WFH Now: What Leaders Need to Know

COVID-19 is causing many industries – hospitality included – to quickly adapt to new ways of conducting business, which of course includes a large work-from-home employee base. 

How might this experience change the way IT departments across industries, but specifically in hospitality, handle work-from-home protocols in the future?

“It is going to change it forever, in ways we don’t know yet,” says Kristen Menard, director of managed security services at Claro Enterprise Solutions. “I certainly believe that we will see some interesting and positive things happen on a macro scale when it comes to outsourced IT, procurement of technology and the types of technology that we see assume a leading role in the future of work, whether remote or otherwise.”

Take A Long-Term View of WFH

While they may not be exactly sure how the industry will change, security experts anticipate that the work-from-home trend will continue to extend past the end of the pandemic.

“It’s unlikely things will return precisely to ‘business as usual’ when the hospitality industry is finally on the other side of this pandemic,” says Christoph Hebeisen, director, security intelligence research at Lookout, a San Francisco, Calif.-based provider of mobile phishing solutions. “IT security teams would be wise to prepare their networks and fleets of devices for large segments of workers to be working remotely for an indefinite period of time.”

To support this larger than anticipated work-from-home workforce, IT departments will need to scale access controls and other key security processes to support the increased workloads indefinitely, says Harrison Van Riper, threat research, team lead,  Digital Shadows.

“Before, security teams could largely treat remote workers as an exception, building systems that accommodate them as such,” Van Riper adds. “Moving forward, it’s looking increasingly likely that companies will be forced to treat remote work as the default when building and securing their networks.”

Implement New WFH Protocols

Of course, working-from-home was a trend that was already on the rise prior to COVID-19. But the pandemic likely will accelerate that trend, Van Riper notes. Thus, when hotels are on the other side of this pandemic, IT departments will likely be tasked with creating a new set of protocols to follow when onboarding employees that specifically deal with working from home.

Some of the changes this experience could bring to the forefront include IT departments standardizing remote work policies as part of future employee onboarding, says Heather Paunet, vice president of product management at Untangle.  And even employees who are signing up to work from an office regularly will still be given training on software, connectivity, credentials, and VPN security in anticipation that ongoing training will be easier to maintain than an immediate crash course during a crisis.

Kofi Ahrin, PhD student at Rensselaer Polytechnic Institute agrees, noting there could be a surge in online video tutorials aimed at helping employees set up devices at home or connect to an organizations resources.

“In addition to this, just like a cable company could send a technician to your home to attend to a particular problem, IT employees might be required to visit home of other employees to handle more advanced security/tech related issues,” Ahrin adds.

Review Equipment/Software Purchasing Practices

IT departments will likely find that some employees will transition to WFH permanently, even once the pandemic is over. For this reason, IT staff will need to commit to ensuring more workstations are properly monitored, says A.N. Ananth, CSO, Netsurion. This means they must come within the scope of Security Information and Event Management (SIEM) deployment and/or be protected with endpoint threat detection and response (EDR) sensors that are able to sync up to a SIEM monitored by a Security Operations Center (SOC).

“Quite often, this level of security is restricted to what are deemed ‘critical devices,’” Ananth says. “But as the corporate network perimeter becomes blurred, any vulnerable device becomes a critical device in terms of cybersecurity risk.”

Likely IT departments will need to review their equipment and software purchasing practices, says Geoffrey Lottenberg of Berger Singerman. Companies were caught unaware by COVID-19 and have perhaps allowed employees to use personal devices to conduct business, but that will likely no longer be allowed once the pandemic ends.

“This means IT departments will need to invest in more laptops, smartphones, and tablets than ever before.  Server-side upgrades are also an absolute must to ensure that the systems can securely handle the influx of remote workers,” he adds.

Ananth also recommends that IT staff implement a zero-trust approach; take inventory of the devices attaching to the network; and perform risk-assessment on an employee-specific basis in addition to providing secured laptops for all employees.

Educate Staff on How to Securely Access Data Remotely

Additionally, companies are going to find that a shift to multi-factor authentication for remote working will be necessary, says Mark McCreary, CIPP/US, partner and co-chair of the Privacy and Data Security Practice at Fox Rothschild. And while many companies will implement VPN technology, some companies might find that they’re not the best choice for every employee and thus Citrix or remote desktop service solution is better for some employees.

“This approach allows the company to have better control over the ‘leak’ of data from devices,” McCreary adds.

This work-from-home experience might also jumpstart many hospitality companies’ transition to using the cloud for most – if not all – services and operations, says Rocco Grillo, Managing Director with Alvarez & Marsal’s Disputes and Investigations Global Cyber Risk Services practice.  However, this transition does come with a warning.

“Company workforces that transition into remote and virtual operations need to know how to handle data remotely and what new exposures or compliance issues may occur as a result of these new arrangements including monitoring capabilities if this is not happening already,” Grillo says.

This means having well-documented plans for disclosure obligations should sensitive data be exposed inadvertently or through a remote employee’s misuse or even a direct cyber-attack, he adds. Compliance requirements such as General Data Protection Regulation (GDPR) (72 hours), California Consumer Privacy Act (CCPA),  Payment Card Industry (PCI) Data Security Standard, NY DFS Cybersecurity, Health Insurance Portability and Accountability Act (HIPAA), Third Party / Vendor Management contractual requirements, and many others underscore the importance of this review.