work environment looks like, making it work together securely and efficiently will be one of the great challenges of 2021 and beyond. And as they say in the medical field, one ounce of preparation will be worth a pound of cure.
About the Author
Tony Howlett is the Chief Information Security Officer at SecureLink, where he is working to make vendor privileged access secure and efficient. Previously, Tony was Chief Technology, Security, and Privacy Officer at Codero, where he first learned about the issues and challenges that companies in regulated industries face when trying to provide non-employee third parties, such as IT vendors, with access to their networks and systems. Additionally, Tony is a published author and speaker on various security, compliance, and technology topics. He serves as President of the (ISC)2 Austin Chapter and is an Advisory Board Member of GIAC/SANS. He is a certified AWS Solutions Architect, holds the CISSP and GNSA certifications, and holds a B.B.A. in Management Information Systems from the University of Houston.