You've seen the memo: We're heading back to the office. Even if we're not returning full-time, more of us are back at least a few days a week.
The challenge we face is that many security policies applied pre-COVID were abandoned during lockdowns. When users had to stay at home, they turned to whatever tools and devices were available, often with very little consideration for the security impact.
Now is the moment to act: bad habits will become entrenched once users settle into their post-lockdown working practices. So what can you do to sweep away bad practices and make sure you're protected against bad actors? Unsurprisingly, companies are reasserting security policies and putting best practices back in place now that we're returning to normality.
But why not do better than before? Now is the time to spring clean your security policies rather than simply reverting to what you had. Use this opportunity to improve. Here are five practical steps to get your security policies dusted down and fit for purpose:
Security teams have a lot to do to prevent issues stemming from people having worked from home on devices that were sometimes bought at a local store and complied with no tooling policy at all. That needs to change to a more secure way of working.
To start, get company data off personal devices and back under company control. The company owns the data and needs to control it, rather than leaving it resident on end-user devices.
Any tooling used during COVID to access the company network that the company itself did not set up, such as a separately chosen VPN client or TeamViewer, needs to be removed from those devices. Freemium products, collaboration tools, file-sharing tools and the like need phasing out, with users migrated to the approved company toolset.
File sharing between personal and company devices, whether by email or public file-sharing tools, must follow company policy.
During COVID, many administrators removed restrictions on employee access to resources outside standard office hours. These can be reinstated as people return to the office.
Some companies have told employees they don't need to return to the office and can now work at any time, which is great. But even if your organisation adopts a fully flexible working day, you need the right security structures in place; otherwise you'll end up in a mess.
Limits on working from other locations, relaxed during COVID, need reinstating. This is a lot of work for the IT administrator, but location restrictions exist because you would not allow access from an untrusted environment, an untrusted place.
Modern solutions can still give employees a safe working environment. For instance, authentication can be made fully independent of the user's location, so that the access decision rests on who the user is and how they authenticate rather than on where they happen to be, and people can work from anywhere in the world.
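As an added illustration, not code from the original post or from any vendor's product, here is a small Python access-policy evaluator that contrasts the two models discussed above: the legacy rules that trust the office network and tolerate remote access only during office hours, and a location-independent model that decides on identity assurance (MFA) and device posture instead, treating tooling the company did not set up (the TeamViewer-style remote-access tools and freemium file-sharing products mentioned earlier) as a compliance failure. The office network range, office hours, approved and banned software lists, and the three sample requests are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed placeholders for this example: your own office ranges,
# business hours and approved/banned software lists will differ.
OFFICE_NETWORK = ip_network("10.20.0.0/16")
OFFICE_HOURS = range(8, 18)                       # 08:00 to 17:59 local time
APPROVED_SOFTWARE = {"CorpVPN", "CorpFileSync", "CorpChat"}
BANNED_REMOTE_TOOLS = {"TeamViewer", "AnyDesk"}   # remote access the company did not set up


@dataclass
class AccessRequest:
    user: str
    source_ip: str
    when: datetime
    mfa_passed: bool
    device_managed: bool
    installed_software: set = field(default_factory=set)


def legacy_decision(req: AccessRequest) -> tuple[str, list[str]]:
    """Pre-COVID model: the network location is the trust anchor and
    remote access is only tolerated during office hours."""
    if ip_address(req.source_ip) in OFFICE_NETWORK:
        return "allow", ["trusted office network"]
    if req.when.hour in OFFICE_HOURS:
        return "allow", ["remote access within office hours"]
    return "deny", ["remote access outside office hours"]


def zero_trust_decision(req: AccessRequest) -> tuple[str, list[str]]:
    """Location-independent model: every request is checked for identity
    assurance and device posture; where it comes from does not matter."""
    reasons = []
    if not req.mfa_passed:
        reasons.append("MFA not satisfied")
    if not req.device_managed:
        reasons.append("device is not company-managed")
    banned = req.installed_software & BANNED_REMOTE_TOOLS
    if banned:
        reasons.append("unapproved remote-access tooling: " + ", ".join(sorted(banned)))
    unapproved = req.installed_software - APPROVED_SOFTWARE - BANNED_REMOTE_TOOLS
    if unapproved:
        reasons.append("software outside approved toolset: " + ", ".join(sorted(unapproved)))
    if reasons:
        return "deny", reasons
    return "allow", ["MFA passed on a compliant managed device"]


# Constructed sample requests (not real users, addresses or events).
SAMPLE_REQUESTS = [
    # On the office LAN, but no MFA, unmanaged laptop, TeamViewer installed.
    AccessRequest("alice", "10.20.4.17", datetime(2022, 3, 7, 10, 0),
                  mfa_passed=False, device_managed=False,
                  installed_software={"TeamViewer", "CorpChat"}),
    # At home late in the evening on a compliant managed device with MFA.
    AccessRequest("bob", "203.0.113.5", datetime(2022, 3, 7, 21, 30),
                  mfa_passed=True, device_managed=True,
                  installed_software={"CorpVPN", "CorpChat"}),
    # Managed device with MFA, but a freemium file-sharing tool still installed.
    AccessRequest("carol", "198.51.100.9", datetime(2022, 3, 7, 14, 0),
                  mfa_passed=True, device_managed=True,
                  installed_software={"CorpVPN", "FreeShareDrive"}),
]


def evaluate(requests=SAMPLE_REQUESTS) -> dict[str, dict[str, str]]:
    """Return {user: {"legacy": decision, "zero_trust": decision}} so the two
    models can be compared side by side."""
    return {
        r.user: {"legacy": legacy_decision(r)[0],
                 "zero_trust": zero_trust_decision(r)[0]}
        for r in requests
    }


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        for name, fn in (("legacy", legacy_decision), ("zero trust", zero_trust_decision)):
            decision, why = fn(r)
            print(f"{r.user:6} {name:11} {decision:5} ({'; '.join(why)})")
```

Running the block shows the trade-off the post is describing: the legacy model lets alice in purely because she is on the office network, even though her device is unmanaged and carries TeamViewer, while it blocks bob's perfectly healthy out-of-hours session from home; the location-independent model reverses both outcomes and also names the leftover tool on carol's device so it can be phased out.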
During COVID, people working from home found workarounds to get their jobs done because they were in unusual circumstances and didn't necessarily have the right toolkit. It wasn't ideal, but the exceptional circumstances meant it happened.
People are coming back to the office with all kinds of equipment carrying company data, and with tools they installed to make their working lives easier. Now that we're back to normality, these potential security gaps, people using tools like TeamViewer for instance, need to stop.
Bad actors have not been keeping a safe distance; they have been there all along. Spring cleaning your security policies lets IT admins rethink and reassess what is in place. Ask yourself: is it fit for purpose, and can it support the new ways of working that enable users?
Now that people are coming back to the office, and we're all happy to finally have that choice again, we need to do the spring clean.
It more or less comes down to whether you want to reimpose the old restrictions or adopt a newer way of working. Either way, bad actors will always be there in some form: malware may already be sitting on a device, and if company data sits on that same device, the malware can reach it.
If your organisation still relies on traditional perimeter networking, it may no longer be secure enough. And if you're adopting hybrid working, it's great that you're embracing modern ways of working, but you need to make sure you have the tools to support it and keep it secure.
When users come back to the office, you don't know what they will bring with them, or what bad security habits they have developed.
In the end, it's about enabling the business and its users rather than restricting them. Rather than trying to shut down what users are doing, let them enjoy the flexibility, but in a secure way that you can control and manage - not the Wild West of everybody doing what they want.
What if you consider a zero trust approach while doing your spring clean up?
When working through an IT security spring clean, many companies realise that a zero trust approach could stop them ending up in a similar situation again. Zero trust reduces your attack surface, strengthens security and cuts complexity.
We recently put together a new guide that explains why companies turn to zero trust, why the time for action is now and shares our Zero Trust success roadmap. Download your copy of the guide here: