How one expert battles digital threats with workplace technology
The security of our customer’s workplaces, employees, and their visitors is Envoy’s number one priority. Through the lens of the IT, facilities, and security experts doing this work, our new blog series, Safe Spaces, Secure Places, explores the many ways today’s workplaces protect their data, people, and physical spaces.
The third blog in our Safe Spaces, Secure Places series features a Q&A with Erin Merchant, Workplace Technology Success Manager at Envoy. We focus on digital threats to the modern workplace and how to create a successful, secure work environment.
Erin never envisioned herself in IT. In fact, she studied Japanese, public health, infectious diseases, and emergency medical care. What eventually lured her into the world of workplace technology? She supposes it’s her interest in ‘really weird, squirrelly, out of control things.’
While she may be interested in tough-to-tackle problems, she clearly has things under control at Envoy. Every day, Erin is tasked with troubleshooting staff issues, onboarding new hires, protecting Envoy’s networks, maintaining compliance, enforcing security policies, and making sure everyone has the tech and tools they need to be productive and protected.
Read on to learn about Erin’s unique approach to workplace technology, the threats that keep her up at night, and the hill she will die on.
Prioritize both physical and digital workplace security
What are some of the biggest challenges Envoy’s Workplace Tech team faces when it comes to maintaining security?
EM: There are two aspects to this. There is the engineering side of it; the real nitty-gritty security and compliance aspect, which includes how we enforce policies. This applies to our physical space and physical data. We need to make sure that information on a piece of hardware is always going to be secure in the hands of an Envoy.
But there is also the digital aspect, which is the other half of the engineering part of our work. How do we set up systems in a way that they’re still accessible? And, are these solutions going to be viable? We need to retain a certain amount of privacy and keep security top of mind.
I’m deeply concerned about the experience people who work at Envoy have when it comes to their tech. The internal user experience is my top priority.
The challenge involves questions like, how do I keep the experience of using your machine (and the services on it) as open as possible, without compromising your ability to do work? While also making sure I don’t stay up at night worrying about where your data might be stored, where it could end up, or where there might be holes in our pipeline that might compromise your data?
I work hard to make sure everybody has the ability to use the tools they want, on the device they requested, without having to say, ‘Okay, you have this machine, and now I’ve removed your complete autonomy from the use of this device.’
Avoid the dangers of phishing and Wi-Fi network access
What are the biggest cybersecurity threats to the modern workplace?
EM: Phishing is a real thing and it’s shockingly easy to do. Because we work in really fast-paced environments, I think it’s very easy for people to assume trust of others on the internet. It can create a real access portal to an environment that you assume is 100% secure. It’s terrifying because, when done well, access can be granted to your passwords and potentially your two-factor authentication, which has been commercially sold as this indestructible resource for both individual consumers, as well as a stop-gap for large enterprise organizations. On top of that, if you add in portals like Okta and OneLogin, who consolidate your private information, it’s incredibly dangerous if someone gets a hold of that.
I also want to talk about Wi-Fi and accessibility, which we don’t think about on a daily basis. General access is a hot topic right now. Think about walking into a new environment with a distributed workforce or co-working space. What’s the first thing you need? You need a Wi-Fi password. A lot of places just wash their hands of it and say, ‘Screw it! Let’s just give everybody one centrally available password.’ Then, all of a sudden, you’re opening yourself up to a cascade of things that can happen like man-in-the-middle attacks, phishing, data scrubbing from devices, and more. Are you scared yet?
You may be wondering how secure Wi-Fi is possible in a high traffic workplace. It’s something I feel we’ve done a really good job integrating into our office. While we can’t protect for everything, we have reduced the number of variables that could leave our network exposed. We provide guests with a singular unique password that gets you connected in a secure way, with an expiration date, which means this is the only time you will be able to access our network, and you can’t pass that on to someone else.
By doing this, we create a digital footprint that (somewhat) mirrors their physical footprint in our office, showing when and where they were active. It’s a great tool to find trends around our busiest times, but also to track down and protect against potential threats.
Create an open dialogue around workplace security education
What are some common characteristics you notice from companies who have successful security programs in place?
EM: Openness is a really successful path to effective security. Some physical institutions don’t have that flexibility. But, I like to give people an experience that doesn’t feel restricted. I want people to feel a sense of ownership around their security. This involves education and transparency—a consistent dialogue about what our policies are and why they’re in place.
I always share best practices and I don’t reprimand people for fudge-ups when it comes to security. If people feel comfortable coming to me right when a problem arises, I’ll have less I need to do, because we’ve had an open conversation. I want to set expectations for security. I want our policies to be proactive, not reactionary, and this involves educational discussions. Good companies start these discussions early and make it a central part of their onboarding and regular health checks.
I want our policies to be proactive, not reactionary, and this involves educational discussions. Good companies start these discussions early and make it a central part of their onboarding and regular health checks.
What tech have you put in place at Envoy that you think companies should consider when trying to protect their data, networks, information, and intellectual property?
EM: I may sound like a broken record, but just like people say ‘location, location, location,’ I want to say ‘education, education, education.’ It’s so key. You want to deploy tools that are going to help people enforce that security education and feel engaged in that education. The hill I will die on? The product 1Password (or a similar password manager). Get a password manager in your life! It’s the smartest thing you can use to protect your existence online.
Password managers do require a bit of a mind shift and change how you interact with your devices, so you need to prepare people for that. Let them know what that looks like and be friendly about it! I want people to walk away from our conversations about security feeling cared for and engaged. Workplace security not only affects their business life, but it also affects their personal life. I want them to know I care about them and I want them to be safe and secure in everything they do.
How do you integrate new workplace tech and security processes in the workplace?
EM: I tell them to deal with it. No, I’m kidding. There is a fine line of push and pull. Change is inevitable and it’s happening at a rapid rate—much faster than we are comfortable with. I come from a position of wanting people to understand that these changes are necessary, explain how they are going to happen, and justify the switch. It’s my job to relay the benefit and do everything I can to assist in the transition.
It’s important to avoid using fear as a mechanism for change. That’s usually the most visible reason for a switch, but it doesn’t help to create a culture that perpetuates good security habits. If possible, try to make it a fun experience. Funny music videos and tasty pastries always help.
Prepare for a future where you are the key to your technology
What predictions do you have for the future of workplace security?
We talk a lot about the scope of data privacy, and the ways we’ve applied our privacy today, and I believe the future of workplace security technology will depend on our uniqueness—what makes us unique individuals.
EM: Which is a funny way to approach your privacy! We all have different DNA and different fingerprints. I’m thinking about the use of face ID scanning as proof of authentication. In the future, I think we will be used as our own keys. This is an evolution I can’t wait to watch.