Much of the discourse around getting employees back to the office has been focused on convenience and accommodations but a year of working from home with lax physical and IT security protocols may prove to be the biggest challenge. With cyber-attacks and hacks making headlines with increasing frequency, ensuring that physical access controls and IT security protocols are being followed will shape the office of the future. As the shift towards hybrid work creates new security vulnerabilities for the office, our offices and our office practices will have to adapt.
The physical office
Access control has changed permanently. With remote work set to play a significant role in offices long-term, how and when people come to the office is changing. Security used to mean making sure checking everyone in at 9 am and out at 5 pm was as streamlined and safe as possible. Now that people’s relationship to the office is changing, workers and visitors are coming and going with more frequency and less predictability, posing new risks security must adapt to meet. Smart access control systems are becoming a must-have. Not only do access control systems ensure secure access, but they can also help understand occupancy by collecting and aggregating data collected at entry and exit points. To protect security personnel by limiting interactions, collecting the most useful data, and ensuring access is as quick and easy as possible, offices are turning to automated access control.
Most offices already had access control with some form of authentication procedure in place. Many forms of authentication require too much physical contact. Using a key on a door, pushing buttons on a keypad, touching a biometric scanner, elevator buttons and even electronic proximity credentials are all being phased out in favor of contactless entry. Upgrading to equip access points with Bluetooth Low Energy (BLE) or Near Field Communication (NFC) enabled card readers allows offices to use device credentialing or electronic wearables for touchless entry.
When using a touchless system, some inadvertent door locking can occur. To minimize the impact, HID, Wavelynx, Openpath, or other forms of hand-wave readers can help. Hand-wave readers can be created utilizing UHF long-range identification to help keep entry touchless. Identity enrollment can be done via the cloud, issuing credentials or revoking them remotely. For ultra-secure offices, touchless biometric scanning options are available (if pricey). Facial recognition and iris scan devices can be wall-mounted, some vendors even offer contactless palm scanning.
Visitor management is another issue paramount in office security. Some offices are switching to self-registration tools for visitors to limit face-to-face interactions, sometimes eliminating the need for a receptionist altogether. Handwriting temporary badges should be a thing of the past. Printers can be placed near access points so visitors can take them themselves. Video surveillance can help to augment the effectiveness of all security protocols, analyzing video footage for compliance.
Even the most advanced gate is only as good as its gatekeeper. Office security is about following best practices at all times so building staff and occupants need to follow proper protocols. We are creatures that generally take the path of least resistance so it is important that systems are designed to help people follow the steps needed to keep everyone safe.
For most teams, cybersecurity has been lax over the past year, with members using personal devices with more frequency and remotely accessing critical company files and servers more often. A recent report found 61 percent of respondents used their own personal devices for work at home while only nine percent used an employer-issued antivirus solution. The process of employees coming back to the office could mean bringing a compromised device directly onto your company’s network. Even work computers may be exposed. It goes both ways, some workers may be using personal devices for work, others may be using work devices for personal use, hosting social gatherings, streaming, gaming, or shopping. Just like physical security, devices need to be credentialed and authenticated when they come to an office.
A device risk assessment may be worth the IT department’s time. Auditing which devices have been patched and regularly maintained with anti-virus software will help to understand where vulnerabilities are. Scanning company devices for unauthorized software or apps, endpoint detection will help expose cybercriminals who often target them specifically. Resetting passwords can be useful if employees were sharing devices with family members. Scheduling training to reacquaint employees with proper IT security protocols in the office will help to reinforce the importance of cybersecurity.
Hybrid workers pose a unique challenge for IT security. When work is being done exclusively on the company’s network, IT has tools that help protect devices as long as they’re centralized. Hybrid workers bringing devices to and from work multiple times a week pose a serious risk. Hybrid workers need to be aware of the threat and do their best to personally manage their own cybersecurity, making sure work and personal passwords are different. Cybercriminals sense an opportunity, 61 percent of malware attacks through cloud applications targeted remote workers. Cloud applications being used by the business are up 20 percent over the same time frame, increasing exposure to malicious attacks. Over one-third of all phishing attacks now target cloud-based apps that remote workers rely on.
To protect remote or hybrid workers, IT departments should consider using multifactor authentication and enabling single sign-on so attackers can’t abuse automatic sign-ins. It’s not convenient for employees working remotely, but it’s crucial for security. Data encryption is a last line of defense. Encryption can be expensive, costing hundreds of dollars per user per year, but it ensures that in the event of a breach, any data bad actors take is unusable.
Security comes down to diligence, both building and tenants IT security teams need to be prepared, making a special effort to monitor activity and flag issues as they arise in real-time. The next few months will help to form new standard operating procedures of physical and IT security that will keep new forms of flexible office hours safe. It will be challenging, but if this past year has taught us anything, it is that people will rise to the occasion when under adversity.