Introduction
The rapid shift from the traditional office to the hybrid office brought on by the COVID-19 pandemic means organizations’ must adapt their workplace processes and policies and respond to the growing workforce expectations equally rapidly without compromising safety and performance.
Naturally, for a flexible work environment to function as efficiently as it can leaders must look at the various performance and productivity factors at play. That being said, overall employee productivity is not the only important aspect to consider in a hybrid work model. Employee safety, physical security and data security are of the biggest issues to tackle in a flexible workplace. While some may look at this as yet another challenge to overcome, it can as easily be seen as an opportunity to strengthen an entreprise’s existing security system and make large scale improvements.
The best way to do so is to assess your hybrid workplace security. The 3-step process is simple and can go a long way in getting you on the right track. Performing a security assessment will shed some lights on the gaps to bridge and how to best go about mitigating risks. In addition, the assessment should also help leaders organize the priority of the necessary improvements so that the bigger issues are dealt with right away.
Step 1: Identifying Stakeholders and Threats
Stakeholders
Performing an extensive assessment such as this one requires the participation of different stakeholders. Working together with cross-functional partners within your organization will facilitate the process from start to finish by helping you gather the points of view essential for success and ensuring that you have access to the necessary resources.
Departments involved in the security assessment planning include:
- Compliance
- Workplace
- Facilities
- HR
- IT
- Executive leadership
Meet with the identified stakeholders before starting the assessment process to discuss the different roles and responsibilities as well as the timeline for the project. It is possible that you will need to hold more than one meeting depending on the size of the organization in order to paint a clear picture of what your goals are and how you are planning on achieving them.
Threats
The best security assessments will identify threats across the entreprise’s various operations by answering the following: what is the worst possible scenario, or incident, that can occur under any given pillar? Asking yourself this question for each affected area will allow you to identify the most significant threats.
The areas to assess are listed below:
- Physical security: prevents unauthorized access to a company’s facilities, equipment, and resources
- People security: protects against malicious, negligent, and unintentional insider threats
- Data security: prevents breaches of critical company data stored across devices, networks, and the cloud
- Infrastructure security: protects against service disruptions that may threaten business continuity
- Crisis management: minimizes emergencies on a company’s employees and business
Moreover, you will need to tailor your list of threats to the hybrid office meaning that you will need to include emerging potential risks directly related to flexible work.
In the category of data security, risks linked to the hybrid work model may resemble the following:
- Phishing scam
- Ransomware attack
- Malware/virus
- Unauthorized disclosure of customer data
- Unauthorized disclosure of employee data
- DDoS attack
Once this initial planning is completed you will move on to step 2.
Step 2: Establishing a Grading System
The overarching goal of the security assessment is to evaluate this efficacy of your organization’s security across all pillars and workplaces. As it is with any evaluation, you will need to define the grading criteria that you will use to measure efficacy.
After you have clearly identified all possible threats and risks you will need to create a scoring system sheet. This tool will be used to grade your hybrid workplace security by classifying security risks based on probability of occurence and degree of severity. Your grading system will be used for your security assessment matrix and is essential for conducting the assessment properly.
Below is an example of what your scoring system sheet should look like:
Step 3: Conducting the Assessment
The next step is to perform the assessment using the security matrix. Your matrix will first be divided into the different security pillars listed above, physical, data, and so on, each including various on-site and remote locations where employees work. Then, for each pillar, you will add the identified threats and finish by assigning each threat with a score from your scoring sheet.
Below is a sample of what your matrix might look like, using the data security pillar as an example:
Step 4: Interpreting Results
The last step is to analyze the results of the assessment and apply the key takeaways. You should be able to clearly see the strengths and weaknesses across all pillars and locations. The results of the security assessment will point to emerging needs such as employee training on identification and mitigation of cyberthreats or the necessity of a new access control system for your hybrid office.
Naturally, the findings will vary from one organization to another but regardless of what the results show, you will need to rank the necessary improvements in order of priority since not all threats can be addressed at once. Draft an action plan listing the work that needs to be done, the people responsible for each task, and the timeline for the rollout of the improvements.
Your ranking system should go as follows:
- 1st: Intolerable risks
- 2nd: High risks, critical risk
- 3rd: Moderate risks
Alternatively, you could focus on a particular workplace location or pillar of activity depending on urgency and scale the security improvements across other areas once the immediate risk has been adequately addressed.
Conclusion
A security assessment is critical in order for your organization to enjoy a secure hybrid work environment. The approach outlined above will help reveal potential risks and help you prioritize key improvements.
