Restarting business with security in mind

As governments start relaxing COVID-related lockdown requirements, staff will begin returning to the office in greater numbers. With health and safety paramount, what changes to working practices should be considered to maintain security and privacy hygiene and effectively manage your security team?

The CISO should ensure they're looped into conversations between Human Resources, Facilities, Legal and IT to guarantee adequate consideration is given to security and privacy in the new 'return to the office' environment. As well as providing input on the risks, the CISO should consider what practical guidance they could offer.

We’ve put together some questions to help you access the changes that need to be made.

• How can the security team operate during the transition period and what processes and behaviors should be retained in the long term?
• How can you enable the business to operate safely during this unusual operational phase? What risks are you willing to temporarily accept during the transition into the new normal?
• As physical distancing requirements ease in the longer term, what are the new physical security and data protection considerations around the office?

The security team has been working remotely for the past few months. How has this effected them?

• The organization may be returning to work, but schools may not be — do staff have children that they can’t leave at home? Do they have caregiving responsibilities for dependents?
• What considerations are in place for team members in vulnerable groups that remain in isolation post-lockdown or re-enter isolation due to contact tracing measures?
• Are there new practices and behaviors the team has adopted while working remotely that should be retained once offices re-open? What efficiencies have the team identified?

Security teams may have gotten used to working remotely, so what does their transition back into the office look like?

• Are they able to sit together in the same part of the office, with access to their previous monitors and equipment, or will space be reconfigured to accommodate newly spaced out business teams?
• Will the team be allowed in the office at the same time? If not, does this limit the team's ability to perform regular security activities?
• Do they still have access to the servers, backup safes and security operations spaces? Will there be a limit on how many people can use enclosed spaces at once?
• Has there been turnover in the team during remote working? Do they need new physical IDs or hardware? Are these in short supply, and could this affect their ability to work at this time?
• Where organizations require workers to prove they have tested negative for COVID-19 before returning to the office — can arrangements be made for the security team to undergo such testing to smoothen the transition?

As well as enabling the security team to work effectively in the new normal, it’s critical to support the business with privacy and security hygiene. How can you help them accommodate physical distancing measures?

• Employees and contractors may be spaced out across meeting rooms, breakout areas and cafeterias that aren’t adequately protected by physical security controls. Previously restricted areas may be used to accommodate workers that don’t ordinarily get access to them. Are you recording the changes made, or else advising on alternatives?
• Revised guidance on external visitors in public office areas may need to be provided, along with secure working guidance for employees in atypical spaces.
• Work with the facilities management team to understand how to provision secured hardware, security cables and privacy screens for employees.
• Could any physical security controls increase the risk of infection? For biometric controls such as fingerprint scanners, are there alternatives? Some doors will have been converted to automatic to avoid physical contact— have relevant security controls been adapted to support this?

There may be many new faces in the office, with some staff turnover during the transition. What affect will this have on the ability to recognize intruders?

• How are access and monitoring being handled for new onsite cleaning staff and contractors that may be brought in to deep clean the office? How is their physical access being managed? Are visitor IDs required? If so, are there enough?
• During post-pandemic deep cleaning efforts, cleaning staff may need to access areas not normally touched, such as server and comms rooms. How are you supervising access to these rooms? Are these contractors being vetted as usual?
• Many employees may still be wearing casual clothing or may be required to wear masks. What new guidance can be provided to teams to help them to recognize intruders, and challenge them politely?

Staff returning to the office may be remiss of good office practices having spent months at home. Remind them of your company’s security and privacy hygiene procedures.

• Are they continuing to wear staff IDs and lanyards? Are they using privacy screens and locking monitors when unattended?
• Are staff keeping desks and office printers clear of confidential data in compliance with clear desk policy?
• Be ready to provide new privacy screens, IDs, lanyards and key fobs and consider if it may be worth increasing the frequency of physical security hygiene reviews (including clear desk reviews) to re-establish the culture.
• Employees may have amassed confidential paperwork while working from home. Remind employees to collect and bring all sensitive data back to the office to be disposed of securely, and ensure confidential waste bins have enough capacity.
• As staff works remotely more often, remind them of the risks of taking data off site, and of policies around removable media, print copies and hardware.

Your organization's working arrangements may have permanently shifted.

• There may be a rush to come back to the office at first, but some employees will have gotten used to working remotely and may choose to work more frequently from home. How do you adapt your longer term controls such as insider threat monitoring?
• It’s critical to enable home working and to revise approaches to communicating security culture — for example, do posters on the wall work, when not all employees will see them?
• How can you evidence the measures you’ve taken during this time? If your organization has an ISO 27001 certification, which assesses physical security and employee security hygiene, how can you demonstrate you’ve been governing risks effectively?

If you have any questions or would like additional advice, please contact us.

Original article by David Ferbrache, Global Head of Cyber Futures, KPMG in the UK.