How to ensure cybersecurity as staff return from home (with dodgy devices)

Businesses survived the cybersecurity risks of the pandemic. Worse is to come.

By guest author Chris Stokel-Walker. He is a Freelance technology and culture journalist and author of YouTubers: How YouTube Shook Up TV and Created a Generation of Stars, his work has been published in The New York Times, The Guardian and Wired.

When the world changed, so did the way we do business. In an instant, workplaces shifted from offices to kitchen worktops, front rooms and spare bedrooms. It was a cybersecurity nightmare that some businesses struggled to handle: in 2020,  reported a breach or attack.

The proportion of businesses reporting a cyberattack has dropped seven percentage points in the past year, according to data gathered by the UK Department for Digital, Culture, Media and Sport. But as the world of work begins to get back on an even keel and businesses adapt to a hybrid world of working from home and in offices, there are more new challenges to face.

How to handle the return to work

“From a managerial perspective there may be issues with how the return to work will be handled,” says Abigail McAlpine, a cybersecurity researcher at Sheffield Hallam University. “How organisations handle the human aspects of security coming back to a centralised workspace is equally as important as the technical.”

McAlpine suggests businesses engage their employees in a crash course around cybersecurity as they begin to return to the office – even if it’s only as part of a hybrid working arrangement. “A lot of things that may seem basic may have felt unnecessary to individuals working alone and secure at home, such as locking computer screens when leaving the desk, or password-protecting their devices,” she says. While such things may be common sense to some people, if individuals need reminding of it then it’s not that commonly held.

It isn’t just reinstating good cybersecurity habits that businesses might need to do. In the rush to ensure business continuity when the pandemic first struck, many workers made do with whatever devices they could get their hands on – including shared tablets, phones and laptops that are passed around a family – and which now hold the keys to a business kingdom. “Anyone in a position of authority should encourage a conversation about the potential security issues with a bring your own device (BYOD) policy,” says McAlpine.

At SoPost, Grubin issues employees with a company laptop or computer. “It’s supposed to be for business purposes only, but I’m sure people may watch Netflix on it,” he admits. But additional security is bolstered through a remote device management programme called Jamf, which allows machines to be set up remotely and security patches installed by the company’s IT department. “Security is important but when people are busy in their role, notifications to update things may not be a priority,” says Grubin. “Jamf allows us to see the status of every device, so we know exactly what everyone is running.”

Starting small to resecure cybersecurity

The idea of understanding an entire organisation’s cybersecurity needs may seem daunting when businesses are struggling to navigate the return to offices. Yet businesses are conscious of the risks involved. Four in 10 businesses told web-hosting company IONOS that they have a cybersecurity skills gap. “Security departments will need to prepare a proactive security plan with specific policies to make sure their staff can continue to use these devices in the office,” warns Davis. “It’s better to have an extra layer of security than suffer the consequences of a breach.” But there needn’t be a significant undertaking – employee education can go a long way.

“Half an hour of discussion around potential issues, gathering employees’ insights, opinions, and questions allows for better opportunities to understand the risks facing an organisation both short term and long term,” says McAlpine. The great working reset is an opportunity to create a security-conscious culture within an organisation. McAlpine suggests appointing security ambassadors to lead the rethinking of cybersecurity issues and to smooth the transition to the new world of work. Above all, she advises putting issues front and centre in every employee’s mind. “Security is an element of every employee’s role, not just those in IT,” she says.

Yet it’s also vital for organisations to acknowledge the changing way of work. Employees won’t always be in the office and under the watchful eye of colleagues and their IT department. As hybrid working takes hold, the movement of devices into and out of offices is inevitable. So a new contract with employees is important that takes into account the realities of working life nowadays, while keeping things as secure as possible.

Forewarned is forearmed

“Remote and hybrid working look set to become the norm for millions and businesses need to ensure that information security and privacy management systems are overhauled to reflect the changes to the threat landscape,” says Steve Lamb, principal consultant at Bridewell Consulting. It’s unrealistic not to expect employees to use their home computers or networks to dip into key work documents and files. But instead of barring them outright, it’s important to try to secure how those devices connect to a work network. 

“Organisations will need to prevent employees from connecting to business networks and using personal machines that don’t have basic security controls,” says Lamb. Likewise, it’s better to allow employees to access internal networks – where security checks and encryption are likely to be stronger – than to save files locally on poorly secured storage, warns McAlpine. Loss or misallocation of data is more likely when saving things off work networks. Companies without appropriate BYOD policies will find it harder to track documentation when it is stored or shared to different devices.

Aside from official policies, a large part of managing risk involves managing people. “It’s a lot of education, and talking around things,” says Grubin, who ensures employees undergo security training and general rules around sharing information. It’s a model that keeps his company safe – and could help keep yours safe, too.

This feature was first published by Raconteur.