4 Dos and Don’ts of Information Security in the Workplace

There are just two types of companies in the world: those that have already been hacked, and those that will be. The only companies that can effectively fend off attacks are those that proactively invest in cybersecurity measures.

Over the past decade, we’ve seen a sharp rise in smart office buildings and hybrid workforces. As a result, more building managers rely on strong internet connections and complex computer networks for almost everything, including elevators, HVAC systems, bathrooms, printers, security cameras, overhead lights, and more.

In many ways, these new technologies have yielded positive change. For example, they help buildings run more efficiently by monitoring maintenance needs in real time. That way, building operators don’t have to wait until the HVAC unit breaks down in the middle of winter to make necessary repairs. And during the COVID-19 pandemic, smart office buildings could account for social distancing guidelines by tracking foot traffic.

At the same time, when everything in the building is connected to the internet, it opens companies up to new cybersecurity challenges. For example, hackers could gain access to a building’s lighting controls. From there, if the other systems aren’t properly configured and protected, they could use the lighting system as an entry point into the rest of the building’s network.

Additionally, as more companies move to a hybrid workforce model following the pandemic, they also need to strengthen their cybersecurity to address remote work vulnerabilities. When most or all employees worked from a shared space, IT could create security perimeters more easily. But more employees telecommute now, and a Microsoft study found that 67% of employees use personal devices for work. And nearly three-quarters of companies point to technologies put in place during the pandemic to explain recent cyberattacks.

With this in mind, companies should follow these four tips to secure their smart office buildings and keep their hybrid workforces running smoothly.

1. Do prioritize physical security safeguards.

Putting physical security safeguards in place is always step one. Even the best cybersecurity solution in the world will be rendered useless if someone can just walk right through the front doors to access a smart office building’s network infrastructure.

In high-rise buildings, there are two types of equipment closets. The first is usually in the basement, where the fiber optic lines originate before moving up through the riser. The second is each suite’s private closet, where the lines from the riser terminate. Think about the riser as the main artery of the building: This vertical shaft holds important communication cables and wires that connect to each intermediate equipment closet throughout the smart office building.

Considering how much buildings rely on these systems, it’s easy to see why these closets need to be under lock and key. Consider implementing access controls (such as badge readers) to see who’s coming and going. Additionally, look into installing video cameras to record activity within the closets. Things like locking the front door might seem rather obvious, but there are countless smart office buildings that lack even basic physical security safeguards.

2. Don’t let the policy and procedure binder collect dust.

Most cyber-conscious teams have a binder detailing information security in the workplace, but the binder itself cannot keep the building or network safe. To do that, companies need to enforce their policies and procedures. After all, two-thirds of breaches are due to “employee negligence or malicious acts,” according to Willis Towers Watson.

Just look at the 2013 Target data breach. Much of the reporting around the event focused on an external attack through remote vendor login credentials. Once inside the network, hackers moved laterally to gain access to 41 million customers’ sensitive data, including payment credentials. Although the vendor claimed its “IT system and security measures are in full compliance with industry practices,” it’s likely that a mistake was made somewhere along the way.

Most businesses wouldn’t recover from a cyberattack of this magnitude, so learn from the Target data breach and enforce the guidelines. Remember: An ounce of prevention is worth a pound of cure. Hold intermittent sessions to help workers recognize and fend off tactics such as phishing and spam attacks, and regularly review policies and procedures with them.

3. Don’t neglect cybersecurity tests.

Cybersecurity is not—and will never be—a set-it-and-forget-it solution. Companies must conduct regular vulnerability assessments and penetration testing on both their buildings and corporate networks to ensure everything is secure. Yet beyond sizable publicly traded companies, most offices with 75 or fewer people aren’t conducting these tests at all.

This is a mistake. Consider, for example, the growth in co-working spaces. Being able to access different co-working offices sounds really cool in theory, but that kind of access can pose a lot of physical and cybersecurity challenges. What would happen, for example, if an access badge got into the hands of a bad actor? These are the kinds of scenarios companies need to be testing for.

Vulnerability scanning and penetration testing involve hiring an independent third party to scan, and attempt to exploit, all endpoints, including network connections, servers, and laptops. To get real results, this testing has to be done from both outside and inside the network. Companies should be doing this twice a year at a minimum.

4. Do implement Zero Trust.

Considering the shift to remote and hybrid work, it’s important to assume that there is no traditional network edge. The Zero Trust security framework does just that. It requires all users to be continuously authenticated before accessing a company’s applications or data. By implementing Zero Trust architecture, businesses can protect their networks from external attackers and eliminate internal vulnerabilities.

If companies take a traditional network security approach, which inherently trusts users who are already in the network, attackers can infiltrate and move laterally to cause mass destruction. For instance, an office in Germany experienced a cyberattack in 2021 in which an unauthorized user accessed the building automation system. The attacker was able to lock the owners out of the system and render several hundred BAS devices non-operational, leaving no digital footprint behind. These attacks are truly a matter of when, not if.
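To make the contrast between the two models concrete, here is an added example (not code from the article or its author) that evaluates the same sample requests under a perimeter-trust rule and under a per-request Zero Trust rule. The identities, roles, address ranges, resource paths and the 30-minute re-authentication window are all constructed assumptions for illustration.

```python
# Added example (not from the article): a perimeter-trust check next to a
# per-request Zero Trust check. Identities, roles, IP ranges and resources
# below are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Request:
    user: Optional[str]                  # verified identity, or None if not signed in
    source_ip: str                       # where the connection came from
    mfa_verified_at: Optional[datetime]  # last strong authentication, or None
    device_compliant: bool               # endpoint passes posture check (managed, patched)
    resource: str                        # application or data being requested


# Constructed corporate address space used by the perimeter model.
CORPORATE_LAN = ipaddress.ip_network("10.0.0.0/8")


def perimeter_allows(req: Request, now: datetime) -> bool:
    """Traditional model: anything already inside the LAN is trusted."""
    return ipaddress.ip_address(req.source_ip) in CORPORATE_LAN


# Constructed identity and authorization data for the Zero Trust model.
USER_ROLES = {"alice": {"bas-admin"}, "bob": {"staff"}}
RESOURCE_ROLES = {
    "/bas/hvac": {"bas-admin"},                # building automation console
    "/intranet/wiki": {"staff", "bas-admin"},  # general staff resource
}
MAX_AUTH_AGE = timedelta(minutes=30)  # assumed re-authentication window


def zero_trust_allows(req: Request, now: datetime) -> Tuple[bool, str]:
    """Evaluate every request on identity, authentication freshness,
    device posture and least-privilege role, never on network location."""
    if req.user is None:
        return False, "unauthenticated"
    if req.mfa_verified_at is None or now - req.mfa_verified_at > MAX_AUTH_AGE:
        return False, "authentication stale"
    if not req.device_compliant:
        return False, "device not compliant"
    permitted = RESOURCE_ROLES.get(req.resource)
    if permitted is None:
        return False, "unknown resource"  # deny by default
    if not USER_ROLES.get(req.user, set()) & permitted:
        return False, "role not permitted"
    return True, "ok"


NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
FRESH = NOW - timedelta(minutes=5)
STALE = NOW - timedelta(hours=3)

# Constructed scenarios mirroring the article's concerns.
SAMPLES = {
    # Someone plugged into an equipment closet: on the LAN, never signed in.
    "closet_intruder": Request(None, "10.20.0.7", None, False, "/bas/hvac"),
    # Staff member on the LAN reaching for the building automation console.
    "lateral_move": Request("bob", "10.20.0.9", FRESH, True, "/bas/hvac"),
    # Remote BAS admin on a managed laptop with fresh MFA.
    "remote_admin": Request("alice", "203.0.113.5", FRESH, True, "/bas/hvac"),
    # Same admin, but the last strong authentication is hours old.
    "remote_admin_stale": Request("alice", "203.0.113.5", STALE, True, "/bas/hvac"),
}


def compare(now: datetime = NOW):
    """Return {scenario: (perimeter_decision, zero_trust_decision)}."""
    return {name: (perimeter_allows(r, now), zero_trust_allows(r, now))
            for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (perim, (zt, why)) in compare().items():
        p = "allow" if perim else "deny"
        z = "allow" if zt else "deny"
        print(f"{name:20} perimeter={p:5} zero_trust={z:5} ({why})")
```

The perimeter rule lets the unauthenticated LAN connection and the staff member's lateral move straight through while blocking the legitimate remote administrator; the Zero Trust rule inverts all three outcomes and additionally forces the administrator to re-authenticate once the session is stale. A production policy engine would pull identity, posture and role data from an identity provider and device-management system rather than from the in-memory tables used here.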

Today, we’re witnessing the convergence of physical security and cybersecurity in the modern hybrid workforce. Yet, too many smart office buildings are vulnerable to attacks. Cyber-conscious companies should follow these dos and don’ts to maintain a stronger security front and keep their employees (and themselves) safe.

Ken Schriever is the Director of Information Technology at Ross & Baruzzini, an international technology consulting and engineering firm. Ken manages all aspects of the organization’s information systems, including server hardware, software, telecommunications, email, and security systems. With over 30 years of IT experience, Ken’s project background spans information security governance, business continuity, disaster recovery, system architecture, and integration.