Business management

Return to the office 2021: How to stay secure when your staff return

New recruits, stayers and leavers all need special consideration when securing access to the office and a business’s systems.

Key takeaways:

  • New approaches to office work present new risks around staff and security.

  • Access to systems and potentially insecure processes need to be checked.

  • Good management of leavers, joiners and long-term staff can minimise the threats.

How your organisation manages the great office return may be uncertain. But if it is like the majority of UK businesses, it’s likely that you’re mulling a blended approach. Polling evidence suggests that policies requiring either all staff back in the office full-time, or a fully remote approach, are least popular, meaning a mix of the two is your likely setup.

But as many organisations look at the logistics of opening the office doors – and the complexities of health and safety this implies – business security might not be the highest priority. However, according to the NCC Group, a global cyber and software resilience business, managers still need to be on guard.

“With all of this time spent working remotely, it’s easy to overlook the old risks that working in an office creates,” says Tim Rawlins, Director and Senior Adviser, NCC Group. “This might be a business’s assets, its finances and intellectual property: essentially the same security problems associated with before the pandemic, only complicated by higher levels of remote management.”  

So, what do businesses need to be aware of, and how can they minimise the risks?

Leavers and stayers: two big security threats

With many staff seeking new jobs in a bid to find better flexible working schedules, increased benefits, and higher pay, managers are faced with two problems: 

  • staff leaving and taking the knowledge and experience of the organisation with them

  • remaining staff becoming disgruntled and turning into an insider threat. 

Return to the office 2021: dealing with leavers

“Businesses need to remind departing staff of their responsibilities; the non-disclosure agreement (NDA) and non-solicitation of other staff and clients’ rules they signed up to as part of their contract,” says Tim. They should be reminded that the intellectual property they created while working remains with the organisation and that they are still bound by the rule of confidentiality. They should return, not just their laptop and other IT kit, but the business-owned phones, any papers they have printed while working from home, and their building access control passes. 

In one case, NCC Group saw a firm’s former employee use a long-expired building pass as a form of identification to persuade hotels to forward bills to the local office years after they left the company.  

“At a practical level, companies can make sure they cancel passes to limit access to their buildings,” says Neil Bellamy, Head of Technology, Media, Telecoms (TMT) and Services at NatWest. “Importantly, each pass should have an expiry date published on them, so that people outside the business are less likely to be fooled.” 

With all of this time spent working remotely, it’s easy to overlook the old risks that working in an office creates

Tim Rawlins, Director and Senior Adviser, NCC Group

Return to the office 2021: managing staff who have stayed on

As for staff who stay with your organisation, good management and leadership is key to reducing the risk of the individual turning against your business. “Understanding, regular communication – and that’s two way, not just broadcast from the management – taking the pulse of the team and responding to it effectively are important to keep the positive engagement, the commitment to the organisation, and the delivery of your business services,” adds NCC Group’s Tim. 

Having investigated a lot of insider cases, NCC Group has noted a pattern in many where an employee has committed some kind of fraud. 

Tim explains: “Colleagues often say they thought something was wrong but didn’t speak up as they didn’t feel anyone would listen; they knew the individual was isolated, withdrawn, not performing – issues that could have been better addressed through better management.”

And that open culture, where people are confident they will be heard without blame if they raise concerns, is even more important given a hybrid approach to working, where managers may have less face-to-face contact with staff than before the pandemic.

Return to the office 2021: what about new staff?

“What about those you have recruited over video calls and never met in person? Bellamy adds: “They won’t have the building passes they need to get in, so you will need to ensure that whoever issues them is able to correctly identify the right person; give them the right level of access; and ensure that they are familiar with the organisation’s and building’s security rules.” 

Such rules might include escorting guests (when you allow them in), working out of hours (whatever they may be now) and your clear desk policy. Staff should also be briefed about not allowing tailgating or holding doors open for people without the correct pass; wearing their passes inside and taking them off before they go outside; and challenging others who don’t follow those rules.  

Beyond physical security, NCC Group’s Tim says that new recruits should be reminded of the information security policy as there is a good chance they will have signed something to say that they have read it – like all good T&Cs – and not actually taken it in. “So, use the opportunity of their first visit to the office to remind them of the importance you attach to doing the right thing. Protect your data, systems, clients and colleagues and enjoy that opportunity to meet people face-to-face for the first time.”

This material is published by NatWest Group plc (“NatWest Group”), for information purposes only and should not be regarded as providing any specific advice. Recipients should make their own independent evaluation of this information and no action should be taken, solely relying on it. This material should not be reproduced or disclosed without our consent. It is not intended for distribution in any jurisdiction in which this would be prohibited. Whilst this information is believed to be reliable, it has not been independently verified by NatWest Group and NatWest Group makes no representation or warranty (express or implied) of any kind, as regards the accuracy or completeness of this information, nor does it accept any responsibility or liability for any loss or damage arising in any way from any use made of or reliance placed on, this information. Unless otherwise stated, any views, forecasts, or estimates are solely those of NatWest Group, as of this date and are subject to change without notice. Copyright © NatWest Group. All rights reserved.

scroll to top