Navigating Workplace Security: Red Team Insights for the Return to Office
TL;DR: This blog reviews how Red Team insights can shed light on gaps in physical security and play a pivotal role in enhancing workplace security during the continued transition back to office environments as we relearn verification, protocol, and authorization.
The new, new normal. As organizations adjust and “return to office” policies are enforced, they create security challenges that are often ignored. We have become complacent and relaxed about physical safeguards, often cutting budget at the expense of physical data protections.
In this article, we explore how Red Team insights can shed light on gaps in physical security and play a pivotal role in enhancing workplace security during the continued transition back to office environments as we relearn verification, protocol, and authorization.
The Transition Back to Office Life
With the gradual return to office life, companies face the complex task of balancing productivity, innovation, and budgets with security. As employees reacclimate to shared workspaces and in-person collaboration, the need for robust security measures is more critical than ever. However, traditional security approaches may not fully address the unique vulnerabilities inherent in a post-pandemic workplace.
Enter Red Team assessments, a proactive approach to security testing that goes beyond conventional methods to simulate real-world threats. By leveraging the expertise of seasoned professionals, organizations can gain valuable insights into potential security gaps and vulnerabilities that may compromise their operations.
With more organizations moving data into the cloud and off premises, many underestimate the damage attackers can inflict once they gain access to a physical office space. Access is access, whether it is gained over the network or through the front door. The average employee does not consider physical security part of their job responsibilities, and will avoid an uncomfortable confrontation with someone who may or may not belong in an employee-only space. This gives a well-camouflaged attacker free rein over internal office spaces, and access to the devices and physical documents that employees feel comfortable leaving unattended in what they assume is a secure environment.
Understanding Red Team Insights
Red Team assessments offer a comprehensive evaluation of an organization's security posture, encompassing both digital and physical threats. Unlike traditional security audits, which often focus solely on technical vulnerabilities, Red Team assessments take a holistic approach, considering the full spectrum of potential risks.
In the words of the great John Hammond, the CEO of InGen and creator of Jurassic Park in Michael Crichton’s 1990 novel of the same name, “spared no expense” is the dream of any Red Team. In the ‘spared no expense’ version of an engagement, everything is in scope (physical, digital, and virtual) and the team has unlimited time to execute its attack path and reach the trophy, the goal of the operation.
Red Team assessments include testing the effectiveness of access controls, surveillance systems, and employee awareness training. By adopting the mindset of an adversary, Red Teamers uncover vulnerabilities that traditional security measures may miss.
However, the ‘spared no expense’ style of Red Team is typically reserved for real, malicious attackers who have everything to gain and not much to lose. They are also not hindered by pesky ethics, billable hours, or legally binding contractual obligations.
For offensive security testing firms, Red Teams simulate an attack as accurately as possible while operating within ethical and legal boundaries, as well as the rules of engagement and code of conduct agreed upon before the operation begins. It is like fighting with one arm tied behind your back, and it means that most Red Teamers employed by an offensive security testing company have to be even more creative, calculating, and strategic about playing the bad actor without stooping to a real attacker’s level. For example, Bishop Fox’s Red Team cannot even text a client employee’s personal cell phone, let alone entice employees with money or make idle threats.
Navigating the Return to Office
Red Team insights can provide invaluable guidance for organizations, offering a roadmap for enhancing workplace security and reassessing their pre-pandemic security controls.
One area of concern is the increased risk of social engineering attacks, as employees may be more susceptible to manipulation after prolonged periods of remote work. Red Team assessments can identify these weaknesses by masquerading as various people, both internal and external to the company, to test employee awareness and response to simulated email phishing, phone-based phishing (vishing) requests, in-person access requests, and other social engineering tactics.
Additionally, the physical security of office spaces must be reassessed. Red Team assessments can uncover weaknesses in access controls, surveillance systems, and perimeter security measures, allowing organizations to bolster their defenses accordingly.
For example, our Red Team has uncovered doors vulnerable to covert entry tools, stairwells without surveillance camera coverage, door breach sensors that did not function properly, security guards who did not follow visitor verification procedure, improper document storage and a lack of document destruction, and many other physical security gaps across client offices in many industry sectors around the globe.
Investing in Workplace Security
While the return to office presents new security challenges, it also offers an opportunity for organizations to invest in enhanced security measures. The Red Team can act as an ‘anger translator’ for the security team, uncovering and highlighting the resources, tools, and budget that the physical security team has oftentimes already identified and requested before the test. Sometimes, having an unbiased third party reinforce the need by demonstrating exploitation of these gaps drives the point home to decision makers: the organization may be just one ‘fake’ food delivery visit away from a dangerous compromise.
By leveraging the insights gained from Red Team assessments, organizations can develop a proactive security strategy that safeguards against emerging threats. Whether it's implementing multi-factor authentication, enhancing employee training programs, or upgrading physical security controls, Red Team insights can inform strategic decision-making to strengthen overall security posture.
Conclusion
As organizations navigate the return to office, prioritizing workplace security is essential to mitigate emerging threats effectively. Red Team assessments offer invaluable insights into potential vulnerabilities and provide a roadmap for enhancing security measures both digitally and physically in the post-pandemic era. By leveraging Red Team insights, organizations can develop a proactive security strategy that safeguards against evolving threats and ensures the safety of employees and sensitive data in the workplace.