Search

Back to the office again!! But make sure the transition is smooth

Prime Minister Boris Johnson announced today (January 19) that, from January 27, his Plan B restrictions that came into effect on December 13 would be scrapped, as the Omicron horizon begins to look a little clearer.


This means that face coverings will no longer be mandatory on public transport and in shops, the need for vaccine certificates for certain venues will end and the guidance to work from home will also be lifted.


The latter point will please those workers who may have been forced to set up remotely in their spare rooms, bedrooms, sheds, lofts or on sofas!


For others, there may be more of a hybrid approach, 2 days in, 2 days at home or similar. But however you return to the office, doing so comes with cyber risks which both employees and employers should be mindful of.


It's imperative that companies address increased cyber threats and create or update security protocols, processes and employee engagement initiatives.


Let’s take a look at some of the measures companies and their staff should consider when returning to the office.



Re-entry to the Office Network


It’s important to create or adapt your protocols and processes for a full return or hybrid scenario. Even if all staff continue with work from home, your policies and procedures will need some level of overhaul.


While many aspects of work life will return to traditional services and solutions, it may be advantageous to rework those services and solutions using the new methods adopted over the past year.


Plus, many organisations are choosing a defined ‘re-entry’ process that might look similar to an onboarding or new employee process. This provides a greater level of rigour and certainty, giving you more confidence in your risk mitigation status.


Good Device Hygiene


It's not unfeasible to assume that a range of new devices, personal computers and mobile phones will have been connected to company data and accounts.


Devices at home may have been left logged in to company accounts. This could pose a risk to data and secure systems.


You should:

  • Ensure your users are logged out of all company systems on home devices

  • Advise them to delete any company data they have downloaded on personal devices

  • Advise them to uninstall any VPN software they have downloaded to access company networks on home computers


Phishing


Phishing remains the number one cyber security risk to look out for and with transitional work environments come opportunities for hackers.


During the pandemic there has been a wave of new phishing emails using fear and curiosity about the virus to get victims to download malicious attachments or give up their personal details (search for Phishing on this site to see some of our previous blogs).


As people are returning to their offices, malicious actors are making use of this opportunity to dupe innocent users.


Employee's should be instructed to:

  • Never send passwords over email

  • Think twice before reacting to an email that tries to create a sense of urgency

  • Never click attachments in unexpected emails before verifying the email with the sender

  • Avoid hitting links in emails that you didn’t expect to receive


Password hygiene in the office


When returning to the office, employees will have to log in to devices which they may not have used for a while. They may also have forgotten some of their passwords.


The switch back from personal to work computers or other devices will also pose multiple challenges. On personal devices, it's often the case that simpler passwords are chosen for simplicity of access.


It’s important to remember that secure passwords are one of the most important keys to protecting devices, systems and data. An insecure password or a password written down for unauthorised users to find can quickly expose the whole company network to infiltration.


Employee's should be instructed to:

  • Ensure all accounts are protected with a strong password or passphrase (Current advice is to pick three random words and combine them together to have a strong but memorable password)

  • Never send passwords over email or text, or write them down on paper notes

  • Use account privileges rather than shared passwords with colleagues to access company accounts wherever possible

File Transfers


There is also the issue of transferring files from home to work computers. As many people will have been working from personal devices, they may have many documents they need to transfer back to their work computer in order to continue their work.


The best advice here would be to Zip and Encrypt. Then, by putting these files on an encrypted USB stick or hard drive, it will make them more secure than simply trying to email them to yourself.


Avoid Unauthorised Access


Unauthorised access could lead to devices and physical data such as printed documents becoming stolen or otherwise exposed.


Employee's should be instructed to:

  • Never share or lend keys or ID card to anyone - even colleagues.

  • Watch out for people following them through locked or swipe-card access doors into secure premises

  • Never leave keys on desks or in other places where they could be picked up by someone else

Map Potential Weak Spots in a Hybrid Work Scenario


Your IT and Security departments face three potential work location scenarios that all affect your risk and transition plan:

  1. Employees will continue to work from home permanently.

  2. Employees will transition fully back to the office in the near future.

  3. Employees will be using a hybrid, or flexible arrangement, working from both home and office interchangeably.

For employees who will be required to return to the office, planning, standards, and processes for these users will look different.


Depending on your scenario - now and into the future - multiple IT transition strategies could be needed.


Try using a standards-based risk assessment to ensure that your transition strategies are comprehensive.


Educate Employees


Whatever transition plan you develop, education will be key before, during, and after each major transition.

  • Update employees on new and adaptive threats.

  • Outline new and return protocols.

  • Create touchpoints throughout the transition to keep tabs on compliance as well as competency gaps where additional education is needed.


Looking Back & Planning Ahead


The business disruption of the past months has been monumental. Those organisations with no contingency plans were forced to adopt new plans. Those with plans were forced to use and expand their plans. For some, it was an acceleration of trends and plans that had been on the horizon for years.


Whichever camp you’re in, the optimal recovery path is not necessarily to go back to where you were, but to use the past year as a ‘disruptor.’ Use those learnings to motivate your teams to look at the traditional ways you do business and evolve practices beyond the inertia of the old ways.

 

If you're a company looking to re-train your staff in cyber security measures or maybe get your workforce back up to speed after the disruption caused by the pandemic, you may wish to consider our Security Awareness Training package. The training is a broad brush over some of the main cyber threats to the work place, and serves to either upskill or refresh your staff's mindset.


The training is available as part of our tiered membership options, starting at Business Starter level, or as a one-off session. For more information contact us via the website.



 

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).

 

The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.

 

EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.