What Return-to-Office (RTO) Means for Your Cybersecurity
Ordering employees back to the office isn’t just a matter of returning to some pre-pandemic normal. For security teams, RTO poses a host of challenges and shifting priorities. Here’s what to keep top-of-mind.
Lots of indicators in the past several months have pointed to a rise in return-to-office mandates this year, and President Trump’s directive to end remote-work arrangements at federal agencies is expected to fuel the trend even more – along with a possible spike in cybersecurity threats.
Business leaders pushing RTO seem mostly concerned about potential dips in employee collaboration and productivity, and of course, the costs of maintaining half-empty office spaces. Fact is, research suggests that a five-day in-office policy does little to boost employee productivity or a company’s profits or stock-market performance – and there’s definitely the risk of angering, or even losing, staffers in the transition.
That kind of uptick in employee grievance and office stress has serious implications for chief information security officers (CISOs) and others charged with monitoring “insider threats” and overall cyber safety at public and private organizations.
And it’s one reason why enterprise leaders need to keep cybersecurity top-of-mind as they weigh the pros and cons of where workers work.
Because it’s not just a matter of going back to pre-pandemic normal. RTO impacts cybersecurity in various ways. There are positives, sure, but experts foresee some significant challenges, as old security threats become new again and other unanticipated risks make things more complicated for security teams.
RTO’s positives and negatives for CISOs
First, the upside: While an RTO initiative might create some challenges, it also makes some aspects of cybersecurity smoother for CISOs, says Larry Whiteside Jr. The veteran CISO now operates Confide, a product evaluation and resale service for CISOs.
“It is far easier to secure people within your corporate walls,” he says. “You don’t know people’s home makeup and you don’t know their home network.” Who uses their work machine when they’re not around? What other insecure devices are on that network? Most home routers are “a mess,” he adds. Few people ever update the software on them – aside, perhaps, from the Chinese advanced persistent threat groups that infect them with malware.
Zero trust – the idea of distrusting everything on the network and assigning privileges based on robust authentication – was supposed to fix those problems. However, Whiteside Jr. says it’s a complex framework rather than a single product, and many companies were not ready for it.
RTO mandates bring their own challenges, though, among them the dreaded “lateral movement,” in which an attacker compromising a device can then hop to others on the company network and compromise those too.
“It wasn’t about moving from one device to another during the pandemic, when everybody was at home; it was more about privilege escalation,” Whiteside Jr. explains.
At home, a work device isn’t on the corporate network, so there’s no opportunity for attackers to hop from that infected device to machines on the office network. Instead, cyber attackers in recent years have focused on stealing employee credentials from remote devices that enable them to hijack their online work accounts in cloud software. An infected machine on a home network could yield the login credentials to an employee’s Microsoft 365 cloud-based workspace, for example, which an attacker could then access from their own computer to steal their work files. (Proper identity and access management policies and technology can help oversee user permissions and mitigate such risks.)
With lateral (or what’s called east-west) movement, an attacker can travel horizontally throughout a network, expanding their access with relative ease. While endpoint detection tools readily identify north-south traffic (say, movement in or out of a network), lateral moves can be harder to spot. Enterprises must rely on autonomous endpoint management and real-time monitoring solutions such as anomaly detection and sophisticated cybersecurity analytics, which can each register and track unusual user activity.
The biggest RTO-cybersecurity risk: When employees go rogue
Another RTO worry for CISOs: bad blood, which could jeopardize a company’s data or cyber systems.
Mark Ma, associate professor of business administration at the University of Pittsburgh, researched RTO policies and found a significant drop in employee satisfaction when companies ordered employees back to work. It translated directly to high employee turnover, especially for female employees with kids at home, and for experienced employees, a group that often values its autonomy and is highly attractive to prospective employers, Ma notes. “Many companies told me that they felt happy when Amazon [last September] announced that five-day return to office,” he says. “They view it as an opportunity to attract some quality employees from Amazon.”
Will some of those employees take company secrets with them, perhaps to sweeten the deal with a new employer? It’s a real concern, say experts.
“Insider threats, including sabotage, must be considered, as some employees may be personally impacted by the change and, in extreme cases, could act out,” warns Fritz-Jean Louis, principal cybersecurity adviser at analyst company Info-Tech Research.
Employees might be tempted to retaliate if they were subjected to draconian employer oversight while working from home. Stories abound of paranoid companies spying on remote employees, using software that monitors how regularly home workers move their mice to check whether they’re at their desks.
This culture of virtual presenteeism not only alienates employees but is a poor measure of productivity, warns Ma. “We found no significant evidence that return-to-office mandates actually improve or hurt firm performance or stock price valuation on their stock returns,” Ma says.
A way forward
The more acceptable solution is also part of what he sees as a way forward for companies that require an office presence while still fostering respectful, productive relationships with staff. “Why don’t you directly track and monitor the output?” he suggests. “How much progress the employees have made towards their target – the expected results.”
He advises a hybrid approach to leverage the benefits of in-office work while minimizing the hits to morale and other issues that can lead to significant cybersecurity threats.
For HR professionals, this serves as a win-win. “It’s an approach that prioritizes employee needs to some extent while looking at how we make that time more valuable in the office,” says Elysca Fernandes, director of HR research and advisory services at the consulting firm McLean and Company. “It all falls within this broader trend to up the amount of time folks are spending in office settings or in physical work sites outside of their home if they’re still working from home.”
Ma suggests allowing teams to decide for themselves when it makes sense to come into the office. That could involve regular times or days, or it could revolve around specific types of events such as large team meetings or customer meetings. The key to success is a transparent, robust performance monitoring system that measures real-world results such as the number of records processed, or when a report is submitted.
Done thoughtfully, RTO policies can balance company goals with employees’ needs – while prioritizing cybersecurity challenges in the decision-making process.