COVID-19 has changed the way every business operates. As alternative investment firms consider how reopening their offices might work, many of our hedge fund and private equity CTOs are asking about the cybersecurity implications of moving to a shared office model. Below, Agio’s alternative investment cybersecurity experts weigh in on what to consider.
But first, what is a shared office model? We define this in two categories: hot desking and coworking. Each category presents unique concerns—let’s dig into the details.
Hot desking refers to an office layout where multiple employees use the same workspace at different times. The concept is popular in industries where shift work is prominent, such as call centers. In the wake of COVID-19, alternative investment firms have been considering hot desking to accommodate staggered in-office schedules that facilitate social distancing. Hot desking lets employees schedule the days they want to be in the office and could reduce overall office size. The system has its benefits, but it also comes with some inherent risks. Here, we explore recommendations to consider before moving your firm to a hot-desking layout:
- Screen shields should be placed on devices to prevent passersby from seeing private information. More employees, vendors, and guests will be moving around in an open space, increasing the risk of shoulder surfing.
- Full-disk encryption on laptops becomes more important as devices are at a higher risk of being lost or stolen in a hot-desking environment. Having the ability to remotely wipe lost or stolen devices is desirable.
- Employees will need space to have sensitive conversations. This is a common concern with any open office plan and is relevant for hot-desking offices as well. Ensure your team has access to conference rooms, phone booths, or other ample space to conduct private discussions when the need arises.
- If your users must keep hard-copy documents or store their laptops overnight, they will need a secure place to do so. Since employees may not always use the same workspace each time they are in the office, consider providing designated lockers or locked file cabinets for each employee to store items they don’t want to regularly carry to and from the office.
- The ability to detect unauthorized devices on the network, or to prevent them from joining in the first place (i.e., Network Access Controls or NAC), becomes more important in a hot-desking layout. Employees are less likely to notice when something looks out of place in the office, like a rogue device plugged into a spare network jack.
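The detection half of that last recommendation, as an added example that is not part of the original article or Agio's tooling: because hot-desked laptops move between jacks, the check compares what the switch sees against a device inventory and a list of jacks that should be idle, rather than pinning a device to a port. The table format, inventory, and port names are constructed for illustration.

```python
import re

# Constructed sample: rows in the style of a switch MAC address table
# (VLAN, MAC, type, port). Not taken from any real network.
SAMPLE_TABLE = """\
10  3c22.fb10.a001     DYNAMIC  Gi1/0/1
10  3C:22:FB:10:A0:02  DYNAMIC  Gi1/0/2
10  b827.eb44.0c9d     DYNAMIC  Gi1/0/2
10  3c22.fb10.a003     DYNAMIC  Gi1/0/7
"""
# Hypothetical inventory of firm-issued devices, and jacks that should be idle.
INVENTORY = {"3c22fb10a001", "3c22fb10a002", "3c22fb10a003"}
SPARE_PORTS = {"Gi1/0/7", "Gi1/0/8"}


def normalize_mac(raw):
    """Reduce any common MAC notation to 12 lowercase hex digits, else None."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    return digits if len(digits) == 12 else None


def parse_table(text):
    """Yield (mac, port) pairs, skipping blank or malformed rows."""
    for line in text.splitlines():
        fields = line.split()
        mac = normalize_mac(fields[1]) if len(fields) == 4 else None
        if mac:
            yield mac, fields[3]


def audit(text, inventory, spare_ports):
    """Return sorted (port, mac, reason) findings for follow-up."""
    findings = set()
    per_port = {}
    for mac, port in parse_table(text):
        per_port.setdefault(port, set()).add(mac)
        if mac not in inventory:
            findings.add((port, mac, "unknown device"))
        if port in spare_ports:
            findings.add((port, mac, "device on spare jack"))
    for port, macs in per_port.items():
        if len(macs) > 1:  # several MACs behind one jack suggests a hub or mini-switch
            findings.update((port, m, "multiple devices on one jack") for m in macs)
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_TABLE, INVENTORY, SPARE_PORTS):
        print(*finding, sep="\t")
```

A desk phone with a pass-through port also shows two MACs on one jack, so that finding is a prompt to check the desk, not proof of a rogue device.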
COVID-19 Specific Safety
- Proper sanitization between in-office shifts is important to ensure employees do not spread the virus to their office mates.
Coworking refers to a single office space that is occupied by different companies (WeWork, Industrious, etc.). Coworking enables cost savings through the use of shared resources such as office furniture, receptionists, and facilities management. While opinions vary widely on the direction the coworking industry is headed, the fact remains that these spaces offer an opportunity to reduce the overhead costs associated with occupying and operating an office space.
Moving into a shared office space presents the same security risks as hot desking, with additional concerns since firms no longer own the network that users connect to and do not control physical access to the space. If your firm is looking to utilize coworking spaces post COVID-19, consider the following:
- Who is allowed into the space and how is that access controlled? Will you be notified if a company employee enters your firm’s space? Can you monitor access yourself? Each coworking company handles physical access controls differently and its policies should be in line with your expectations and included in the contract language.
- Does the coworking space have video surveillance, monitoring, and logging in place? Will you be able to review surveillance footage if a device goes missing? Again, confirm that the coworking company’s policies are in line with your expectations.
- If devices will be staying in the facility, is there a locked room? Will any other parties have access to that room? Like hot desking, ensure that documents or devices stored by employees in the coworking space can be secured.
- Your firm does not own the network or control who connects to it, so it’s best to assume all network traffic is being observed. This means that encrypted protocols are mandatory. A VPN can be used to ensure all traffic is encrypted, and all web traffic should be over HTTPS.
- Are members given a dedicated network segment or is the network shared for all members? Some coworking spaces have been known to configure multiple companies to share the same network segment, exposing those companies to unnecessary risks.
- Is there a separate guest network for nonmembers? Most companies will have guests in the office space; it’s important that they are not allowed on the same network as your firm.
- Does the coworking space block access to certain websites? Can your firm enable and customize content filtering? Be sure to understand any content filtering the coworking space may have in place or offer, that it is in line with your expectations, and that it will not interfere with normal operations.
- Employees will often migrate from spaces shared by multiple companies to your firm’s designated office space. Device lockout periods should be very short (around 15 minutes) to avoid unlocked, unattended devices left in communal spaces.
- Devices should receive operating system and software updates on an aggressive schedule to reduce the risk of software vulnerabilities being exploited on the shared network.
- File sharing should be disabled on all devices, especially if no network segmentation is in place. Cloud file storage services, such as SharePoint or Box, can be used to securely store, transfer, and collaborate on documents.
COVID-19 Specific Safety
- The coworking space should be treated the same as any other public location. Local face mask and hand sanitizing recommendations should be followed.
Agio is the trusted cybersecurity partner for many alternative investment firms. Our team enables clients to stay flexible and adapt to changing times while remaining secure, reliable, and resilient. Give us a call if you’re considering making updates to your office layout; we’ll guide you through the transition and ensure you are not introducing unnecessary cybersecurity risks.