Plugging the security gap – how to establish a security culture for home working

The big unknown in the system now is the behaviour of the individual staff member. It is time to ensure people are acting in ways that continue to keep the organisation’s information safe and secure.

When CYFIRMA’s research revealed in mid-March that there had been an increase of over 600 percent in the number of cyberthreat indicators related to the coronavirus pandemic from February to early March, it was just the start. The threat grows daily, but this will not have come as a surprise to the CISO community.

Managing cyber-risk is all part of the job for the CISO, and creating an environment that builds the right attitudes and behaviours towards security, in support of the business culture, is a standard requirement. But overnight everything changed. Like dropping a bag of marbles across a polished floor, the global workforce has scattered to people’s homes. Connected virtually, yes, but connected securely? Who knows for sure.

For every CISO the security threat has now more than doubled. External threats are off the scale, but employees within the organisation are also working in a potentially insecure environment. While the external risk from cyberattacks due to remote working presents a significant challenge, it is one that can be addressed by technology and planning, using the skills the security team were hired for.

The challenge

With dispersed, virtual working comes the challenge of re-establishing and then maintaining the culture of the workplace. While you may not expect someone working from home to wear formal dress, you would expect them to maintain the professional standards that they would have applied when they were in the office. But how do you really know if this is happening? How can you assess the attitudes and beliefs of staff towards acting in a secure manner, and protecting the information of their firm in the current circumstances? It is human nature to be more relaxed at home, and does this extend to attitudes around security?

One would assume it is very clear in the office environment that unencrypted USB drives are forbidden, passwords for client documents must be protected and laptops must be locked away overnight. But what happens in the real world? For eager employees trying to do their best in potentially new and alien circumstances, the best intentions can lead to a serious security breach. So how can you avoid this happening?

It is time to start building security culture fit for the virtual environment.

1/ Work from a position of knowledge - gather evidence from employees

Employees are used to working in offices with security measures in place; they are used to the normal encryption expectations and password usage. That has started to create a ‘security culture’, even if it has never been named as such. Now that the dust has settled and workers are establishing new working routines for an extended lockdown period (and potentially only the first of several), it is time to find out how they have translated their office behaviour to the home working environment.

Use focused surveys to understand how employees have adapted to the changed working environment and how these working practices are affecting the risk register of the organisation. Make sure questions are clear and targeted for each audience:

Survey 1 – for the CISO and security team

Have you clearly assessed how information and cybersecurity risks have changed? Is the risk register updated and validated?

Have you identified what policies need to be reviewed or invented?

Have you produced clear guidelines for how people need to act when working from home?

Survey 2 – for employees, starting with those who handle client / confidential information most frequently

Do you understand what you need to do to keep company and client information secure in your new working environment?

What changes have you made to how you would normally handle confidential information?

Do you understand the firm’s policies at this time?

What more information do you need to act in a secure manner?

2/ Establishing a new security culture – don’t let the process undermine the objective

Once security professionals have digested the information from the employee survey about how workers have adapted their working practices at home, they need to re-establish the security expectations. This starts with setting new minimum security standards as part of the core business policy for home working.

Ensure senior sponsors and stakeholders are fast-tracking the approval process, and don’t be afraid to scrap old approval practices if the process is creating a security risk in its own right. This is not the time for decision making by committee: strip back the sign-off process to get the new standards through to the front line quickly.

Communicate the new protocols – Once the new protocols are in place, work with communications colleagues to push out clear guidelines to all employees. It is essential that every worker knows what is expected of them, and why. Ensure senior executives are modelling and advocating secure ways of working – now more than ever people look to their leadership for how it is acceptable to act.

Build in virtual learning – don’t assume that every employee will be able or even willing to follow written guidelines while working in their own homes. Create employee webinars for staff to attend detailing how to carry out their roles securely in their own homes. eTraining modules on security behaviours can be very helpful when setting out a new way of working. Make attendance mandatory and enable a feedback process to ensure key messages are understood.

The new normal

Developing new and different working practices for an unknown length of time is difficult. One thing is for sure though, those companies that clamp down on lax security practices now will have a much stronger business to return to when operations restart in the ‘new normal’ of the future.

It is hard to overstate the impact home working has on the security culture of your company. In this unusual time it is highly likely that many security teams are so focused on the mounting external cyber risks that they miss the obvious risk presented by their own employees working in their own homes.

It is also crucial that security and HR teams – the traditional custodians of guidance for how people should act and work – come together to develop a secure, productive and employee-centred way of working in the new normal. Who knows, you could end up with a whole new structure for the business that works better for all employees.
