After a year of home usage, office laptops need to be quarantined and sanitized, according to a cybersecurity scientist.
Last year, businesses worldwide made abrupt, unplanned shifts to remote-working, thereby contending with issues such as whether there would enough VPN capacity to support all employees remotely; if software updates could still be applied to workplace machines on home Wi-Fi networks, and whether every employee had a work laptop to bring home in the first place.
While many organizations were able to quickly piece together a remote workforce IT strategy, few understandably ended up following ideal approaches to zero trust networking or secure access service edge for minimizing security risks.
As some countries take tentative steps toward allowing businesses to resume more office operations, they will begin to reintegrate devices that had previously been out of reach of management tools. What are some measures that IT teams can adopt to ensure that a ‘return to (near) normalcy’ exercise does not also mean compromising on security? How can organizations make the most of this opportunity and make up for some overdue security updates? Here are three ways to do so, contributed by Chester Wisniewski, Principal Research Scientist, Sophos.
- Deploy a quarantine local area network for updating and cleaning employee devices
Many businesses have been unable to continue regular (and forced) installation of updates for their employees’ work devices. Consequently, there may be a significant number of laptops and other connected devices that will be re-added to the company Wi-Fi without having been updated in weeks or even months. This is where a different kind of ‘quarantine’ may be a crucial measure here.
Restrict these devices to a specific local area network (LAN) where they can be safely updated away from everyone else, to ensure that when devices are all joining the larger corporate network, they are on an equal field of protection. Think of it like a vaccine rollout, but for your work computers.
- Audit the software your employees have been using
Employees have had to do what they can to get by, right down to the kind of software or tools they have installed themselves on their work devices to make their jobs easier in a time of crisis.
On the one hand, you have got to admire their ingenuity! But at the same time, company-owned devices coming back onto the corporate network loaded up with applications that had not been sanctioned by IT can open the door for security risk.
As employees return to the office more regularly, roll out an IT audit program to determine what tools employees used or downloaded on their own. This not only helps give IT better visibility into where to protect and control sensitive data on company devices, but also doubles as a useful learning opportunity for identifying gaps in your remote work strategy.
- Weed out personal cloud services and removable media
Remote workers who have gone the past year without corporate VPN access may have had to get by with personal cloud services or removable media (USB storage) for sharing company files. But as these devices become reintegrated into the corporate network, make sure to weed out these practices ASAP. Files shared over personal cloud services or removable media storage are difficult to encrypt, do not lend themselves to overall IT visibility, and are just too easy to ‘lose’.
As part of the reintegration effort, companies need to make a concerted effort to raise awareness among employees about the organization’s officially sanctioned tools and cloud services—for example, corporate cloud logins and services that the company has accounts with. IT teams need to help migrate data and files from personal storage to corporate-owned storage, and ensure along the way that employees have all the right access privileges to those services.
According to Wisniewski: “While returning to the office after a year of remote-working might be a bit of a shock to the system, businesses can make this process an overall net good. This is an altogether excellent opportunity for businesses and IT team leaders to roll out new policies that not just do a better job of securing and modernizing employee devices, but make bigger changes to remote working strategies that can facilitate even greater levels of security and access. ‘Back to normal’ doesn’t have to mean ‘business as usual’: this is a golden opportunity for organizations to carry the ball forward.”