Working remotely is changing. Our approach to cyber security needs to change too.
Remote working is here to stay. Even when we reach the day where workplaces open their doors again, things won’t be as they were.
CybSafe has joined a growing list of organizations operating a ‘work from anywhere’ policy. Whilst this flexibility has many benefits, there is one concern that remains. Remote workers are more likely to be victims of cyber attack.
What can we do to help each-other stay safe whilst working from home? Here are three approaches that can help.
1. People: The first line of defence
Human behavior remains one of the greatest cyber security risks. This was the case before the pandemic, and the rise of remote working has only amplified the threat.
We’ve all experienced it before. It might be a phishing attack, an email from a supposed colleague that appears genuine. It might be using the ‘child’s name 1’ when you’re stuck for ideas. We’re all capable of actions that increase our exposure to cyber risk. It’s natural.
Attackers play on our innate curiosity, our tendency to rush when stressed. To combat this, we need to empower ourselves and our peers, and help them become the first line of defence against security risks and cyber threats.
Improve situational support
Let’s start from the bottom.
To improve remote workers’ security, we need to improve their “situational support”. Translated, we need to make sure remote workers feel their environment aids security.
Because let’s say we tell remote employees unsecured public Wi-Fi is dangerous.
We tell them it lets people snoop. It can even reveal their passwords and sensitive information.
Suddenly, people lean in. They’re curious. Maybe even scared. They want to know how they can stay safe and not to fall prey to data breach.
So we tell them to use a virtual private network (VPN) multi factor authentication.
But they don’t have remote access to a VPN.
That’s when they disregard everything they’ve just learned.
That’s pretty much what happens when people feel their environment is working against them. It prevents learning. So security pros need to make sure remote workers have access to the resources they need.
That starts with a review of the current state of play. Review what people have. Review how accessible resources are. And ensure people know how to get to them.
This ties in with communication. Often, resource and communication policies are designed for office-based workers only. They need to work for remote workers too. Remote workers need access to processes that enable security. The processes should be easy to access with little friction. (In a CybSafe survey, 37% of people believed they had no working from home security policy pre-COVID-19.)
Resources and communications give remote workers a foundation. And that lets them build their security skills.
Give verbal feedback
With step one done, get remote workers some verbal security feedback.
Clearly, this is tricky. You don’t sit with remote workers at lunch. They get no praise for doing the right things. Often, nothing much seems to happen when they do the wrong things.
So you can see why they might be tempted to take shortcuts.
We can encourage them not to with verbal feedback.
Feedback should, of course, meet certain standards. It should come from a credible source. It should cover not just outcomes, but the behaviors that led to outcomes.
Feedback should never dent people’s confidence. Instead, it should build it. So grade feedback based on capabilities.
Praise small successes. Success is addictive. We like to repeat our success-inducing behaviors.
By definition, remote workers work elsewhere.
So how can we help them gain “vicarious experience”?
For a start, let’s simplify the question.
How can we help remote workers see a security risk?
Rephrased, the task seems much more achievable. Case studies, for example, would help. As would line management discussing security.
Colleagues can share phishing emails.
And it’s surprising how few companies promote success stories.
We need to help remote workers “see” what others are up to.
It’s not easy. But it’s also far from impossible.
2. New workplace, new methods
Change to information security was coming even before COVID-19. The old methods of security awareness training are outdated and ineffective. E-learning rarely goes beyond a box-ticking exercise and fails to engage people in a meaningful way.
The move to remote working has accelerated this much needed change. We are now working in a borderless world in every sense. It’s estimated that by 2025 70% of the workforce will be remote. The changes we experienced in 2020 are here to stay.
What we’re seeing is not just a simple increase in remote working. It is the workplace becoming borderless. The line between the personal and the professional has merged.
This new state requires a new approach. Enter, “Borderless Security Awareness”.
Borderless Security Awareness is a fresh approach to cyber security. It’s a revolution, not an evolution. A new mindset fit for a remote world. As with much of our lives, on-demand has become an expectation, and this should be the case for cyber security. By adopting this approach and raising awareness in new ways, we can meet the challenges of working in a remote world.
3. The right tools for the task
We need to support people on their terms. We need to foster a culture where advice is available at the right time, in the right place. It’s inevitable people will sometimes join an unsecure Wi-Fi network, or click on a suspicious email. We need to encourage a culture where they feel there is always help. This not only deals with issues at source, but helps build a mindset that makes cyber security awareness more natural.
We have some tools at CybSafe to help manage this transition. Our Assist tool provides on-demand advice for whenever an issue arises. There is also Protect, a digital ‘checklist’ that helps set personalised security goals and gives nudges to help them be achieved.
Remote working is here to stay. These tools not only reduce risk, but empower people to become our first line of defence against cybercriminals and cyber threats. The way we work is changing, and our approach to cyber security needs to change with it.
See people as a solution
Securing remote workers is a challenge. Still, it’s worth putting the challenge into perspective.
Remote users overwhelmingly want to follow data security policies. They’re not a liability. They want to help.
So how hard can it really be?
Helping remote workers stay safe requires some thought and creativity. But it can be done.