Advice on cybersecurity and data protection essentials for office return
Preparation will be paramount for many organizations, with the transition from working from home (WFH) back to working from office (WFO) requiring safe and considered management as they reoccupy their facilities. Maintaining a company’s information resilience is a key element of these plans to ensure that cybersecurity risks are managed, and data privacy regulations are not violated.
Organizations are currently reviewing guidelines such as planning one-way systems, implementing staggered start and finish times, reviewing the effectiveness of safety controls and measures, and taking immediate action to improve those that are not effective.
From a cybersecurity perspective, this includes reassessing system networks and reviewing Shadow IT activity or bring your own device (BYOD) usage, while for data protection the focus will be on workstation changes, employee health data, data protection impact assessments (DPIAs) and transparency.
Focused on supporting companies across all industry sectors to plan their reopening and develop a sustainable methodology for working in their ‘next normal’, business improvement company BSI has outlined the following 10 cybersecurity and data protection essentials for consideration:
- Physical security – make sure that physical security controls, employee identification and physical media are all up to date and fully operable
- Access control – ensure credentials like multi-factor authentication (MFA) and password expiration and reset are all up to date
- Data protection and privacy – seek the advice of your Data Protection Officer or Privacy Officer on the impact of changes made to existing processes, or of new processes, where data is recorded and collated. Conduct Privacy Impact Assessments (PIAs) where relevant
- Asset management – re-evaluate bring your own device (BYOD) policies and ensure that all non-inventoried assets are correctly logged
- Network security – remote access is still important during a phased return to work, so keep network services such as Virtual Private Networks (VPNs) available and secure
- Vulnerability management – patching is a challenge even for an information resilient organization. In returning to the office, organizations must evaluate their patch posture and, where it is found wanting, prioritize patching
- Operations security – organizations should re-evaluate any configurations they made during the work from home period to ensure that they are still the most effective
- Business continuity – it is now time to learn from recent activities – the remote working paradigm – and apply the acquired knowledge to improve the readiness of the business continuity plan
- Incident management – incident response represents the last line of defence should an attack materialize. Make sure your organization is set up to prepare for and respond to a data breach
- Security governance – risk registers should be reassessed given the newly restructured threat landscape and control plane
BSI has developed a self-assessment questionnaire for organizations focused on cybersecurity considerations for reopening the office. The questionnaire can be accessed on its website. On completion of the survey, the recipient will receive a report from BSI outlining their readiness to reopen, focused on cybersecurity and data governance implications.
Stephen O’Boyle, Global Practice Director for Cyber, Risk and Advisory at BSI explains: “The last few months have tested many organizations of all shapes and sizes across the globe. Many needed to adapt quickly to the restrictions to ensure the safety and wellbeing of their employees and clients, with remote working being activated, and IT systems tested and reconfigured to remain effective.”
“While there were many challenges, including the increase in cyber threats and risks, and data privacy concerns, it also provided organizations with the opportunity to customize, review, update and improve their response planning and enhance their business continuity plans to prepare for the phased reopening,” she said.
The focus now is on opening safely and a top priority is an organization’s cybersecurity and data governance needs, O’Boyle said. Those responsible for it need to be part of the planning process. Not only will this ensure that the correct protocols are adhered to and implemented, it will enable a business to operate in a more secure, safe, sustainable, trusted, and resilient manner, protecting its people, information and reputation.