The speed at which both Government and large corporations adapted to the COVID-19 pandemic and made working from home the new normal is truly impressive. This sort of flexibility was business as usual for many small corporations but was often frowned upon by many traditional C-Suite executives.
Now that working from home is the default setting for many organizations, the realization is setting in that, in many cases, this new normal is actually increasing productivity and could lower the costs of doing business. The long-term normal may consist of a type of hybrid model with less office space and more people working remotely. As is often the case with swift decisions to change, support mechanisms such as security must rush to catch up.
For example, the COVID-19 pandemic rapidly increased the videoconferencing app Zoom’s user base and stock price only to see previously unforeseen security weaknesses exploited. The scale of issues led to an apology from the founder and CEO of Zoom and a commitment to addressing privacy issues before adding any new features.¹
Security should never be an impediment to progress, and our current environment is no different. The technology and equipment exist today to enable employees and contractors working from home to do so in a secure and safe manner. However, we may need to rush to catch up to the new default setting. In many cases, all that is needed is to expand the security principles that are already in place at the office to recognize that the business environment has expanded. In threat risk assessments conducted at places of business, Presidia’s security professionals examine issues such as:
- What are the assets being protected and the impact to the organization if they are compromised?
- What is the threat to these assets?
- What security measures are already in place?
- What, if any, is the residual risk left to the assets when one considers the threat and existing security measures?
- What recommendations are needed to reduce the risk to an acceptable level?
In the course of dealing with many and varied clients, Presidia has conducted residential security assessments in the past. These assessments had a different focus: they often concentrated on the safety of executives and their families and on sensitive information and assets that may be brought home occasionally.
We have also conducted security assessments of many small offices that were applying to connect to servers containing sensitive corporate, Government or personal information. Our assessments assisted in ensuring that the appropriate security measures were in place at these sites before they were authorized to connect.
The new normal will likely require a hybrid assessment somewhere in between these two examples. Residences will need to be examined recognizing that they will now be an extension of the workplace. We will need to recognize that the volume and sensitivity of the information being dealt with offsite has risen considerably and will likely stay that way.
We must also recognize that it is imperative to move quickly to get proper tools in place that allow us to access and exchange the information we need to work effectively offsite. Pretending that sensitive information is not required in this setting and maintaining a blanket prohibition on existing tools will only lead to employees finding their own workarounds, potentially leading to more risk. It is imperative that organizational leaders have a clear understanding of the security risks facing them and make informed decisions based upon that knowledge.
Some security issues to consider are:
- Identifying positions or employees that will need or want to work remotely over the long term.
- Instituting security assessments for residences and smaller satellite offices that will now see a substantially increased volume of work.
- Enabling remote work with the appropriate physical and cyber security tools.
- Expanding our security awareness training to adapt to the new environment.
- Expanding our security monitoring and reporting to the new environment so we can identify issues early and learn from them.
Presidia Security Consulting, a member of the ADGA Group of Companies, has extensive experience conducting security assessments of residences and small satellite offices. We frequently deal with executives and other employees who need special consideration due to the nature of the information that they carry or where they need to work. Should you require further information or assistance, we can be reached at firstname.lastname@example.org.
The author, Stephen Moore, is Principal and Security Strategy lead at Presidia Security Consulting. He can be reached at email@example.com.