The idea of an entirely remote workforce was once a pipe dream, often dismissed as something that wouldn’t work. It couldn’t possibly work. Then, what once seemed impossible happened almost overnight, bringing years’ worth of change to organizations. A little over a year has passed since the COVID-19 pandemic began and we rushed to the safety of our homes. The dust has settled and most of the chaos of shifting the global workforce to working remotely is over. Organizations around the globe now face an equally daunting task: unwinding some or all of their remote workforce.
The pandemic forced many organizations to make decisions with far-reaching implications with little to no data. Fear was in the air, and everyone wanted to stay safe.
Your organization may have sacrificed visibility into corporate assets, such as laptops and mobile devices. You may have asked your employees to use their personal computers to perform company functions when equipment became hard to find.
In many ways, we all had a single job. It was to stay safe and keep our organizations operating. Unfortunately, this singular focus means we have faced challenges keeping the remote workforce safe. It also means we face a reckoning for those decisions.
In the coming months, as the raging pandemic becomes a whimper, we will begin to emerge from our homes and return to offices, stores, and businesses.
This means understanding the challenges that lie ahead. What do you need to consider when bringing operations back into the corporate offices? Let’s dive in.
Did your organization loan laptops or desktops for staff to use from home? Many organizations gave staff an allowance to buy a computer to work remotely. The specific scenario doesn’t matter.
The important question is “How can we bring IT equipment and data back without exceeding our risk tolerance?” Risk tolerance, or appetite, is different in every organization.
As you answer these questions, keep your organization’s risk tolerance in mind. Doing so will enable you to remain grounded in the face of potentially daunting decisions.
Did we maintain visibility into software updates and antivirus updates while the equipment was off our corporate network?
Without the ability to see the status of corporate devices you face a critical blind spot. Have these systems had updates applied in a timely manner? If the answer is “No” or “I don’t know”, you must not trust the devices. A single device with self-spreading malware, known as a “worm”, can copy itself to other devices in your network with no interaction from the user of the system.
Were our staff the only people with access to corporate assets, such as laptops, or did they allow spouses or children to use the systems?
Corporate policies cover what is acceptable and what isn’t. Employees must read and understand the policies. You cannot, and should not, expect the same of their families. Many employees found themselves in uncharted territory, trying to balance everyone’s remote working or learning needs. Such circumstances will undoubtedly have resulted in “unauthorized” people using a corporate asset. Children see the world differently. They trust more readily and, as such, may be more susceptible to taking actions that an employee with appropriate training would not.
Not everyone understands that corporate assets should only be used for company purposes. Companies generally accept that workers will use corporate assets for some amount of personal use. Unfortunately, what people consider acceptable varies greatly from person to person. This variability means you cannot know what has happened on these systems and must not trust them to return to your corporate network.
Did our remote workers follow good security practices, such as avoiding free public WiFi?
Has your internet ever stopped working, or your phone battery died, when you needed to get some important work completed? If so, you know that free public WiFi is everywhere. From vehicle repair shops to coffee shops, most businesses offer some sort of free WiFi for patrons.
The question is not “Is someone trying to hack me?” but rather “Is someone watching me?” Many users of free public WiFi, such as coffee shop patrons, consider the service a requirement before buying their favourite beverage. Savvy patrons will scope out the best seats to avoid glare from windows, staying away from shoulder surfers, to set up an optimal work environment. The devil is in the details.
Free public WiFi is designed to be as easy to use as possible. It has to support a wide number of devices; no one wants the staff to be fielding complaints about issues with the internet. But remember, they make money selling coffee, not troubleshooting Grandpa Joe’s 10-year-old laptop. Because of this, the WiFi security settings are almost always turned as low as possible, if not off completely. As a result, the information sent and received is not protected between the device and the WiFi access point. It also means someone can impersonate the WiFi access point and pretend to be the website someone is trying to access, like their bank or company portal.
An attacker may have viewed any information sent or received while on free public WiFi. Savvy attackers can change the information that was sent or received, including passwords. The file that someone tried to download could be infected with malware – even though it looked like they were going to the right website.
Were non-corporate devices connected to the computing equipment?
Electronic devices surround us. Most have small storage devices built into them. With increasing frequency, these devices can have their software, or code, updated. These updates fix flaws in the software and bring new functionality to the devices. However, the problem is that many of these devices can be altered, or hacked, to perform actions that aren’t what the manufacturer intended. Even worse, threat actors can make these devices intentionally malicious.
Looking beyond devices that have been altered or compromised, we find another type of device that was designed with malicious motives. USB devices can have hidden software and hardware that is undetectable to the naked eye – it might even look like a regular USB cable or charger. The malicious device may not do anything – at first. It might be waiting to be connected to a certain type of device before unleashing an attack. These attacks are difficult to detect, as they exploit vulnerabilities in hardware that cannot be fixed by regular software updates.
Even more difficult to detect are the USB devices that emulate, or pretend to be, a regular keyboard. These malicious USB devices are recognized by the computer as a normal keyboard. Once recognized by the system they can send pre-programmed commands to perform any function imaginable, including erasing the hard drive.
Finally, USB “thumb drives”, or “flash drives”, have been used for over 20 years. The technology has changed very little since the first USB flash drive appeared in 2000. Some vulnerabilities in USB flash drives have been resolved, but the underlying problem has not been solved. Anyone can write a file to a USB flash drive and then insert it into another device. Those same files can contain malicious code that can compromise a vulnerable system, such as a laptop or desktop.
What to do next.
You must take proactive steps if you’re uncertain of any of these answers, or you know good security practices weren’t followed.
Do you trust your protection mechanisms, such as antivirus and web filtering? Are the tools you have in place providing visibility into your computing devices? Do you trust the computer devices are safe? If your answer is yes, build a simple plan to thoroughly scan each machine before connecting it to your network, and make sure IT scans the devices as your staff returns to the office.
If you said no or hesitated in answering, don’t trust the systems.
The safest way to handle these devices is to safely erase their storage and re-install the operating system. Often called “flatten and pave”, this means you safely erase every device as it returns to the office and issue your staff new devices. This requires specific steps to prevent potentially malicious software from spreading. Do not copy data off these systems. While unfortunate, the small amount of time required to re-create the information pales in comparison with the time and money required to recover an entire organization from a ransomware attack.
Be cautious not to overwhelm your IT staff and return workers in smaller groups to allow IT to keep up. While this method is resource intensive in terms of time required to complete, and results in all data on the machine being lost, you may prevent an even more costly data breach or malware incident.
Many people will have become accustomed to their new remote working setups. Some of these individuals will want to bring anything they feel has made them more productive with them. While increased productivity benefits the company’s bottom line, the cost of a malicious device entering your network will quickly offset any gains. Build a process to evaluate any non-company issued equipment. Your IT staff can review the equipment and determine if it is safe and appropriate.
Organizations must also ensure passwords are secure. While you may be unable to tell if any passwords or sensitive information were exposed while a device was using free public WiFi or any untrusted wireless network, that doesn’t mean there is nothing to be done. Ensure all users change their passwords for all company systems, including cloud services. Require this once they receive a clean machine, or IT has given their device a clean bill of health. By doing this, you mitigate the risk associated with compromised passwords. It no longer matters if an attacker has a username and password. The credentials won’t work, so they will be unable to saunter in your digital front door.
To elevate your protection even further against this type of attack, implement Two-Factor Authentication.
Bringing Back the People
People are critical to every organization. Without employees and contractors to maintain the systems, support your users, and process the transactions necessary to the organization’s operations, every organization would grind to a halt.
These same people are also one of the biggest threats to your organization. Whether intentionally malicious or inadvertently careless, these insiders can unleash unpredictable and irreparable damage to an organization.
Consider these questions to understand where your people may be the source of a catastrophic incident.
Did our organization require extended hours from our remote workers?
The massive shift to remote working led to a complete upheaval in companies big and small. To facilitate these changes, companies required their workforce to transform the organization rapidly.
IT teams worked around the clock to increase remote working capacity or design it from the ground up. Teams upgraded systems to support the tools necessary to carry on business. They had to source, procure, and install software licenses to facilitate remote work. Tasks such as these typically take months of planning and execution. At the same time, businesses expected (and needed) these services to be operational. The end result was long hours and days on end “away” from family.
Others who worked extended hours were administrative staff, juggling their normal daily activities with new challenges. The mail had to continue flowing. Sales teams needed to print and send proposals to potential clients. The phones would continue ringing and someone had to answer the calls. It wasn’t uncommon for administrative staff to rotate in and out of their offices to maintain these important services.
Working long hours and feeling underappreciated or under-compensated can result in normally happy, productive employees losing their focus. These individuals may have become jaded with the organization. They may feel they are owed something.
Could staff work flexible hours to accommodate their personal commitments?
Everyone made sacrifices to keep each other safe. Parents had to work from home. Our children were forced to adapt to learn remotely.
Consider your personal situation. How many truly usable spaces are there in your home to work quietly and effectively? If you are like most, there is a computer room or desk, or a dining room table to sit at.
These challenges resulted in people needing to get creative with their work arrangements. One parent worked early in the morning while the other got the children ready for the day. Once the children were off to school or “quietly” learning in another room, the second parent would start their workday. As the day wound down, the early worker ended their workday and began to look after the children.
This flexibility allowed everyone to “make do” with the resources they had, in situations that were less than ideal.
Did you support your staff with this flexibility? Or, did your organization expect everyone to be online from 8AM until 5PM?
Every organization is different. The needs of every company will vary, and those organizations must juggle what is right for them and for their staff. Much like the malicious insiders mentioned earlier in this section, a lack of flexibility can push an otherwise happy, content worker to stop caring. They may feel as if the company did not care for them or help them, so why should they care for the company?
Did our organization have processes in place to maintain healthy relationships with staff?
“Man is by nature a social animal; an individual who is unsocial naturally and not accidentally is either beneath our notice or more than human. Society is something that precedes the individual. Anyone who either cannot lead the common life or is so self-sufficient as not to need to, and therefore does not partake of society, is either a beast or a god.” (Aristotle, Politics)
For over a year, many of us have put the needs of society ahead of our own. Everyone has a right to their own opinion on the merits and faults of doing so. Look at Aristotle’s words in the context of the isolation we’ve endured.
Humans are naturally social. Without interpersonal interaction, society would fail. Equally important, without social interaction, humans will fail.
Did your organization facilitate a healthy relationship with its staff? Did your team have informal gatherings around a virtual “water cooler”? A forum where their frustrations and the proverbial “steam” could be let off safely? Did managers interact more with their direct reports, checking in on their mental health?
Without these human interactions, people can quickly become disillusioned and jaded. As with the previous questions in this section, when workers feel they are not important to the organization, they can begin to lose focus and make errors. Even more serious, they may grow angry with the organization.
It is imperative that we “tend our flocks” even more closely in times of great upheaval and unrest. By understanding how its workers feel, a company can foster a culture of openness and communication. Open, communicative environments help build trust, and this trust is critical to enabling workers at all levels of an organization to communicate their mental state.
Did you support everyone in your organization?
Were policies or processes changed to facilitate remote workers and their interactions with our customers, suppliers, or systems?
All organizations were forced to change how they operated, in ways both big and small. They made changes to be resilient and survive.
Businesses were forced to make changes that enabled their workers to be productive while not being physically located in the company office. What these changes looked like, and how they were made, varies from organization to organization, just as no two snowflakes are identical.
Some changes may have included suspending policies regarding removing documents and information from the company office. You may have adopted new technology. Was the way technology supported your people changed?
Workers will need to adapt once again as organizations around the world adapt to an ever-changing landscape. Some changes have been good, increasing security, productivity, and resilience. Others were necessary evils, balancing the risk to the organization with keeping staff as productive as possible.
What changes did your organization make?
What to do next.
Ensure your teams feel supported.
At one end of the spectrum of “insiders” is the happy, content worker who loves everything about their job. At the other end, we find a darker path being taken by insiders who have crossed from unintentionally malicious to intentionally malicious. These employees are actively working against the interests of the organization, either to their own benefit, or simply to the detriment of their employer. Between these extremes, we find the person who is overworked and stressed, making them prone to errors. These errors are not intentional, but they do pose a threat to organizations.
Check in with your staff to see where they are at, ensuring you identify anyone who may be moving down the insider spectrum from happy towards intentionally malicious.
The actions you need to take are based on how your organization supported the people working for it. It is imperative to check in and identify where your people are at. Are they mentally healthy?
Equally important is identifying and weeding out those who have reached the intentionally malicious insider state. Reduce their access and privileges to limit the potential damage. A malicious insider can expose company secrets, leak competitive details to the competition, or simply cause as much damage as possible if they feel threatened.
Consider everyone. Anyone can be an insider threat: part time, full time, or contract, regardless of their employment status. From your administrative workers and IT staff to senior management; anyone can become a threat under the right circumstances.
Seek guidance from your human resources and legal counsel. Facilitate these discussions in a healthy, productive manner.
By adapting to the ever-changing needs of the workforce and facilitating better communications with the staff, your organization can identify and support those posing the greatest risk before an incident occurs.
Next, make a plan. Understand all the ways the company adapted. Take a long, honest look with your leaders and staff.
Which of the changes were positive? Consider whether these positive changes should remain part of the organization. Perhaps by increasing the flexibility of working hours you saw an increase in productivity.
Did the changes increase organizational risk? If so, you must look at the risks and evaluate whether they exceed organizational risk tolerance. One option is applying appropriate controls to reduce the risk to an acceptable level. If you cannot reduce the risk, consider rolling the changes back to return to a more secure state, or, re-evaluate your organization’s risk tolerance.
Did the changes improve company security posture? Were multi-factor authentication, device storage encryption, or enhanced password policies leveraged to enable secure remote access? If so, consider the benefit they bring to the organization. Once in place, many technologies have minimal costs associated with maintaining them compared to the effort to remove them.
Have patience. Humans are creatures of habit and become accustomed to doing things a certain way.
You must engage with your staff to help them understand why certain changes need to be kept. Involve them in working out why the previous way was better or worse. These insights will help you gauge where your people stand.
The change to remote was sudden and traumatic for many. Consider how you can plan to transform the organization into something better than it was. Engage your human resources and legal teams for guidance and insight.
As with any of the human-related concerns, be vigilant. Change can bring about a great number of emotions, not all of which will be positive. Be alert for any negative behaviours or indicators that something is off and address it before it becomes a problem.
Don’t Forget (Your) Data
Data is the lifeblood of many organizations. It facilitates decision making efforts, business intelligence and insights, and enables effective communication with customers and prospects.
Many organizations changed or suspended policies and controls surrounding their data. These changes enabled organizations to be more agile and quickly adapt to the rapidly changing circumstances they faced.
Around the world, businesses are returning to their offices. You must account for this data and repatriate it safely and securely. Organizations must take the approach of protecting the information they are responsible for, such as personally identifiable information. They must balance this with ensuring they are not placing their organization at unnecessary risk when returning the data. Remember, data that has been corrupted, deleted, or is otherwise inaccessible has no value to an organization.
While you answer these questions, keep the value of the data in mind. Recognize opportunities to minimize data loss but don’t lose sight of the underlying risks this data may now pose. This includes operational, regulatory, and reputational risks.
Did staff use personal computing devices to access or create data?
Many organizations were not prepared for the massive shift to working remotely. The global supply chain was overwhelmed in a matter of days.
Companies placed orders for hundreds of laptops and desktops, monitors, office furniture, webcams, and more. Nearly every component supplier or final product manufacturer faced issues. As a result, factories were shut down. This resulted in ongoing supply challenges, due to lockdowns, restrictions, and staff being unable to work. In-demand items are still difficult to find today.
Organizations scrambled to ensure workers had access to the tools and data necessary to perform their tasks. Often, this meant personal computers were conscripted for company use. These personal systems were a necessary evil. Workers could install the software needed to work, whether through remote access solutions or downloading the tools necessary to perform their roles.
Companies around the globe lowered their proverbial drawbridges. They gave workers access to the information, data, and systems needed to complete the work. The corporate “castle” no longer protected these assets. Unfortunately, this also meant threat actors could compromise the personal computer of a worker to gain access to the organization. These personal computers lacked the more advanced tools typically deployed to protect company assets. Without security policies, antivirus applications, remote support, and monitoring tools, organizations found themselves exposed.
The end result was devices without critical software updates being exploited to gain access to company information. More frightening, these personal devices became a gateway into the company. A portal from the outside world into the heart of organizations.
Are we able to scan files that are brought back to corporate systems to look for malware?
You must safely return any data that your staff accessed or created while they worked remotely. This information is important, if not critical, to your operations. Without it, the organization would cease to exist.
With their best intentions at heart, workers were forced to make do with what they had in front of them. As a result, they copied data to the storage on their personal and company-issued devices. The challenge ahead for organizations is not just understanding what and where data was created, but more importantly, whether that data is valuable enough to attempt to save.
There are three primary concerns surrounding data: availability, confidentiality, and integrity.
The availability of this data leads to concerns surrounding confidentiality. Was this data visible to unauthorized individuals? Organizations suspended many of the controls surrounding what devices and systems can access data. This resulted in data leaving the carefully controlled confines of corporate networks and devices. Consider the following. How do you return secret data to the control of the organization and ensure no copies are left behind?
Availability causes another concern – integrity. Is the data trustworthy? The first thought when integrity is mentioned is often “Was anything changed?”. This is a deeper question. You must consider whether the data was changed, intentionally or accidentally. It may be the simple transposition of numbers in a spreadsheet. Or, it could be the result of more insidious changes. Ransomware encrypting a file. A worm, injecting itself into a file so it can move deeper into your network.
The repatriation of data from devices that are not owned by or were not visible to your organization requires careful thought and planning.
Were staff using personal file sharing services to access and share data?
Many organizations lack the technical infrastructure to support securely transferring files in and out of the organization. Without this infrastructure, workers will use the tools they are familiar with and have access to. This includes Dropbox, iCloud, and Google Drive, to name a few.
The files stored in these personal services are not subject to the same controls that they would be within the company, or a corporate file sharing service. They may be inadvertently shared with other family members. Even worse, they may be shared publicly with no control over who can access the information.
For many organizations, this may not be a concern. The information they work with is generally public knowledge, and very little harm will come from it being publicly available. Other companies may have highly sensitive information that is being shared through personal file sharing services and be completely unaware. This can lead to data breaches. These breaches can result in lost business, reputational damage, or even regulatory fines or sanctions.
An additional concern becomes any changes to these files. Did your workers create or change files at home, save them to their cloud storage, and forget to bring them back to the corporate file systems? While the information may not be sensitive, it could have significant impacts on the organization if it relies on that data.
Was information in physical formats, such as manuals, files, or records, taken home by staff to facilitate their roles?
Organizations that require physical copies of information, or those that have not yet transitioned to digital-only information, face a unique challenge. How can they track a piece of paper?
A wide variety of organizations rely on data that is stored on a single piece of paper – from bookkeepers to lawyers, and everyone in between. The information may be secret or public, but it shares a common trait – it is not digital, and only a single copy may exist.
Imagine, for a moment, that you are an accounting firm. One of your workers took home a stack of receipts from a client in order to enter that data but lost a few receipts in the wind. How do you recover that information?
What about an associate at a law firm taking home a file and their child deciding it needed to be decorated? Was any information lost?
It is important to understand what data has left your organization’s offices in physical format. Without this knowledge, it becomes impossible to be certain no information has been lost, accidentally or otherwise.
What to do next.
Create an inventory of all staff. Identify if they were assigned a corporate computing device from the outset, later on, or not at all. Any staff without a corporate device will require more engagement to understand what data they may have on their personal systems. While staff with corporate devices may have been less likely to use personal computing devices, they may have shared machines at home and worked from both corporate and personal devices.
With this inventory, you can begin to understand what data exists on corporate file storage and what is solely stored on the personal computing devices. Next, develop a plan to repatriate the data from these personal devices back to the company’s file storage.
You must consider the value of the data compared to the risk posed by bringing data from untrusted devices. Thoroughly scan and safely transfer any data that is worth the effort to keep back to corporate systems. Personal devices must not be connected to the corporate network. Instead, use an intermediary device to scan and transfer these files safely. This effort will reduce the likelihood of malicious software piggybacking into your environment on these files.
Solutions to the problem of personal file sharing services are less clear-cut. Engage with your workers in a supportive manner. Understand whether they used any of these services. Have them check their commonly used file sharing platforms for any company data and follow the practices mentioned above for repatriating data.
Be supportive. Provide resources to workers that did use these platforms to understand the nature of the data they hold. Help investigate the account settings to determine if data was shared outside of the account. If any data is found to have been shared, or exposed, follow any breach reporting requirements, such as CCPA or GDPR.
Ask questions. By answering these questions for each piece of information, you can understand what is important and valuable enough to worry about.
- Is this data important?
- Will it cost an unacceptable amount of time/money to re-create this data?
- Is this data sensitive, secret, or proprietary?
Now, think about each answer and then ask one more question.
Why is the data so important, costly, or secretive? Honest answers, supported by data, will help identify what information you don’t need to worry about. And, more importantly, what information you must take steps to repatriate and protect.
Consider data that will be left behind as lost and no longer private. How you handle this may vary with the data – from simple deletion to shredding paper copies to securely wiping the storage – the key is to understand the data and take appropriate actions.
“Every piece of information can be an attack.” (Andrew Ginter)
Remember this quote when considering the actions you will take to return the data. Again, these steps will vary based on the nature or value of the data.
Scan any files that must return with a different antivirus product than is normally used by the organization. Never plug the original device into the network. Use file upload software to transmit data from the original device onto a device within a protected segment of your network to allow the scanning. Once data has been verified safe, use the same method to transfer the data from the protected network back into your regular corporate network.
Following these steps will ensure data is appropriately handled to protect the organization.
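As an added example (not code from the article or its author), here is the intake step above written as a quarantine-then-release script for the intermediary host: each returned file is hashed, scanned by a second-opinion scanner, and moved to the corporate-side share only on a clean verdict, with anything else (including a scanner failure) held back. The clamscan call is an assumption about which second scanner is installed; the marker scanner and the sample files are constructed so the demo runs offline.

```python
"""Quarantine-and-release intake for repatriated files (added example)."""
import hashlib
import json
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Dict, List

# A scanner maps a file path to "clean", "infected" or "error". Anything other
# than "clean" keeps the file out of the corporate side (fail closed).
Scanner = Callable[[Path], str]


def sha256_file(path: Path) -> str:
    """Hash the file so the manifest records exactly what was released."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def clamscan_scanner(path: Path) -> str:
    """Assumed second-opinion scanner: ClamAV's clamscan CLI.

    clamscan exits 0 for clean, 1 for infected and 2 on error. A missing
    binary is reported as an error, which rejects the file instead of
    silently passing it.
    """
    try:
        proc = subprocess.run(["clamscan", "--no-summary", str(path)],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "error"
    return {0: "clean", 1: "infected"}.get(proc.returncode, "error")


def process_quarantine(quarantine: Path, release: Path, rejected: Path,
                       scanner: Scanner) -> Dict[str, List[dict]]:
    """Scan every file under `quarantine`; move clean files to `release` and
    everything else to `rejected`. Returns the manifest it also writes."""
    manifest: Dict[str, List[dict]] = {"released": [], "rejected": []}
    # Materialise the listing first so moving files does not disturb the walk.
    for path in sorted(p for p in quarantine.rglob("*") if p.is_file()):
        rel = path.relative_to(quarantine)
        entry = {"file": rel.as_posix(), "sha256": sha256_file(path),
                 "verdict": scanner(path)}
        bucket = "released" if entry["verdict"] == "clean" else "rejected"
        dest = (release if bucket == "released" else rejected) / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(path), str(dest))
        manifest[bucket].append(entry)
    release.mkdir(parents=True, exist_ok=True)
    (release / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def marker_scanner(path: Path) -> str:
    """Stand-in scanner for the offline demo: flags files containing a
    constructed marker string. Real runs would pass clamscan_scanner."""
    return "infected" if b"CONSTRUCTED-MALWARE-MARKER" in path.read_bytes() \
        else "clean"


def demo(scanner: Scanner = marker_scanner) -> Dict[str, List[dict]]:
    """Build a throw-away quarantine with constructed sample files and run the
    intake over it. Returns the manifest so callers can inspect the result."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        q, rel, rej = base / "quarantine", base / "release", base / "rejected"
        (q / "finance").mkdir(parents=True)
        (q / "finance" / "q1-budget.xlsx").write_bytes(b"constructed sheet")
        (q / "notes.txt").write_text("meeting notes, constructed sample")
        (q / "invoice.pdf.exe").write_bytes(b"CONSTRUCTED-MALWARE-MARKER")
        manifest = process_quarantine(q, rel, rej, scanner)
        # Nothing may linger in quarantine once the run completes.
        assert not any(p.is_file() for p in q.rglob("*"))
        return manifest


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```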
What about non-digital information?
Paper files that return must be the original copies and undamaged – a coffee ring can make an important number unreadable.
Review all files you expect your organization to have, including any sign-out sheets that might have been completed.
Businesses will need to work with their staff to understand if any information was taken, the reason it was taken, and where that information now resides.
It is difficult to accurately assess what information has been lost once it is gone.
Mitigate any potential losses by reaching out to all workers to review what information they removed from the office. Determine where the information now resides and have honest discussions regarding the potential for lost information.
Work proactively to identify potential data losses now. By doing so, you can begin to plan to search for lost files in your office and the residences of your team members.
As you understand the state of your physical information, think about how you can improve processes. Will duplicate copies of any records being removed prevent data loss? Perhaps, but the cost associated with making and storing copies could exceed the value of the information.
What Lies Ahead
This guide was not meant to be exhaustive, but a starting point for necessary conversations.
Remember these three key points:
- Be supportive
- Scan all data and systems
- Do not blindly trust workers or devices
The changes resulting from a remote workforce can be positive and empowering for organizations. At the same time, they can be taxing and difficult on employees who were not prepared for such a shift.
Have open, honest conversations with your teams and foster discussion so you can work as a team to return to whatever state the organization desires. By doing so, you will reap the rewards of an engaged workforce and the cost savings of a tailored work-location strategy.
In search of more guidance? Call us today to get started!