What do businesses need to consider, in the return to the office and the work-from-anywhere future?
Right now there’s a big conversation going on in every organisation and team, in video-conferences and meeting rooms around the world: How do we get people back to the office, and move forward in the ‘new normality’ safely and securely?
Of course, they’re talking about physical and biological safety, in a changed world. But the implications of all of that for spacing and distancing mean an urgent need to consider cyber-safety as well. It’s not only people who must be kept safe: personal data, intellectual property, and technology assets and devices all face different (and in some cases new) threats.
With so much upheaval in the past year or so it’s easy to lose track of some of the important changes, and the way we use digital assets and data is just one thing which has been forever transformed. A lot of this might be invisible to the everyday user, but InfoSec professionals are having to address a lot of new worries, and figure out how to solve new challenges, to support a work-from-anywhere hybrid future.
The cloud revolution 2020
While the visible change in the lockdown crisis was where people sat to do their work, behind the scenes what mattered was the location of the data and services they used to get it done. Those organisations most resilient and ready weren’t necessarily those with the hundred-page disaster recovery policies and extensive scenario testing under their belts — it was those who already had decentralised cloud communications and storage in place.
Enterprises who already used a business cloud telephone system like Ringover, in addition to online access to their data and assets, had a significant advantage.
For lots of businesses, voice calling was, in fact, the final frontier of a lengthy cloud migration strategy.
Having moved most of their assets and other communications to cloud-based systems over a period of time, they still depended on a legacy PBX located in a physical data centre somewhere, waiting to prioritise this shift once external factors like the POTS switch-off finally nudged them to take action. There were probably a lot of expenses claims, during the early part of lockdown, in these organisations - from people forced to use their own mobile calling plans and data, to stay in touch with colleagues and clients.
But for the fully VoIP-enabled it was so much easier to integrate the final stage of true location-independent working, and get their teams up and running fast — without having to ship out devices or install new lines, because of native apps which would run on anything they already had at home.
Security-wise, were corners cut by some organisations during the crisis? Undoubtedly, particularly at first — it was probably seen as more important to get people online and hooked into the office systems, especially those who others looked to for leadership and reassurance, via any means possible. Setting up their VPNs and firewall was of course important, but we know that in some cases this happened afterwards. In addition, the crisis itself spawned a depressing multitude of opportunistic scams, from bogus exposure alerts to fake test results, with bad actors also keen to take advantage of the naturally lowered guard people feel about work-related security issues in a domestic environment.
But once the gaps in the enterprise security blanket were plugged, users were left with an expectation of being able to connect and work from any location, and any device. Honestly, some IT directors are unsung heroes of this crisis, simply for enabling that and keeping things going — but they have forever changed the relationship of users to their workplace technology, which now pervades their personal devices and boundaries in ways we would not have dreamed of 2 years ago.
All those knowledge-workers are taking those expectations and attitudes with them, wherever work takes them next.
Back to the office?
Every town and city centre contains empty buildings right now, and some organisations have decided they are going to a completely distributed remote-first future, and will never come back. However, in most cases this is not a practical option, if only because of investment in lengthy leases or real estate owned, and others have concerns about productivity and cultural continuity.
In cybersecurity terms it should be easier to protect vital IP and personal data if people are physically located in one place. That always worked before! But the reality is that, whatever nostalgic longings they have, the reopening of office buildings does not mean time travel back to the pre-pandemic days, when people crammed on to rush hour trains 5 days a week to sit side-by-side and work simultaneously. Information security professionals are dealing with a new reality, not a return to what we knew before.
It used to be fairly easy to manage networks and perimeters from a technical point of view, but what about now? The physical boundaries have been absent for some time, and they are not returning in any meaningful way, because there will always be a remote component in each team - people who cannot return to the office due to numbers and spacing, who have moved their homes further away, or who are clinically vulnerable.
What we’re looking at in most cases — what everyone is talking about — is a hybrid future.
But this could mean all or any of the following scenarios:
- Some people work from home all the time, others in the office all the time
- Everyone works a fixed amount of time in each place, for example 2 days in the office and 3 at home
- Everyone works flexibly, coming into shared spaces when they want to collaborate face-to-face and deciding based on activity and productivity needs
- Some people take up desk-space closer to their homes, perhaps on an ad-hoc basis, somewhere like a local co-working centre or even a coffee shop or bar
Others can visit clients face-to-face like in the old days...
Back to moving around!
So, many people are going to be moving around a lot more, and the immediate security challenge is that we’re all going to take our work with us when we do so.
Not just mobile phones, but laptops, documents… Even those regularly working from the office will be packing and carrying their own devices, because they’ll likely have more theft risk with more people coming and going around the buildings themselves at different times of the day and night, and they may not have exclusive access to any given desk or room.
When we were all locked down in our homes, the cyber threat was real, but physically things were very different. Burglary rates tumbled worldwide, while curfews were in place and their targets sat home all day. Nobody was leaving discs or devices on the bus when we weren’t allowed to travel any more...
Now that people are starting to commute again, they will have to re-learn personal safety and awareness, not least as access to their entire office systems will probably be right there in their shoulder bags, hundreds of euros of tempting technical gear. They will be travelling on less crowded services, and possibly at odd times of the day and night.
Responsible organisations will advise and support their people to move around safely, and not let novelty distract from vigilance, because the physical devices themselves will make them a target. But from the cyber-security point of view, the organisations can at least ensure:
- Centralised application administration — for example, the Ringover account of every user can be rapidly deactivated from an admin dashboard in the event of loss or theft.
- Usage monitoring — with alerts to flag and block anything unusual or risky. Sudden lengthy calls to premium rate numbers on another continent can trigger immediate warnings, or be pre-emptively locked to all users who simply don’t require access to those kinds of numbers in their work.
- Modern device management protocols for the lifetime of corporate handsets — ensuring security updates and patches are pushed out in real time, and retired devices appropriately deactivated and reset, with a clear disposal policy.
- Comprehensive and up-to-date BYOD policies, which enable secure asset and app management on personal devices. No one should have to have their own cellphone bricked by their IT department just because they misplace it for an hour — and they won’t be in any hurry to report it missing, if this is likely to be the consequence.
- Setting and enforcement of minimum access requirements, such as multi-factor authentication.
The latter issue of authentication has always been a source of tension, between information security officers and their users, whose priorities for security vs accessibility have seemed at odds. But with more access points than ever before, in more locations, it’s even more essential that these are enforced.
The good news is that the user experience is improving all the time, so that higher levels of security are easier to put in place and use — from password managers to biometrics, there are more and more layers of protection which can be implemented, such as the new functionality in iOS 14.5 to unlock your iPhone using facial recognition, even if you’re wearing a facemask.
De-risking cloud communications
For organisations, the issue is one of managing and mitigating risk, because risk cannot be eliminated altogether. It’s about planning and thinking through scenarios and possibilities, and documenting this exercise in a comprehensive risk assessment.
The world has learned the hard way that unforeseen events can disrupt the way we work overnight, and while there was a sense of ‘winging it’ with workarounds being acceptable when the pandemic first hit, expectations have now changed for good.
One easy way to manage risk is to outsource as much of it as possible through subscription services — such as VoIP telephony and unified communications. If your calls are all being handled by Ringover, you know that the network you are communicating over is a member of RIPE (European IP Network AS201188), all calls passing through Ringover’s applications are encrypted (DTLS-SRTP), and stored only in an EU-based, GDPR-compliant data centre, for example, registered in the UK with OFCOM (Office of Communications) and in France with ARCEP (Regulatory Authority of Electronic Communications and Posts).
So, not only do you outsource the uptime and reliability of the service, you get the peace of mind. Even for small organisations, software as a service solutions will be key in ensuring the continual monitoring and updating required to address cyber threats in real time.
Investing in a secure future
The good news for all enterprises is that the technology is continually improving, and when you partner with the right suppliers for your cloud services, they will remain at the forefront of the evolving arms race.
Of course bad actors will forever seek to take advantage of crisis and confusion, and the future remains uncertain for many. Economic threats, including the end of financial support for employees and businesses, may impact on the viability of jobs and particular enterprises. All this creates heightened anxiety for many, and employees will appreciate — and be loyal to — organisations who create safe work environments for them, in every sense.
The possibility of future viral waves and a return to rolling lockdowns cannot be ruled out, and regardless of preferred policy intention regarding office usage, every organisation will need to hold itself ready for a flexible return to distributed working. This should be easy to maintain now that fundamental changes have been put in place regarding cloud adoption and decentralisation of data, but it’s important that old habits are not returned to, and high standards of data protection remain in place.
Many organisations will fund this investment in cybersecurity from their old real estate budget, but others will find additional savings coming from cloud-readiness and new ways of working themselves: no longer forced to spend on instantly depreciating physical servers and switchboards, the savings can be reinvested in ensuring the work-from-anywhere future is secured and assured.