As some companies are considering reopening, the traditional office setup is required again as employees cease working from home. How will IT handle it? What will the office look like post-COVID?
When COVID-19 became a global epidemic, employees of companies and organizations, through no fault of their own, were forced to work from home. While considering security issues, IT put all the tools in place to allow work to continue on the unspoken understanding that they'd be held responsible in the event of a data breach. Unfair but right – the CIO always gets fired after a data breach, regardless of the actual cause, be it PICNIC, hacking, or meteor strike. However, as reported by TechRepublic, some companies are asking for trouble, with Morphisec's 2020 WFH Employee Cybersecurity Threat Index indicating that more than half of WFH workers are using their personal computers for work while being unsure of their security status.
Currently, IT must consider how they will handle a return to the actual normal, where WFH is no longer necessary, and employees are office-based. How will IT achieve this? Is a simple reversal to their previous infrastructure setup the answer? Will companies embrace a hybrid model where employees commute to the office one or two days a week and work from home the rest of the time? It depends on the company, its activities, and management attitudes, i.e., there is no one-size-fits-all solution.
As IT Pros, The First Step Is To Define What You Can Ignore
IT, for the most part, and I include myself among them, doesn't care about possible HR or Finance issues relating to payment, counseling requirements, or any other COVID-related issue that does not affect IT or technical goals. Sure, employees may not like returning to the office or the long commute, meetings, micromanagement, etc. But IT's role is purely focused on making sure that all employees have the tools to perform their jobs (along with security and a long list of other tasks). We are also not interested in employee lockdown experiences, and we don't care that many of the tech giants such as Google, Facebook, Apple and Twitter have already announced that WFH will continue into 2021 or even 'forever'. Many companies that are not in purely technical fields will not have this choice.
In terms of the onsite IT infrastructure, hardware will not need replacement or upgrades. Servers, desktops, and portables (such as laptops, tablets, and even smartphones) will remain unchanged apart from some permission reconfiguration if employees are permitted or denied the ability to telecommute on a part-time basis. In my opinion, a form of 'agile' IT is best as it allows the company to maximize productivity, regardless of employee location. Why not have the best of both worlds? Otherwise, all the excellent work carried out to enable WFH has been wasted. What happens during the next emergency?
While IT has an ill-deserved reputation for not playing well with other departments, in this instance, IT must work with facilities to ensure that the post-virus office environment complies with any active requirements from health authorities in your area. While the location of hand sanitizers, masks, etc. is unrelated to IT (unless there's 'smart sanitizer' available now?), the office layout will almost certainly change to meet social distancing guidelines. This could mean larger cubicles, partitions, or even new individual offices with breathtaking views.
It's possible that some rewiring, ducting, and cabling will be needed. Might you need to add a workstation for temperature checks?
Once the new layouts are in place, it's time for IT to connect everything once more before the employees return to work… we can't wait. Remember to sanitize all IT equipment using recommended methods such as sandblasting or even alcohol-based wipes.
It's time to greet the returning employees by commandeering their mobile devices and auditing (or sanitizing if you prefer) them for a checklist of issues. Note that it's best to bring back employees in batches, especially if a large workforce is involved. Also, consider who really needs to return to the office.
Then, assuming all devices are company-owned or at least subject to a BYOD policy, IT must exercise due diligence and audit all devices BEFORE they are connected directly to the company network. Failing to do so means any malware on a device is already inside all firewalls the moment it connects, which creates perfect conditions for a data breach or ransomware attack.
The audit checklist will check for a variety of potential problems and will include but is not limited to:
1. Device Scan
This involves, yes, you guessed it, a complete scan of the device using authorized security software. Remember to run all updates before starting the scan. Depending on scan results, you may need to remove viruses, trojans, or malware.
2. Software Audit
Doubling as a way to eliminate shadow IT, at least temporarily, a software review allows IT to remove the junk installed at home, whether it's unauthorized software, games, or collaboration tools with known security flaws. Bear in mind that any tools that transfer files without an auditable trail must be removed, since e-discovery and privacy laws carry heavy penalties if a data breach occurs. Management must inform IT of their plans for the future, whether WFH will continue on a full-time or part-time basis. In addition, the company must confirm its list of approved tools for collaboration and remote access.
3. Updates and Patches
As part of regular maintenance, patches and security updates are installed companywide, but when working from home, users are rarely as diligent about performing these tasks (or lack the permissions to do so). Bring the OS and other authorized software up to date according to company policies, under which any updates are tested before being installed on all devices.
4. An Audit Trail?
All companies are subject to regulations, and nowhere is this more important than when sharing company data. Just because employees are working from home does not eliminate company responsibility when it comes to personally identifiable information (PII) or data breaches. Retain control of your data in all work environments by using an MFT solution with VPN access for remote parties.
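As an added illustration (not part of the original post), the four checklist items can be expressed as a pre-connection gate over an audit record collected from each returning device. The record fields, approved-software list, thresholds and sample devices are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Policy values below are constructed for illustration, not taken from the article.
APPROVED = {"corp-av": (12, 4), "corp-vpn": (5, 2), "mft-client": (3, 1)}
MAX_SCAN_AGE, MAX_PATCH_AGE = timedelta(hours=24), timedelta(days=30)

def parse_version(text):
    """'5.10.0' -> (5, 10, 0), so 5.10 compares above 5.9 (string compare gets this wrong)."""
    return tuple(int(part) for part in text.split("."))

def audit_device(rec, now):
    """Apply the four checklist items to one audit record; return (admit, findings)."""
    findings = []
    scan = rec["scan"]
    # 1. Device scan: updates must precede the scan, which must be recent and clean.
    if scan["definitions_updated"] > scan["started"]:
        findings.append("scan started before definitions were updated")
    if now - scan["started"] > MAX_SCAN_AGE:
        findings.append("full scan is stale")
    findings += [f"unresolved detection: {d}" for d in scan["detections"]]
    # 2 and 3. Software audit and patches: flag shadow IT and versions below baseline.
    for name, version in sorted(rec["software"].items()):
        if name not in APPROVED:
            findings.append(f"unapproved software: {name}")
        elif parse_version(version) < APPROVED[name]:
            findings.append(f"{name} {version} is below the approved baseline")
    if now - rec["os_patched"] > MAX_PATCH_AGE:
        findings.append("OS patch level is stale")
    # 4. Audit trail: file transfers must leave an auditable record.
    if not rec["transfer_logging"]:
        findings.append("file transfers are not logged")
    return (not findings, findings)

NOW = datetime(2020, 9, 1, 9, 0)  # fixed clock so the result is reproducible
# Constructed sample records for two returning laptops.
DEVICES = {
    "laptop-017": {
        "scan": {"definitions_updated": NOW - timedelta(hours=3),
                 "started": NOW - timedelta(hours=2), "detections": []},
        "software": {"corp-av": "12.4.1", "corp-vpn": "5.10.0", "mft-client": "3.1"},
        "os_patched": NOW - timedelta(days=6), "transfer_logging": True},
    "laptop-042": {
        "scan": {"definitions_updated": NOW - timedelta(hours=1),
                 "started": NOW - timedelta(days=3), "detections": ["Trojan.Generic"]},
        "software": {"corp-av": "12.4", "corp-vpn": "5.1.9", "file-drop": "2.0"},
        "os_patched": NOW - timedelta(days=95), "transfer_logging": False},
}
```

A device is admitted only when its findings list is empty; anything else stays on an isolated segment until the findings are cleared and the audit is rerun.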
While there are other issues, they lie outside the scope of this post (WFH tips, for example). Suffice it to say, all remote employees should receive security alerts/tips and allow admin access to ensure security software and all patches and updates are installed as needed.
In conclusion, COVID-19 has changed how we work forever, and in a short time. Some have found WFH more productive, while others crave the social aspect of the office. It remains to be seen what companies will take from the experience. Fingers crossed it will lead to a flexible working environment for all. On the plus side, the experience has allowed companies to test and make their business continuity plans more effective for future disruptions. Odds on a zombie apocalypse? Anyone?