The past two years have tested the resilience of businesses in unprecedented ways, proving that change really is the only constant in life. COVID-19 transformed the “work-from-home” option from an occasional perk to standard operating procedure. This has required businesses to quickly adapt their cybersecurity programs to accommodate a remote workforce and defend against increasingly sophisticated attacks from malicious actors. In response to the rise in teleworking, compliance requirements also became more stringent, requiring businesses to find novel ways to validate their teleworking controls.
As offices reopen, organizations must grapple with the reality of a workforce that has become accustomed to the benefits of working from home. According to a recent Gallup poll, 91% of US remote employees want work-from-home options to continue once offices reopen. At the same time, teleworking has led to an explosion of cyber attacks, which increased from fewer than 5,000 per week in February 2020 to more than 200,000 per week three months later.
The new hybrid workplace, while transforming post-pandemic operations, has vastly increased the number and type of threat vectors that can be used to instigate malicious attacks. The traditional approach of hardening the company premises with centralized IPS, firewall, anti-virus and other defense mechanisms is no longer adequate as the corporate data network has expanded past the traditional brick and mortar to include every work-from-home user and all of the workstations and networking infrastructure used to connect to the company network. In addition to securing and monitoring the mail center’s network, there is a critical need to manage and secure remote connections to company networks, which may originate from external internet service providers via non-company-managed devices. Providing guidance on the use of company resources in the home office, as well as on company premises, will also be key. Here are three steps every company needs to take:
1. Define policies for hybrid work to promote a culture of compliance
To navigate the challenges of a hybrid workforce, some companies have invested in expensive software that monitors employee activity, while others have resorted to video tours and screenshots to demonstrate the security of their teleworking controls. However, ongoing privacy concerns, limited resources, and practical barriers to monitoring employee activity limit the effectiveness of these solutions. To secure your mission-critical communications, you’ll need to develop robust policies and procedures surrounding acceptable use of company assets, bring your own device (BYOD), and remote access.
If employees need to access company network resources or applications from a home office, make sure there are policies to address how to securely connect to your corporate network, including procedures for logging into your company’s VPN and procedures for use of multifactor authentication (MFA) tokens, if applicable. You’ll also want to define how and when employees can use company resources and cover restrictions on the use of personal email and cloud storage accounts. If employees handle print correspondence, emphasize the importance of protecting sensitive information by marking communications as confidential, concealing any sensitive information from public view, and clearly indicating the intended recipient.
If you maintain any security certifications, be aware that increased reliance on a hybrid workplace is raising the bar on teleworking requirements. For example, the HITRUST CSF requires businesses that use teleworking to implement suitable protections to prevent unauthorized remote access, as well as theft of company equipment and information. Additional requirements include implementing multifactor authentication and verifying that remote offices comply with your company’s security policies and procedures.
2. Foster a security-first mindset through training
Training employees on effective security awareness is fundamental to ensuring everyone in the company understands and complies with your cybersecurity policies and procedures. Will employees be using smartphones to access the network? If so, provide instruction on how to use security-related apps and configure mobile devices to comply with “deny all/allow by exception” policies for connecting to the corporate network. Providing training on detecting and preventing phishing incidents is also essential because all it takes is one careless click to compromise your company’s information systems and data.
In case something does go wrong, everyone should know the following five actions to take as part of your incident response plan. Make sure employees know who to contact, what qualifies as a security incident or data breach, when to contact your incident response team, how to contact them, and where to find important information. Create and distribute comprehensive procedures for responding to common security incidents and train every employee on the steps involved. Everyone in the company should also know what to do if their computer is compromised, starting with disconnecting from the company network and unplugging a compromised system.
Whatever you do, don’t rely on canned annual training sessions that merely rehash the same information from one year to the next. Keep your training relevant by incorporating what you’ve learned from recent security events and gamify training through phishing simulations and other activities to provide employees with real-time experience responding to security incidents.
3. Have a plan for identifying and responding to security risks
Teaching everyone how to deal with security incidents is only half the battle. To protect your mail center network from the kind of malicious attack that derailed Colonial Pipeline, you also need to perform regular risk assessments and update your incident response and contingency plans. When conducting your risk analysis, identify any vulnerabilities related to remote access, BYODs, and mobile computing, and make sure your asset inventory includes all endpoints assigned to teleworking employees.
Once you’ve updated your incident response and contingency plans using the results of your risk analysis, make sure you distribute these plans to each facility and member of your incident response team via digital and print channels. By maintaining plans in a variety of formats and locations, you can ensure they will be available when you need them, even if your telecommunications network goes down.
If managing business communications while transitioning to the new normal of a hybrid workforce feels like a tall order, you might consider outsourcing your document mail distribution services to a secure third-party. If you decide to enlist outside services, conduct thorough due diligence for potential vendors. In addition to reviewing their security controls, look for vendors that do SOC 1 and SOC 2 reporting or maintain industry-recognized security certifications, such as PCI DSS and HITRUST.
With both ransomware attacks and hybrid work on the rise, keeping your mail center’s cybersecurity up to date can feel like a constant game of catch-up. Creating robust WFH policies, providing security training, and updating your risk management program will ensure your mail center can successfully handle the challenges of a post-pandemic workplace.
Mike Sanders is Director of Information Security and Systems for DATAMATX, one of the nation’s largest privately held, full-service providers of printed and electronic billing solutions. Find DATAMATX at www.datamatx.com.
This article originally appeared in the March/April, 2022 issue of Mailing Systems Technology.