Protecting Your Business as Offices Reopen: A Seven Step Cybersecurity Action Plan for Physical and Hybrid Work Environments
As employees start returning to the office and some firms adopt hybrid work approaches, it’s a good idea to take a fresh look at your organization’s cybersecurity program and culture. While workers were away from the office, some office networks may have been compromised and some employees may have picked up bad cyber habits at home, opening the door to a potential breach or ransomware attack.
In addition to these risks, regulators continue to keep a laser-like focus on investment advisers’ cybersecurity programs and operational resilience. In the U.S., the SEC has made it clear that it expects firms to regularly review and update their cyber policies and procedures to keep up with the ever-evolving cyber world. And the Division of Enforcement has demonstrated that it will come knocking in the event of a potential breach, having recently conducted outreach to firms who may have been a victim of the SolarWinds® breach with a voluntary request to produce information.
ACA Aponix®’s Cybersecurity Action Plan
ACA Aponix’s cybersecurity experts have developed the following action plan to help your firm review, revise, and implement a strong cyber program that will help protect your firm against reputational and financial damage as well as meet regulatory obligations, no matter what type of work model you’re employing.
1. Revamp your information security policy
Consider implementing and enforcing a clean desk policy requiring employees to remove storage media from desks as well as information displayed on screens when they are not at their desks.
Make sure that data handling and transmission controls are in place, especially as pertains to sensitive information.
Have policies in place for physical and digital data destruction. Secure behaviors in this regard may have been lacking at home and may have not been enforced previously in the office.
2. Revise your travel security policy
Back to the office may also mean “back on the road.” Employees may travel to client engagements, conferences, and more. Reinforce the policies regarding secure travel behavior such as public Wi-Fi protections, USB use, Bluetooth use, protecting screens from “shoulder surfing,” etc.
3. Update security, response, and continuity plans
Ensure that any changes you make for your relevant work environment are made in your firm’s written information security plans, incident response plans, and related documents. Update the business continuity plan, especially considering how office reopening is still very fluid, and other changes may be forthcoming. Test your updated plans to ensure they work as designed.
4. Refresh staff cybersecurity awareness training
In addition to communicating your organization’s cyber policies to employees, conduct mandatory cyber awareness training to refresh their knowledge and responsibilities. Make sure they are aware of potential risks, how to prevent them (e.g., phishing prevention), and how to respond in the event of a potential event.
5. Verify physical equipment is secure and up to date
Make sure all devices are checked for ransomware and other malware. In addition, check that any network equipment and any employee “bring your own device” equipment is fully up to date with all required patching.
Verify that there was no kind of network infiltration while the majority of office staff was away – have the IT team scan for any indications of intrusion or other abnormalities.
6. If going hybrid, incorporate the appropriate policies for all relevant environments
In hybrid work models, cybersecurity will be needed both at the home and in the office. Make sure robust protections are in place – that endpoints are secure, all devices are required to be authenticated prior to network access, patching is enforced remotely, etc.
Additionally, review any interim solutions (e.g., local installation of Microsoft® Teams), and consider if they will continue to be supported in the hybrid environment.
A best practice is to take a “best of both worlds” approach. Apply what works best in an office environment to the home environment as much as possible, and vice versa. Some examples:
- Clean desk policies, data destruction policies, protection of personal information, and other similar policies may be easier to enforce at work. At the same time, these are no less important in the home environment. Consider methods of mandating and enforcing these information security policies in the home environment (e.g., proof of privacy doors, shredders, privacy screens).
- Some employees thrive in a quiet environment and are more in tune with both work needs and cybersecurity needs – they will notice if an email seems like an abnormal phishing attempt, for example. In a bustling office, this focus may be lost. Consider finding ways at the office to create atmospheres conducive to those employees’ needs (e.g., specified quiet spaces, reservable conference rooms, etc.).
- Consider how behavior is different in the office and at home. For example, at home people may not be as willing to report succumbing to a phishing attempt, while at work they may seek help faster. Have IT proactively check-in with workers to see if they're experiencing any IT or security issues. Often times, the burden of complying with security controls drives people to insecure behaviors. Additionally, encourage the reporting of phishing attempts (and phishing mistakes) by rewarding notification.
- Include work from home cybersecurity policies in mandatory cybersecurity training.
7. Communicate any changes to cyber policies and procedures with vendors and portfolio companies
Don’t forget your firm’s third-party service providers – communicate any changes you make to your cyber policies and procedures, and ensure they are contractually obligated to adhere to them. Private fund managers should do the same with their portfolio companies.
How we help
ACA Aponix can help your organization strengthen its cyber program to make sure you’re protected, no matter what kind of work environment you decide to employ. We offer a range of services, including:
- Risk assessments and compliance readiness
- Threat intelligence, phishing testing, and monitoring
- Cybersecurity awareness training for staff
- Operational resilience and governance
- and more
If you have any questions, please contact your ACA Aponix consultant or contact us here.