Nick Heywood, Associate Vice President at Guidepost Solutions, talks to Security magazine about the physical, environmental, and cybersecurity issues behind long-empty offices that are reopening as restrictions lift.
Security: What is your background? And current responsibilities?
Heywood: As Regional Associate Vice President and a member of the Guidepost Solutions Leadership Team, I am responsible for driving and leading our Western Region team to deliver and exceed client expectations with security design and consulting services that deliver value and support the continual evolvement and progression of our clients’ security programs. Identifying solutions and promoting growth opportunities for clients is an essential element of my role, as well as ensuring our team engages in trusted advisory relationships with clients.
Security: The workplace is once again shifting and coming into focus as restrictions lift and more people are vaccinated. Are office environments safe from a physical and cybersecurity perspective?
Heywood: Before the pandemic lockdown, many businesses operated with robust physical security programs and cyber hardening measures that placed an emphasis on maintaining the safety and security of their people, and a focus on preventing outsider threats from penetrating critical network infrastructure and sabotaging intellectual property. While many of those pre-pandemic office and business operations environments remain, it may be risky to make assumptions that the conditions left behind a year ago will be found in the same state. Business leaders should be asking: will the pre-pandemic conditions meet the ‘new’ working environment that employees expect?
We have seen business owners and operators acknowledge that change to the working environment must and will occur. To ensure that the workplace remains safe, we recommend assessing several important contributors to the security posture. These include environmental security, physical security, and cybersecurity. Assessing change to these factors as return-to-office gathers pace cannot be overlooked; the status quo security measures of pre-pandemic are likely not sufficient in the changed working environment.
Security: What are some of the physical, environmental, and cybersecurity issues that security leaders will have to address prior to the return of employees to facilities and offices?
Heywood: Here's what you should consider:
In terms of physical security, the factors to consider may include reassessing the security technology currently deployed. Do your systems still function in a manner that meets new operational needs? Is the pre-pandemic functionality of systems reflective of current and new operational needs? Are electronic security technology systems supported by back-up power measures and are they functioning as intended? Are there any compromises to the built environment that need to be remediated? Does the built environment path of travel for pedestrians flow in a manner that supports and maintains potential future social distancing needs? Is there seamless touchless entry and egress capability? Are there maintenance issues that need to be addressed that compromise your physical security program? Are electronic security program updates current? Have systems been maintained during the work-from-home period?
Examine what has changed about your business location in the past year. Has there been an uptick in crime since the pandemic hit? Consider the impact of crime on your business operation and the safety and security impact upon your business assets and people. Are there specific trends and patterns in crime activity, i.e., unauthorized entry, vagrants, serious crime including aggravated assault, rape, and homicide? Consider how crime statistics, both existing and future forecast, may affect your security program and current mitigation plans. Do you need to update your security program policies and procedures to reflect the new environment of operation?
Cybersecurity measures to secure critical network infrastructure play just as important a part in your security posture as business location and physical security measures. Cyber measures serve to prevent an often-silent breach to gain unauthorized access to protected data and intellectual property. Implementing measures and employee training to generate good cyber awareness and protect against phishing, ransomware, malware, and other cyber-attacks should be considered. If your business did not consider or implement cybersecurity measures pre-pandemic, now is the time to address and correct the situation. The returning workforce lives in a world that thrives on the Internet of Things (IoT). Personal devices are a source of weakness and penetration when connected to your business networks. Implementing cyber measures to mitigate risk and maintain business continuity should be at the forefront of your return-to-work process.
Security: How can security plans be adjusted to meet the new safety and health expectations from employees?
Heywood: Security plans should already be subject to regular review and revision based on business operational needs. The adjustment of plans in this situation should be no different. Reviewing, amending, and reissuing of security plans to all employees should be a standard practice. The post-pandemic return-to-work operational security changes are key to demonstrating to employees that change has occurred, that it has been addressed, and that the business is formalizing those changes and communicating them to provide guidance and set expectations of the new working environment. The security plans are a component of the bigger picture and should be tackled just as health and safety plans are being rewritten to meet the changed working environment.
Security: How can security leaders update and retool their network infrastructure to support remote workers, hybrid workers, and full-time in-office employees?
Heywood: The unprecedented COVID-19 pandemic confirmed that the way we conduct our business has changed, and the hybrid work environment is appearing to be the new normal, with some employees not wanting to return to the office full time. Legacy systems and on-prem solutions may not work for the new hybrid workforce. IT and security leaders should be looking into a mix of on-prem and cloud-based solutions to support the digital needs of employees both onsite and remote based. However, remote access and cloud solutions will increase cybersecurity vulnerabilities. Businesses should be looking to mitigate risk by considering the following:
- Implement encryption.
- Ensure all applications support multifactor authentication.
- Block the firewall traffic by default, allow only necessary traffic, and monitor user access.
- Implement cybersecurity screening policies for IoT devices.
- Train all employees on how to maintain the security of work IoT devices and computers.