Security Think Tank: Hydration, hiring, hacking – lessons in post-Covid risk

With Covid-19 restrictions easing, offices are welcoming back remote workers this summer, bringing with them their notebooks and mobiles, and creating an endpoint management headache for CISOs. What do security teams need to account for to protect their returning office workers?

I recently spent a day in my office again after more than a year away from it. Three things stood out to me – hydration, hiring and hacking. Each offers a lesson in post-pandemic risks, and how to handle them.

Hydration was the simple observation that I’d left a cup on my desk a year ago, and immediately wanted to go and clean it, but couldn’t because we had closed the office break room and the water fountain. If you’re going to be one of the first back into your office, think about bringing some water with you. 

Thankfully, the person who organised my in-person meeting had had the foresight to clear out all the long-expired bottled water in the conference room and get fresh, sealed bottles for everyone who needed to be there. Never underestimate the value of good provisioning.

The reason I was thinking about hiring was that I got to meet two senior execs in person, neither of whom had ever been to our office before, despite doing some great work since they came on board. It was a pleasure to see them in person and show them around, but the excitement had a bittersweet tinge, because several of the empty desks I walked past still bore the names of people who had left the company since I was last in there.

It’s been a time of enormous change for all businesses. In my case, I have a new head of engineering who had never seen the floor layout of the team he had been leading on one of the fastest-moving and most innovative projects we’ve ever done. It was a startling reminder of how much shaking up there has been – a mix of good and bad, but with far more on the good side. Working from home has been like putting everyone into their own rocket ship – we’re moving faster than ever before, but everyone is isolated.

As for hacking, well, all healthy networks are changing. The zero-trust mentality has really taken root now, and the old “hard shell” networks are finally going away, after years of us security professionals complaining about the dangers of a hard network perimeter, with its tacit assumption that everyone inside the walls could be trusted.

These ideas were gaining mind share before the pandemic, but the disruption of the pandemic itself has presented an ideal opportunity to change how networks are laid out, and where policy is enforced. In the real world, you can’t refit the engine on an aircraft in flight, but the pandemic rush to get everyone productive when working exclusively from home was a form of forced landing for the network, and savvy security teams seized the chance to refit while the opportunity was there.

I saw this for myself on my first day back in the office – I had to reach the main code repository, and I had to authenticate to do it. In the past, I wouldn’t have had to do that from my work desk – only when at home. Once we all worked from home, it created the opportunity to break the old assumptions and make a uniform environment – if you want to access the company’s crown jewels, you have to prove you have the rights to do so.

These three lessons encapsulate what the pandemic has meant to risk professionals. The difficulty I had in obtaining a simple glass of water may not seem like much, but it’s a reminder of the webs of trust we have, and how easily they can be disrupted. The changes in headcount (positive and negative) built up over a pandemic served as a reminder of how fluid job roles really are, and why it is so essential in security to have good onboarding and offboarding processes.

And finally, the move to zero-trust is a great opportunity to be seized. Employees can be very resistant to change – it was no easy thing to implement zero-trust properly in a pre-pandemic network, just because people were used to working in a place that trusted them based on being in the office.

However, everyone has had to get used to working from home, where logging in, firing up a VPN, or authenticating to an SSO or SASE solution of choice has become routine.

So now is the time – help your employees bring that home work experience into the office. That means granting flexibility, but in return, you can finally establish realistic zero-trust, where users have to show their credentials rather than being allowed to do whatever they want simply because of where they are.