Zooming Back Into the Office–Securely

As work arrangements focus on the return to office plan CISOs can improve cybersecurity, while supporting flexible work.

There are many things people wish to have had the foresight to do in early March 2020, and “buy Zoom stock” would certainly be among them. Indeed, the video meeting provider's stock [NASDAQ: ZM] shot up over 450% at one point.

This week Zoom announced that they are requiring people to go back into the office full time. And while remote work has certainly become a way of life, it appears that hybrid work and/or going back to the office full time will be just as commonplace. With that in mind, we wanted to take a moment to explore the evolution of flexible work trends over the past few years, and share some ideas around what could happen next within your organization.

Previously in these pages, we’ve discussed various work arrangements and cyber best practices as the unplanned (and at the time seemingly indefinite) shift to remote work was forced on IT and Security leaders across the globe. This pendulum swinging back to office work has been slowly building momentum, and now seems more inevitable by the day.

As organizations push for the majority of employees to return to the office, flexible working arrangements and virtual work will absolutely remain a reality. What this means to cyber culture and awareness is an increasing, not decreasing, need to refashion engagement and delivery.Improvements in measuring, understanding, and lowering human cyber risk must be carefully considered across all of these diverging workspaces.

With Zoom going back to the office and the overall trend now fully established, we wanted to jot down some quick reminders about how to bring remote workers back into the office securely. What follows is a consolidated commentary from some of the cybersecurity leaders we've been in touch with over the past few years:

1. Quarantine. One way in which some CISOs have discussed handling devices coming back inside the office firewall is by initially keeping them on a separate network until they have passed planned tests and checks. This presupposes that devices inside the firewall are not in a strict zero trust environment, and offer broader access to more sensitive information with less restriction while on the network. (Side note: think about some behavior-based approaches as a more secure cybersafe stance.) 
2. Personal Cybersecurity Still Reigns. In the words of Winston Churchill, “never let a good crisis go to waste.” Okay, that might be extreme but the potential for opportunity from crisis is certainly clear here. Many organizations were successful in reminding staffers about their personal cybersecurity habits, including things like good passwords, how they handle PII (Personally Identifiable Information) be it their own or their clients, and where and how they store data and with what kinds of protections. These are lessons that should stick with staffers and offer a chance to reinforce their importance, regardless of where they happen to be sitting when they plug in their laptops. 
3. Be Circumspect. Many cyber risks still happen on the way to and from the office. For example, think about the nosy “shoulder surfer” behind you on the commuter train. Lessons learned helped staffers think about a 360-degree view of cybersecurity, and to protect phones, laptops, tablets, etc. Whether those are corporate or personal devices, not only do they have the bits of data hackers need, but also sometimes the token-based authentication within the device that can give them needed access to breach systems. Employees should be encouraged to think in this fashion as we go back in the office and will improve our overall security posture all around.
4. Multi-Factor Authentication. Okay we know it, employees generally don't love extra friction in their login process. That said, the occasion of coming back into the office and exactly how that happens is a perfect time to implement MFA. While organizations had been enticing workers to come back, it's more of a mandate now, and it could be the right time to enact some new rules which will help the overall organization become more cyber-aware
5. Be the Culture Warrior. As we've always said, and is often touted by cyber thought leaders, creating a culture of cybersecurity awareness is the absolute best defense. There is nothing that an organization can do to better equip themselves to avoid breaches, data leakage and embarrassment than to really spend time, energy and money on building cyber-aware humans.

The return to office plan will present a range of challenges, but also opportunities with the onset of more flexible work and hybrid schedules. Risk is ever present anytime there is a fundamental change to “the way things are done,” and people are going to adapt, for better and for worse! Using culture-based approaches, as well as designing audiences in a more situation based/jobs-to-be-done method, can make the design and delivery of security reminders, messages, and content more impactful and long-lasting. It’s our view that working diligently to help employees proactively prepare for change, as well as utilizing positive psycho-cultural approaches can have the greatest impact on improving overall cybersecurity posture.