Every CIO understands that the pandemic was a major disruption to their business and the importance of information technology. Their workplaces went from being filled with people to being deserted. Now that vaccines have become available, those workers are starting to trickle back in. However, the workplace as we used to know it may never exist again. Instead, it’s going to be transformed into a new environment. Not all of our workers are coming back and not all of the ones who are coming back will be there all the time. How is a CIO going to secure this new hybrid work environment?
The Office Has Changed
For many CIOs and employees, there is a measure of relief in returning to the office – especially for those who have the flexibility of continuing to work from home part of the time. But for those CIOs who are working to protect their offices from hackers, the new hybrid workplaces aren’t nearly as welcome. In a typical hybrid workplace, some team members will be in the office, some will be working from home – or spaces like coffee shops and client headquarters – and some will be cycling back and forth. Computing devices, too, are moving in and out of the company network, with employees bringing their laptops onto company networks and then taking them back home – where they’re much more exposed to hackers and can easily get infected with malware.
So, people with the CIO job are faced with the task of supporting a constantly changing mix of office workers and remote workers, and company and home devices. Whereas in the past security teams were able to focus on protecting the remote workforce during stay-at-home orders, doing so when employees are in the office for certain days of the week and at home for others will be difficult. It’s hard for CIOs to maintain a security staff that looks one way in the data center or one way in an office, and then one way for remote employees. Making things even worse: CIOs understand that security teams have been stretched thin by the demands of the pandemic. For the past year, these teams had to make sure that everyone is equipped to work from everywhere and can use critical tools such as virtual meeting rooms. Things are going to get tighter now that businesses are hiring more workers and launching into new projects they had put on hold during the pandemic.
The issues associated with hybrid work follow a bruising year for CIOs who were caught flat-footed by the coronavirus pandemic, many of which had to move to a fully remote model for the first time – and often almost overnight. Hackers were quick to realize that team member’s insecure home networks and a lack of security controls typically found on corporate networks could work to their benefit. Cyberattacks jumped 238% globally last year. Those attacks have continued to hammer corporate networks, and in many cases target the technologies that CIOs implemented to quickly provide for remote work, such as cloud services. A report found that attacks against cloud-based email, remote desktop applications and similar technologies designed to assist with remote work all increased last year.
Dealing With The New Workplace Reality
Many organizations probably rushed the move to remote work and perhaps they haven’t done it in the right way. Now, the task gets even harder, as some team members return to the office, some stay home and some do both. One of the most basic problems security teams will be facing is getting their machines up to speed with the latest software patches. These updates are released constantly by manufactures to ensure that security vulnerabilities aren’t left open for hackers to exploit. If companies miss just one of these patches, they can pay a high price in terms of their vulnerability. Now CIOs are wary of the number of devices that may have sat idle in offices for over a year – turned off and unable to download patches – while employees have been absent. CIOs need to realize that we’re not talking about just one patch, but potentially dozens or hundreds.
Of equal concern are devices that have been used by team members during remote working. Because of the extended time away from the office, team members may have gotten negligent about installing patches, leaving machines vulnerable when they reconnect to the corporate network. Companies tend to push a lot of the patching stuff down to their end users but if they have not connected to the network in a long period of time, it’s not possible to know what’s left unpatched out there. When it comes to team members’ work-from-home devices, it’s not just a lack of patches that’s a problem. It’s the fact that many team members have gotten lax about security practices while stuck at home for so long. A survey of 2,000 workers found over half had connected work devices to public wireless networks, which are often regarded as insecure. Another survey of over 3,000 workers found that over half of respondents had used work devices for personal business such as online banking and downloading apps, and over a third had connected them to smart home devices such as speakers.
Bringing those machines into a company network, where they might spread infections and give hackers a beachhead, could be a dangerous thing to do. Instead, the safest thing for the person in the CIO position to do may be to have personal devices log into a “quarantine network” . Under this model user devices would connect to a network that is separated from corporate systems until security staff can ensure the devices are both free of malware and appropriately patched. Security teams must also be vigilant for deeper threats that may be waiting in employee devices. This can include malware that can stay asleep for some time before it awakes and allows for further infection. Will quarantining work on a continuing basis? Quarantine networks may be difficult to manage if team members are in and out of an office frequently and have to continually quarantine devices, rather than doing so once during a full office return. CIOs need to understand that improving identity management and other core zero-trust concepts can go a long way toward foiling hackers, who often rely on compromised credentials such as breached usernames and passwords. CIOs need to focus on strong identity proofing, not only of individuals but of devices, too.
What All Of This Means For You
The world in which CIOs work has undergone some significant disruptions. The pandemic caused all workers to have to switch, almost overnight, and become at-home workers. Now that things are starting to change, there is the possibility that those at-home workers may start to come back into the office. However, things are not going to be the same. CIOs need to understand that changes are going to be happening and they have to start to get ready to deal with them.
The workplace is changing. The new workplace is going to be a hybrid environment. Some workers will be in the office and some will be at home. Who is where can change day by day. This means that computers will operate in both environments also. Making sure that all computing systems are up-to-date with their patches will be critical. A big problem that CIOs will be facing is that many team member’s home networks may be insecure. Devices that sat idle may also have not been updated while everyone was out of the office. Team members may have also gotten sloppy when it comes to safe security practices. Connecting compromised laptops to the corporate network may be a bad idea. A better idea might be to create a quarantine network that laptops can connect to before being allowed to connect to the corporate network.
CIOs need to understand that everyone on their team is getting ready to go through a number of changes. As they filter back into the office, we need to be prepared for the security issues that they are going to be bringing with them. We need to be aware of what threat our team members may be facing, how we can deal with them, and how we can go about securing our new hybrid workplace. If we can stay on top of all of the new security issues, then we can create a safe work environment and perhaps even get some work done!
– Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™
Question For You: What would be the best way to get team members to secure their home networks?
Click here to get automatic updates when The Accidental Successful CIO Blog is updated.P.S.: Free subscriptions to The Accidental Successful CIO Newsletter are now available. Learn what you need to know to do the job. Subscribe now: Click Here!