In my previous post, I highlighted some of the considerations and challenges for IT teams as people return to the office. This time, I want to focus on the specific issues of security and compliance.

Flexible Working

During the pandemic, you may have temporarily relaxed or suspended your normal security provisions to maintain productivity. Flexible working is often introduced at pace and maintained on a fluid, open-ended basis. It has also changed how files are shared and increased BYOD. This in turn has changed how many organisations think about and enforce data and device security. However, in many cases, the underlying policies themselves have not been adjusted accordingly.

That discrepancy needs addressing. This is because as people return to the office, you gain a clearer picture of what your ‘new normal’ is, or will look like. For example, will people now be formally permitted to access files and systems using their own, non-corporate devices? You may have been fine with BYOD in these exceptional circumstances; is it something you’re happy to see continue in future?

Working from Home Policies

This policy gap is especially important if you’re subject to external audits, for example if you are ISO-accredited, CE/CE+ certified or PCI compliant. Many audits were delayed or delivered differently due to the pandemic. However, when they restart, auditors will want to see that your policies have either been updated or reintroduced in full. If they observe practices that violate your own stated policies, the ‘temporary relaxation’ defence is likely to get short shrift at this stage.

To ensure your security and compliance processes and policies are ready to cope with your new normal (whatever that looks like), there are three main areas you need to review and examine:

1 – People

The changing ways people are accessing and interacting with IT services. As I mentioned above, your policies and systems may need to be either:

  1. Permanently updated to allow ways of working that have become normalised, having been frowned upon before the pandemic; or
  2. Returned to their previous state, which then requires reviews and actions to ensure people understand and comply with them again.

2 – End User Assets

Many assets that once were in the office every day and directly connected to the LAN are now remote for most of their time. This is likely to have increased the mean time between vulnerability scans and between applications of configuration policies, leaving those devices potentially at risk.

As a result, you may need to improve your mechanisms both for deploying configuration policies to the OS and applications and for auditing compliance with them.

3 – Identity and Authentication Services

Users who were previously office-based are now working from home and may continue to do so more often. Make sure the appropriate licenses for features such as conditional access, risk-based logon analysis and MFA are assigned according to your security policy.

New ways of working may have led to the rapid implementation of new software, like Box.com or Teams. The authentication and governance of these new services should be inspected to ensure they comply with security policies and are appropriately integrated – for example into your CASB solution.

What now?

Protecting data and systems is absolutely central to our role as CIOs, and in the return to the office. These issues may already have been discussed and decided at the senior level. If not, it’s up to us to ask the business what it wants. Because if we don’t pose these vital questions, others almost certainly will. If you’d like to find out more about what we’re doing and how it could help your organisation, please get in touch here.
