This year’s pandemic has forced some businesses to relocate workspaces. This article provides actionable recommendations for helping your organization protect its intellectual property, personally identifiable information (PII), and other sensitive data during a move.
Transitioning office space or equipment can be a chaotic time for any organization and can put sensitive enterprise and customer data at risk of exposure. In the last year, for example, we saw Morgan Stanley fined $60 million for failing to properly oversee the decommissioning of several data centers, and the investment bank faced a $5 million class action lawsuit for failing to properly safeguard PII when discarding old computer equipment.
Multiple organizations are considering office moves or downsizing as they prepare for indefinite remote work staffing solutions. This creates opportunities for IT and cybersecurity teams to work together on cyber risk management approaches and designs.
Cybersecurity Risk Management Tips for Your Office Move
An office space re-design or full-scale move increases your risk for a harmful cybersecurity incident. The following practices are key cybersecurity concerns for organizations planning to downsize, upsize, or consolidate their office space:
- Protect Media to be Transported to Your New Space: Are all of your data assets properly classified? Handle all media based on its level of sensitivity. Ensure throughout the move that only authorized staff handle, transport, sanitize, and dispose of media. This may include backup tapes, audit logs, hard copy forms, external hard drives, and more.
- Review Electronic and Software Asset Inventories: Have you classified and inventoried all of your assets? Does your organization have a data policy or an information asset security management policy that provides responsibility and guidelines for asset ownership? If so, when was the last time it was updated? If not, categorizing your assets now can help with understanding how they need to be protected during and after your move. Now is a great time to conduct a full-scale device inventory of server room or IT workspace equipment that is no longer necessary. See ISO/IEC 9770 Information Technology Asset Management for more information.
- Establish Security in Your New Space Prior to Moving In, Physically and Digitally: Have you implemented administrative, technical, and physical controls for the new site, wiring closet, server room, and media? Make sure that server room door locks are attached and functioning with proper staff authorization for access, alarm systems are fully activated, and cameras are installed and working properly. You may need to review the property perimeter, parking, facility entrances/exits, and any requirements for a server room or data center such as temperature and humidity.
- Conduct Due Diligence on Your Moving Company: Vet any external moving companies or contractors that will assist with moving IT equipment and sensitive information to/from your old/new office space. What process will they use to ensure seamless pickup, delivery, and receipt of the items they are responsible for moving? Consider assigning trusted, internal staff members to oversee these activities.
- Secure Internet of Things (IoT) Devices in Your New Space: Sequester IoT devices on a separate network so that they do not have access to other sensitive devices or servers on your internal network. This may include TVs, refrigerators, HVAC systems, cameras, door lock systems, and more. Refrain from placing IoT devices on the open Internet; instead, put them behind a firewall so that they are not directly accessible externally. Change default IoT device or system credentials before connecting them to the Internet. Keep your devices updated with the current firmware release, either by enabling auto-update or by periodically checking the manufacturer’s website for firmware updates.
- Determine What Business Continuity/Disaster Recovery (BC/DR) Will Look Like in Your New Space: If your organization currently has a BC/DR plan, will it still apply to your newly designed space or office building? What timeline have you considered for running BC/DR testing after your move? How does your move affect your organization’s Disaster Recovery Plan? Your Business Continuity Plan should include the people, processes, and infrastructure supporting your organization. It should also include strategies, processes, and procedures for sustaining your critical pace of business operations in the event of a disaster.
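The media-handling and pickup/delivery/receipt checks from the list above can be run as a reconciliation of the pre-move asset manifest against custody events logged during the move. This is an added example, not part of the original article; the asset tags, handler names, classification labels, and authorization policy are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: asset tags, staff names and classifications are hypothetical.
MANIFEST = {
    "TAPE-0041": "restricted",    # backup tape
    "HDD-0107": "restricted",     # external hard drive
    "BOX-0012": "internal",       # hard copy forms
    "SRV-0003": "confidential",   # server
}
# Who may handle media at each sensitivity level (assumed policy).
AUTHORIZED = {
    "restricted": {"a.ortiz"},
    "confidential": {"a.ortiz", "j.lee"},
    "internal": {"a.ortiz", "j.lee", "mover-17"},
}
# Custody events logged during the move: (asset_tag, step, handler).
EVENTS = [
    ("TAPE-0041", "pickup", "a.ortiz"), ("TAPE-0041", "delivery", "a.ortiz"),
    ("TAPE-0041", "receipt", "a.ortiz"),
    ("HDD-0107", "pickup", "a.ortiz"), ("HDD-0107", "delivery", "mover-17"),
    ("HDD-0107", "receipt", "a.ortiz"),
    ("BOX-0012", "pickup", "mover-17"), ("BOX-0012", "delivery", "mover-17"),
    ("SRV-0003", "pickup", "j.lee"), ("SRV-0003", "receipt", "j.lee"),
    ("USB-9999", "receipt", "j.lee"),
]
STEPS = ("pickup", "delivery", "receipt")


def reconcile(manifest, authorized, events):
    """Return sorted (asset_tag, finding) pairs for custody gaps and violations."""
    findings = set()
    seen = defaultdict(list)
    for tag, step, handler in events:
        if tag not in manifest:
            # Item arrived that was never inventoried before the move.
            findings.add((tag, "not on pre-move manifest"))
            continue
        seen[tag].append(step)
        if handler not in authorized[manifest[tag]]:
            findings.add((tag, f"{step} by unauthorized handler {handler}"))
    for tag in manifest:
        for step in STEPS:
            if step not in seen[tag]:
                findings.add((tag, f"missing {step}"))
    return sorted(findings)


if __name__ == "__main__":
    for tag, finding in reconcile(MANIFEST, AUTHORIZED, EVENTS):
        print(f"{tag}: {finding}")
```

Any finding for restricted or confidential media is worth resolving before the old site is released, while the chain of custody can still be traced.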
These are only a few examples of how you can improve your organization’s cybersecurity posture during an office move. Developing or reevaluating your security and risk management approaches during an office transition is critical.
Connect with GPSG’s Cybersecurity experts at cyberteam@gpsg.co. We look forward to helping protect your organization’s intellectual property and data and securing your remote workforce with our cyber engineering solutions, or our ISO 27001/2 compliance preparation services.
