The speed with which both government and large corporations adapted to the COVID-19 pandemic, rethinking procedures and operations to make working from home the new normal, remains an impressive feat. Maybe the level of flexibility demanded was familiar to smaller businesses, but until the pandemic made it necessary, it would have been frowned upon by many traditionally minded C-Suite executives.
By this point, working from home has become the default setting for many organizations. But even as restrictions are easing, they’re not necessarily rushing back to office life as it was before, now that the potential benefits of increased productivity and a lower cost of doing business have become apparent. The new long-term normal may very well take the form of a hybrid model with less office space and more people working remotely part or all of the time. However, as is often the case when change happens swiftly, support mechanisms such as security will have to rush to catch up.
Early in the pandemic, we saw how rapidly the videoconferencing app Zoom’s user base and stock price took off, only to have previously unforeseen security weaknesses come under closer scrutiny. The scale of the issues led to an apology from the founder and CEO of Zoom, along with a commitment to first address users’ privacy concerns before introducing any new features.
Security should never be an impediment to progress, and our current environment is no different. Fortunately, the technology and equipment that enable employees and contractors working from home to do so in a secure and safe manner already exist. We just need to rush to catch up to the new default setting. In many cases all that’s needed is to expand the security principles that are already in place at the office, in recognition of how the business environment has expanded.
In threat risk assessments conducted at places of business, ADGA’s security professionals examine issues such as:
- What are the assets being protected and the impact to the organization if they are compromised?
- What is the threat to these assets?
- What security measures are already in place?
- What, if any, is the residual risk left to the assets when one considers the threat and existing security measures?
- What recommendations are needed to reduce the risk to an acceptable level?
In the course of dealing with many and varied clients pre-pandemic, ADGA has conducted residential security assessments, usually focused on the safety of executives and their families, and any sensitive information or assets that may occasionally be brought home.
We have also conducted security assessments of many small offices that were applying to connect with servers containing sensitive corporate, government, or personal information. Our assessments assisted in ensuring that the appropriate security measures were in place at these sites before they were authorized to connect.
The new normal will likely require a hybrid assessment somewhere in between these two examples. Now that they are effectively an extension of the workplace, the security realities of home offices will need to be thoroughly examined. The volume and sensitivity of the information being dealt with offsite has already risen considerably and is expected to stay that way.
It’s imperative that organizations move quickly to implement the proper tools that will enable employees to access and exchange the information they need to work effectively offsite. Pretending that sensitive information is not required in this setting or maintaining a blanket prohibition on existing tools will only lead to employees finding their own workarounds, potentially leading to even more risk and vulnerability. It is imperative that organizational leaders have a clear understanding of the security risks facing them and make informed decisions based upon that knowledge.
Some security issues to consider are:
- Identifying positions or employees that will need or want to work remotely over the long term
- Instituting security assessments for residences and smaller satellite offices that will now see a substantially increased volume of work
- Enabling remote work with the appropriate physical and cyber security tools
- Expanding our security awareness training to adapt to the new environment
- Expanding our security monitoring and reporting to the new environment so we can identify issues early and learn from them