WFH Now: What Leaders Need to Know
COVID-19 is causing many industries – hospitality included – to quickly adapt to new ways of conducting business, which of course includes a large work-from-home employee base.
How might this experience change the way IT departments across industries, but specifically in hospitality, handle work-from-home protocols in the future?
“It is going to change it forever, in ways we don’t know yet,” says Kristen Menard, director of managed security services at Claro Enterprise Solutions. “I certainly believe that we will see some interesting and positive things happen on a macro scale when it comes to outsourced IT, procurement of technology and the types of technology that we see assume a leading role in the future of work, whether remote or otherwise.”
Take A Long-Term View of WFH
While they may not be exactly sure how the industry will change, security experts anticipate that the work-from-home trend will continue to extend past the end of the pandemic.
“It’s unlikely things will return precisely to ‘business as usual’ when the hospitality industry is finally on the other side of this pandemic,” says Christoph Hebeisen, director, security intelligence research at Lookout, a San Francisco, Calif.-based provider of mobile phishing solutions. “IT security teams would be wise to prepare their networks and fleets of devices for large segments of workers to be working remotely for an indefinite period of time.”
To support this larger-than-anticipated work-from-home workforce, IT departments will need to scale access controls and other key security processes to support the increased workloads indefinitely, says Harrison Van Riper, threat research, team lead, Digital Shadows.
“Before, security teams could largely treat remote workers as an exception, building systems that accommodate them as such,” Van Riper adds. “Moving forward, it’s looking increasingly likely that companies will be forced to treat remote work as the default when building and securing their networks.”
Implement New WFH Protocols
Of course, working from home was a trend that was already on the rise prior to COVID-19. But the pandemic likely will accelerate that trend, Van Riper notes. Thus, when hotels are on the other side of this pandemic, IT departments will likely be tasked with creating a new set of protocols, to follow when onboarding employees, that deal specifically with working from home.
Some of the changes this experience could bring to the forefront include IT departments standardizing remote work policies as part of future employee onboarding, says Heather Paunet, vice president of product management at Untangle. And even employees who are signing up to work from an office regularly will still be given training on software, connectivity, credentials, and VPN security in anticipation that ongoing training will be easier to maintain than an immediate crash course during a crisis.
Kofi Ahrin, PhD student at Rensselaer Polytechnic Institute, agrees, noting there could be a surge in online video tutorials aimed at helping employees set up devices at home or connect to an organization's resources.
“In addition to this, just like a cable company could send a technician to your home to attend to a particular problem, IT employees might be required to visit the homes of other employees to handle more advanced security/tech-related issues,” Ahrin adds.
Review Equipment/Software Purchasing Practices
IT departments will likely find that some employees will transition to WFH permanently, even once the pandemic is over. For this reason, IT staff will need to commit to ensuring more workstations are properly monitored, says A.N. Ananth, CSO, Netsurion. This means they must come within the scope of Security Information and Event Management (SIEM) deployment and/or be protected with endpoint threat detection and response (EDR) sensors that are able to sync up to a SIEM monitored by a Security Operations Center (SOC).
“Quite often, this level of security is restricted to what are deemed ‘critical devices,’” Ananth says. “But as the corporate network perimeter becomes blurred, any vulnerable device becomes a critical device in terms of cybersecurity risk.”
IT departments will likely need to review their equipment and software purchasing practices, says Geoffrey Lottenberg of Berger Singerman. Companies were caught unaware by COVID-19 and have perhaps allowed employees to use personal devices to conduct business, but that will likely no longer be allowed once the pandemic ends.
“This means IT departments will need to invest in more laptops, smartphones, and tablets than ever before. Server-side upgrades are also an absolute must to ensure that the systems can securely handle the influx of remote workers,” he adds.
Ananth also recommends that IT staff implement a zero-trust approach; take inventory of the devices attaching to the network; and perform risk assessment on an employee-specific basis in addition to providing secured laptops for all employees.
Educate Staff on How to Securely Access Data Remotely
Additionally, companies are going to find that a shift to multi-factor authentication for remote working will be necessary, says Mark McCreary, CIPP/US, partner and co-chair of the Privacy and Data Security Practice at Fox Rothschild. And while many companies will implement VPN technology, some might find that it is not the best choice for every employee and that a Citrix or remote desktop service solution is better for some employees.
“This approach allows the company to have better control over the ‘leak’ of data from devices,” McCreary adds.
This work-from-home experience might also jumpstart many hospitality companies’ transition to using the cloud for most – if not all – services and operations, says Rocco Grillo, Managing Director with Alvarez & Marsal’s Disputes and Investigations Global Cyber Risk Services practice. However, this transition does come with a warning.
“Company workforces that transition into remote and virtual operations need to know how to handle data remotely and what new exposures or compliance issues may occur as a result of these new arrangements including monitoring capabilities if this is not happening already,” Grillo says.
This means having well-documented plans for disclosure obligations should sensitive data be exposed inadvertently or through a remote employee’s misuse or even a direct cyber-attack, he adds. Compliance requirements such as General Data Protection Regulation (GDPR) (72 hours), California Consumer Privacy Act (CCPA), Payment Card Industry (PCI) Data Security Standard, NY DFS Cybersecurity, Health Insurance Portability and Accountability Act (HIPAA), Third Party / Vendor Management contractual requirements, and many others underscore the importance of this review.
TIPS FOR EMPLOYEES WORKING FROM HOME
Buy a New Laptop if Possible
If your job hasn’t assigned you a work laptop, you’re likely using a shared personal computer, one that the kids probably use for homework and games. Downloading games and apps, especially free ones, puts your computer at risk for viruses, malware, and ransomware. Nothing on the internet is free. Everything labeled “free” comes with baggage. Either you’re giving away private information, or it’s installing some other program behind the scenes. The safest option during this time is to get the kids their own computer. Or better yet, get yourself a new one. You don’t want a game or app your kids downloaded three months ago to be the reason your company’s network is now compromised.
-- Steve Tcherchian, Chief Information Security Officer, XYPRO
Implement 2-Factor Authentication
Use 2-factor authentication. A second factor adds complexity to the authentication process and provides immense value in terms of addressing the risk. We’ve heard for years that 2-factor authentication should be turned on for everything, yet it’s rarely implemented. Turn it on for everything now, including your NEST thermostat, your iCloud account, your email. Turn it on everywhere possible.
-- Steve Tcherchian, Chief Information Security Officer, XYPRO
Update your router password
Most of us connect to the internet through routers at home. For years routers were shipped with weak default passwords (like “00000”) and even when users were prompted to select passwords of our own, we often chose poor passwords. This is a good time to update your password to something with at least eight characters; include upper- and lower-case letters, numbers, and special characters; and stay away from ordinary words or previously used passwords.
-- Fred Cate, Vice President for Research, Indiana University; Distinguished Professor and C. Ben Dutton Professor of Law; Senior Fellow, Center for Applied Cybersecurity Research
Update laptop and home computer software
Office computers are usually updated automatically, but operating systems and applications on home computers and laptops are often left to chance. Check for updates and install those from software companies you recognize. This is also a good time to enable automatic updates on personal computers.
-- Fred Cate, Vice President for Research, Indiana University; Distinguished Professor and C. Ben Dutton Professor of Law; Senior Fellow, Center for Applied Cybersecurity Research
Be vigilant
Before you click on an attachment or link on a website, think twice about whether it looks suspicious. Phishing attacks are still the most common way of compromising cybersecurity, and often there are clues—promises too good to be true, misspelled words, addresses that appear when you hover over a link that aren’t what you would expect. At the end of the day, there is no better protection against cyberattacks than careful users, exercising common sense. You don’t have to be a computer expert to recognize telltale signs of phishing, just like you don’t have to be a police officer to decide not to walk down an unfamiliar dark street at night.
-- Fred Cate, Vice President for Research, Indiana University; Distinguished Professor and C. Ben Dutton Professor of Law; Senior Fellow, Center for Applied Cybersecurity Research