Mailing Systems Technology March/April 2022


THREE CRITICAL STEPS TO SECURING HYBRID MAIL CENTERS AND MANAGING CYBERSECURITY RISK

By Mike Sanders

The past two years have tested the resilience of businesses in unprecedented ways, proving that change really is the only constant in life. COVID-19 transformed the “work-from-home” option from an occasional perk to standard operating procedure. This has required businesses to quickly adapt their cybersecurity programs to accommodate a remote workforce and defend against increasingly sophisticated attacks from malicious actors. In response to the rise in teleworking, compliance requirements also became more stringent, requiring businesses to find novel ways to validate their teleworking controls.

As offices reopen, organizations must grapple with the reality of a workforce that has become accustomed to the benefits of working from home. According to a recent Gallup poll, 91% of US remote employees want work-from-home options to continue once offices reopen. At the same time, teleworking has led to an explosion of cyber attacks, which increased from fewer than 5,000 per week in February 2020 to more than 200,000 per week three months later.

The new hybrid workplace, while transforming post-pandemic operations, has vastly increased the number and type of threat vectors that can be used to instigate malicious attacks. The traditional approach of hardening the company premises with centralized IPS, firewall, anti-virus, and other defense mechanisms is no longer adequate as the corporate data network has expanded past the traditional brick and mortar to include every work-from-home user and all of the workstations and networking infrastructure used to connect to the company network.

In addition to securing and monitoring the mail center’s network, there is a critical need to manage and secure remote connections to company networks, which may originate from external internet service providers via non-company-managed devices. Providing guidance on the use of company resources in the home office, as well as on company premises, will also be key. Here are three steps every company needs to take:

Define policies for hybrid work to promote a culture of compliance

To navigate the challenges of a hybrid workforce, some companies have invested in expensive software that monitors employee activity, while others have resorted to video tours and screenshots to demonstrate the security of their teleworking controls. However, ongoing privacy concerns, limited resources, and practical barriers to monitoring employee activity limit the effectiveness of these solutions.

To secure your mission-critical communications, you’ll need to develop robust policies and procedures surrounding acceptable use of company assets, bring your own device (BYOD), and remote access. If employees need to access company network resources or applications from a home office, make sure there are policies to address how to securely connect to your corporate network, including procedures for logging into your company’s VPN and procedures for use of multifactor authentication (MFA) tokens, if applicable. You’ll also want to define how and when employees can use company resources and cover restrictions on the use of personal email and cloud storage accounts. If employees handle print correspondence, emphasize the importance of protecting sensitive information by marking communications as confidential, concealing any sensitive information from public view, and clearly indicating the intended recipient.

If you maintain any security certifications, be aware that increased reliance on a hybrid workplace is raising the bar on teleworking requirements. For example, the HITRUST CSF requires businesses that use teleworking to implement suitable protections to prevent unauthorized remote access, as well as theft of company equipment and information. Additional requirements include implementing multifactor authentication and verifying that remote offices comply with your company’s security policies and procedures.

Foster a security-first mindset through training

Training employees on effective security awareness is fundamental to ensuring everyone in the company understands and complies with your cybersecurity policies and procedures. Will employees be using smartphones to access the network? If so, provide instruction on how to use security-related apps

