By John Pirc, Director of Product Management at Alert Logic
COVID-19 has changed the way we do business and in order to remain viable, almost every industry had to accommodate a virtual workforce to some degree. Technology certainly has its advantages, but working from home can also come with a lot of drawbacks. The work-life balance has blurred, and people have spent even more time online for work, school, shopping, entertainment and socializing.
As a remote/virtual executive in cybersecurity, my average work week went from ~55 hours to ~80 hours. This became the new normal, working weekends and helping my children with school. I love my job, and to me it’s like playing Xbox; however, 80+ hours is not a happy work-life balance. The return to the office is a great thing for social interaction and collaboration. This will start to regulate the work-life balance as life starts to return to a sense of normalcy.
To execute the shift to a remote workforce, many organizations accelerated their transition to hybrid cloud infrastructures, complicating their efforts to maintain security against cyber threats. Enterprise-grade security for remote users has been a challenge, as corporations had to rely on endpoint and cloud-based security. Security is easier when you have control, and the return to office puts more control on the endpoint. The human element is always what causes a security breach, whether it is lack of patching, poor hygiene, password complacency, etc. While organizations will never be 100% secure, the return to office enhances the security team’s visibility and understanding of assets. Shifting back to office gives more visibility to the infrastructure as a whole, rather than every person operating remotely.
Collectively, the pandemic has completely restructured how we all do business. Having spent most of my career working from home, I’ve gained a seasoned appreciation for the importance of separating business from personal use on a corporate laptop. The pandemic has closed the gap on forcing more people to work from home, increasing the risk to any organization, especially in the SMB and mid-sized market. Don’t get me wrong – these organizations may have the basic security controls, but their security teams are lean and don’t have the type of funding and expertise of a large enterprise corporation.
The shift to work from home placed all industry verticals in the same conundrum, especially those that didn’t have a remote workforce. The big question is: “How do we secure the remote user?” Working from home can be secure given a couple of basic technologies such as a VPN (Virtual Private Network) client and Endpoint Detection and Response (EDR). However, companies need to factor in the human element and trust that employees are maintaining good security hygiene, especially for the executives and leaders of the company.
However, it’s not just technology that keeps you secure but also people and processes, which isn’t often highlighted. The people aspect of reducing risk is addressed through education. Education can be delivered through corporate-delivered phishing campaigns that assess security awareness, with the issues they uncover addressed through training. The process aspect can be achieved by password enforcement (password rotation and changing passwords every 90 days, etc.) and by ensuring all cloud-based systems and SaaS applications are configured securely, which would happen regardless of whether the user is working from the corporate office or home.
Protecting an on-prem environment is tough enough, but it’s less complicated than protecting remote workers. The transition to remote work presented openings to bad actors, in effect stress-testing some organizations. Lessons learned securing data assets during the pandemic could serve to create a more secure hybrid environment when people return to the office, as more companies have deployed new best practices to accommodate a shifting workforce dynamic.