Restarting business with security in mind
Read Senior Manager Bryan Beesley's latest article and learn more about restarting business with security in mind.
With the recent local relaxation of COVID-related lockdown requirements and as Manx businesses re-open, staff will begin returning to the office, or other places of work, in greater numbers. With health and safety paramount, what changes to working practices should be considered to maintain security and privacy hygiene and effectively manage your security team? Restarting business with security in mind is vital and below are some security and privacy considerations for returning to the workplace.
Health and safety — the first priority
The Chief Information Security Officer (CISO) should ensure they're looped into conversations between Human Resources, Facilities, Legal and IT to guarantee adequate consideration is given to security and privacy in the new 'return to the office' environment. As well as providing input on the risks, the CISO should consider what practical guidance they could offer.
We’ve put together some questions to help you assess the changes that need to be made:
- How can the security team operate during the transition period and what processes and behaviours should be retained in the long-term?
- How can you enable the business to operate safely during this unusual operational phase? What risks are you willing to temporarily accept during the transition into the new normal?
- As physical distancing requirements ease in the longer term, what are the new physical security and data protection considerations around the office?
A physically distanced security team
Security teams may have become used to working remotely, so what does their transition back into the office look like?
- Are they able to sit together in the same part of the office, with access to their previous monitors and equipment, or will space be reconfigured to accommodate newly spaced out business teams?
- Will the team be allowed in the office at the same time? If not, does this limit the team's ability to perform regular security activities?
- Do they still have access to the servers, backup safes and security operations spaces? Will there be a limit on how many people can use enclosed spaces at once?
- Has there been turnover in the team during remote working? Do they need new physical IDs or hardware? Are these in short supply, and could this affect their ability to work at this time?
- Where organisations require workers to prove they have tested negative for COVID-19 before returning to the office — can arrangements be made for the security team to undergo such testing to smooth the transition?
Supporting physical distancing requirements
As well as enabling the security team to work effectively in the new normal, it’s critical to support the business with privacy and security hygiene. How can you help them accommodate physical distancing measures?
- Employees and contractors may be spaced out across meeting rooms, breakout areas and cafeterias that aren’t adequately protected by physical security controls. Previously restricted areas may be used to accommodate workers that don’t ordinarily get access to them. Are you recording the changes made, or else advising on alternatives?
- Revised guidance on external visitors in public office areas may need to be provided, along with secure working guidance for employees in atypical spaces.
- Work with the facilities management team to understand how to provision secured hardware, security cables and privacy screens for employees.
- Could any physical security controls increase the risk of infection? For biometric controls such as fingerprint scanners, are there alternatives? Some doors will have been converted to automatic to avoid physical contact — have the relevant security controls been adapted to support this?
New faces in the office
There may be many new faces in the office, with some staff turnover during the transition. What effect will this have on the ability to recognise intruders?
- How are access and monitoring being handled for new onsite cleaning staff and contractors that may be brought in to deep clean the office? How is their physical access being managed? Are visitor IDs required? If so, are there enough?
- During post-pandemic deep cleaning efforts, cleaning staff may need to access areas not normally touched, such as server and comms rooms. How are you supervising access to these rooms? Are these contractors being vetted as usual?
- Many employees may still be wearing casual clothing or may be required to wear masks. What new guidance can be provided to teams to help them to recognise intruders, and challenge them politely?
Restoring good practice
Staff returning to the office may have lapsed in good office practices after spending months at home. Remind them of your company’s security and privacy hygiene procedures.
- Are they continuing to wear staff IDs and lanyards? Are they using privacy screens and locking monitors when unattended?
- Are staff keeping desks and office printers clear of confidential data in compliance with clear desk policy?
- Be ready to provide new privacy screens, IDs, lanyards and key fobs and consider if it may be worth increasing the frequency of physical security hygiene reviews (including clear desk reviews) to re-establish the culture.
- Employees may have amassed confidential paperwork while working from home. Remind employees to collect and bring all sensitive data back to the office to be disposed of securely, and ensure confidential waste bins have enough capacity.
- As staff work remotely more often, remind them of the risks of taking data off site, and of policies around removable media, print copies and hardware.
Thinking about the longer term
Your organisation's working arrangements may have permanently shifted.
- There may be a rush to come back to the office at first, but some employees will have become used to working remotely and may choose to work more frequently from home. How do you adapt your longer-term controls such as insider threat monitoring?
- It’s critical to enable home working and to revise approaches to communicating security culture. For example, do posters on the wall work when not all employees will see them?
- How can you evidence the measures you’ve taken during this time? If your organisation has an ISO 27001 certification, which assesses physical security and employee security hygiene, how can you demonstrate you’ve been governing risks effectively?
© 2023 KPMG in the Crown Dependencies is the business name of a group of Jersey and Isle of Man limited liability entities each of which are member firms of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.