The future of work is not what we were collectively promised in the days before the pandemic. Despite being nearly two years into the global pandemic, organizations are still in the process of redefining how their offices should be used now and in the future, which has lead to a surge in the adoption of smart, digital technologies.
However it’s not entirely clear what technologies are best suited to addressing workforces’ needs, as well as what the increased digitization means for an organization’s security. And companies have a lot of new technologies to choose from.
The rapid development and deployment of workplace technologies — coupled with the adoption of new ways of working — comes with added risks. Chief among these risks are those centered on user identities, device identities and technical weaknesses.
Access Control for the New Office
For some organizations, reimagining how employees gain physical access to offices will be a priority. Physical keys for door locks are difficult to manage at scale and changing keypad combinations is a communications exercise, thus some companies choose proximity card readers as a solution. Yet the relative ease and commercial availability of proximity card cloning devices — commonly used by physical penetration testers — heightens the risk of workforces returning to the office.
Network-connected biometric access control systems would appear to be an obvious solution to this challenge, as it’s considerably harder to reliably clone biometric data outside of targeted attacks.
However, these systems bring network-layer challenges, as associating a user’s digital identity, such as a user account stored in Active Directory, with their physical identity would require a network connection from IT to OT, which continues to be inadvisable at best.
Solution: An alternate approach to mitigating risks associated with allowing a physical return to the office would be to have a separate system that handles provisioning digital identities separately from physical biometric control systems. However, the provisioning system must be adequately hardened so that threat actors cannot have an easy path to gaining access to both physical and digital assets. There are also regional statutory concerns associated with biometric systems that require employers to provide an alternate physical authentication system.
Related Article: In-Office vs. Remote: The Final Showdown
Collaboration Tools and Insider Risks
Collaboration in hybrid workplaces has led to the adoption of digital whiteboards, which are essentially large displays that allow an individual presenter to share content with both in-person and remote teams. To start a session, the presenter needs to sign in, providing insiders with access to the large on-screen keyboard — if they wanted to, insiders could observe and write down the presenter’s password, which poses a slight risk.
However, a more serious threat would arise if the presenter neglects to sign out of the device at the end of the working session. This is worse than forgetting to erase the whiteboard at the end of a meeting. An insider with physical access to the collaboration device could intentionally or unintentionally modify, delete, or exfiltrate data both shown during the meeting, as well as data that are incidentally available based on the user’s identity.
Solution: Organizations should both have signs reminding presenters to sign out at the end of a working session and technical controls to force screen locking and/or automatic sign-out shortly after the end of a scheduled meeting time.
Bring Your Own Device
In a bring your own device (BYOD) environment it’s difficult to validate that a given laptop, tablet or mobile phone is adequately configured from a security perspective.
For example, disabling the ability to read and write data from external USB drives is an easy way to limit the risks associated with data exfiltration from a corporate device and is not an unreasonable control, particularly considering the persistent misunderstanding over ownership of intellectual property produced by employees for their employers.
For hybrid personal/work devices, however, this policy may be overly onerous and prevent an owner from downloading photos from their camera or taking a backup to a USB disk.
Solution: Ensure that corporate data security controls are associated with a user’s identity and applied to data, not a device’s identity, and use defined data loss prevention (DLP) policies that allow users to only use the data in appropriate ways. For example, a DLP policy could allow a user to edit a corporate document on their personal laptop, but not to print that document from their personal laptop or store that document on an unapproved cloud storage service. If another user acquires the corporate document, they would be unable to view it due to the DLP controls applied.
Related Article: Should You Allow Shadow IT and BYOD in Your Company?
Bring Your Own Thing
Computers are not the only connected devices that employees are bringing to offices.
The main challenge with bring your own thing (BYOT) environments is deciding what things to allow on the network. There are a broad spectrum of things employees might want to use, such as speakers, sensors and headphones. The security shortcomings of internet of things (IoT) devices are well-documented and are unlikely to change in the near future.
Solution: Organizations allowing BYOT should strongly consider establishing a dedicated network segment for employee-owned IoT devices. This new network segment for connected things should only allow outbound network connections, with the usual set of technical controls to prevent connections to likely or known malicious internet resources.
The Automated Office
The other emerging category of IoT devices being deployed in smart offices are environmental sensors. While some of these may be associated with mechanical, electrical and physical (MEP) systems, such as heating or plumbing, others have been uniquely developed in response to the pandemic. IoT occupancy sensors, for example, that help a company know when to schedule cleaning of a given workspace based on prior use during the day.
While these systems are clearly beneficial, they also serve to expand the attack surface, posing new risks to organizations.
Solution: As these are IoT devices, companies should consider having a dedicated network segment so that these cannot be used as lateral pivot points if compromised.
Additionally, companies purchasing IoT sensors for offices should challenge vendors on their software update mechanisms and for details regarding how long the software updates will be provided. Vendors that require companies to manually update IoT devices or that cannot provide a reasonable duration for software updates should be avoided., as the longer a given connected device is utilized without being patched, the more likely it is that one or more vulnerabilities will be found and leveraged in attacks.
Be Picky About the Smart Office Technology You Pick
Organizations should carefully consider both the strategic benefits and the potential security risks of any new technology solution.
Purchasing and deploying smart office technologies that serve the needs of the business and improve the day-to-day work environment for employees is a better strategy than deploying technology for technology’s sake. Applying technical controls and proactively mitigating the potential risks of new technologies remains a better choice than reactively issuing public apologies from breaches caused by an overly permissive stance towards adopting new technologies.