The Office of Personnel Management’s 2020 Federal Employee Viewpoint Survey notes that while 23% of federal employees indicated the pandemic was “extremely” or “very” disruptive to their work, federal employees reported a minimal impact to their workplace effectiveness. This continued effectiveness can be attributed to IT leaders that quickly made remote work possible for employees, including recognizing and addressing important considerations like significant security concerns.
One year later, as agencies roll out plans to reopen or continue telework scenarios, there are bigger threats to consider than the initial hurdle of mass telework. IT administrators need to prepare to support a more challenging transition to maintain security as employees return to the office.
While employees were teleworking, many developed poor security practices. They likely conducted some level of data mingling—using personal devices for work and government-issued devices for personal activities—and may have connected to personal networks. These activities all present opportunities for cyber threats. While public and private sector organizations have seen their fair share of cyber incidents over the past year—a new ransomware attack seems to appear every week—many attackers may have been lurking in the background, waiting for devices to reconnect to agency networks that contain even more sensitive data.
It’s inevitable that some employees will unknowingly bring compromised devices back to the office and expose the agency to new threats. IT leaders must be prepared for this scenario. To reduce risk, IT leaders can start by implementing IT policies designed for a mixed work environment, ensuring data is backed up so it’s always available regardless of a potential attack and heightening employee cyber hygiene.
When employees come back to the office, so will the equipment they’ve been using from home. These devices are a major security risk — it’s safe to assume that many users have not maintained the same protocols they did while working in the office. IT leaders should physically go through all resources that have been out of the agency perimeter to ensure they’re ready to re-enter without a cause of concern.
IT leaders can ensure devices are secure by rolling out risk assessment policies for employees and their respective devices. There needs to be a framework that clarifies what devices have been regularly maintained and vetted for vulnerabilities. IT leaders need to know what updates were made, what applications were downloaded and what types of networks a device connected to while employees worked remotely. An employee should detail the device’s location, how it was connected to the internet and login information. This organizational clarity helps in the long run and ensures that the procedure is preserved.
Before IT leaders authorize employees back on their networks, they also need to check to see what passwords have been given away. When work equipment was at home, employees may have used the same passwords for personal and work-life instances. Doing so ultimately increases an employee’s attack surface and is a significant risk for agency networks.
Practices for a hybrid work world
After working from home for an extended period, many employees have let standard best practices slack. IT leaders can start by re-educating their employees on the best practices they should have been following all along, as well as by bringing back regular trainings to ensure employees can spot phishing emails, malware and other threats.
New guidelines will need to be created to ensure employees understand the right methods for safely and adequately downloading materials. There may be a split in telework employees, full-time office employees and hybrid employees which all requires different protocols and standards. Employees must know what procedures to follow and be aware of any high-level IT changes that would affect their work and equipment.
Ensure backups are maintained
If an agency experiences a ransomware attack or a hardware failure occurs as employees start returning to work, the most critical priority is recovering data to ensure agency continuity. IT leaders need a proper backup and recovery strategy that includes off-site replication.
As a starting point, IT leaders should reinforce a “3-2-1-1-0” backup rule. Employees will need to maintain at least three copies of business data, store critical business data on at least two different types of storage media and keep one copy of the backups in an off-site location. Lastly, store one of the media offline and ensure that all recoverability solutions have zero errors.
If employees maintain this backup strategy, it will be easier for agencies to navigate the risks ransomware poses and keep all service levels running without data loss.
As agencies move employees back to the office, it will be challenging to return to pre-pandemic normalcies. Just as human resources will need to create new guidance, IT leaders will need to ensure security in the transition.
For those eager to go back to the office full time or in a hybrid capacity, there’s essential IT and cyber preparation needed to secure network environments, devices, software and more. Taking simple proactive measures and guidance will be helpful in the long run for federal agencies to strategically manage their workforce to succeed as they make plans to return to the office.
Mike Miller is the Vice President of Federal at Veeam.