With so many remote workers, cybersecurity is more critical than ever
Among the many secondary impacts of the global pandemic has been a surge in cybersecurity threats targeting both the fears of individuals and the new networking dynamics of a suddenly enlarged remote workforce.
Criminals have seized upon this disruption to steal money or personal information by generating COVID-19-related scams via email, text and phone calls, with an increase in attempts to lure people into visiting malicious sites, clicking on malicious links or providing personal information over the phone.
Because many employees have been transitioned to a remote workforce, IT teams can only do so much to combat these threats. Even prior to COVID-19, they struggled with a shortage of cybersecurity talent and resources, and in many organizations, there was already the growing worry that in the ongoing cybersecurity arms race, the bad guys were winning.
With the pandemic, armies of workers have now set up shop in their living rooms — many for the first time — so demand on IT systems has surged even further, making the task of beating the cybercriminals that much more difficult. Now, more than ever, IT teams need the support of everyone in the organization in following all proper procedures and making sure not to unintentionally open up new security gaps.
Creating a “culture of security” involves helping employees understand how security affects them and their jobs, and accepting their role as the front line of security.
With a captive audience engaged in an unprecedented level of transition and disruption, now is the best time possible to begin training employees across lines of business in good “cyber-hygiene” practices. Security is a team effort, and employees need to understand the part they have to play, how they can take on that role — and take it seriously.
For employers looking to get started, it is important to prioritize what to communicate to the workforce. Under the pandemic, people are being overwhelmed with information. Plus, they’ve had to adjust to new working arrangements, their children are out of school and they may have family members to care for or worry about.
The last thing they need is communication that is complicated or seemingly unnecessary. At best, many may see security policies as a nuisance; at worst, they may avoid them. Employers don’t want to make that situation worse.
So, step one is to keep it simple. Forget the hackers regularly seen in movies or on TV. By far, the biggest security threat to any organization is email. Cybercriminals don’t need sophisticated tools when they have the human psyche to prey upon, which is why the most effective attackers design emails or texts that lead large numbers of people to click on a link or share sensitive information.
With that in mind, employers should upgrade their secure email gateway to ensure that it is highly effective at eliminating spam and phishing and automatically defusing malicious attachments.
The next step is to communicate two important issues to the workforce: how to spot a fake email or text and what to do if they receive one. Employers also want to provide any updates if a particular threat has appeared or is at high risk of doing so.
Also, use simple language and provide examples. IT teams may not necessarily have the skills to effectively craft employee communications, so HR and marketing teams can come together to design something that will resonate.
Besides email, it’s important to dust off baseline rules and policies related to cybersecurity, reinforcing with employees how critical it is to follow existing policies and procedures. This includes reminding them that measures such as virtual private networks (VPNs) for accessing company networks and multifactor authentication (a standard password combined with a second, one-time factor such as a code from an app or token) are crucial to keeping the company safe and protecting their electronic devices.
Password policies, the use of personal devices for work purposes and access to social media sites are also worth reinforcing. Consider sending reminders from senior leaders to reinforce that cyber-hygiene is more than just an IT concern — it’s critical to the successful operation of the business and an expected part of everyone’s job description.
And, as much as possible, reduce the opportunity for employees to circumvent these requirements by simply building them into the system.
Don’t just train, engage
Few organizations likely have the appetite or resources to launch formal training programs at this time. The good news is they don’t have to. While many companies that specialize in cybersecurity offer easy-to-access online training resources that can be easily leveraged, now might be an ideal time to get creative.
There are many forms of less traditional training methods that have proven to be very effective, and they can address challenges CISOs are facing in building a truly cyber-aware workforce:
Just-in-time job aids: Instead of a manual or a link to a long document on a shared drive, bring together IT, HR and other internal marketing or communications resources to develop a one-page snapshot that covers everything. This should be content that employees can easily print and post near their workspace or consult later. Capture everything in a Top 5 list or a graphical layout that makes it easy to consume and understand.
Bite-sized learning: Avoid the “one big communication” approach altogether and consider breaking out learning into an always-on approach that doesn’t risk overwhelming. Microlearning content can be delivered in a variety of ways, ranging from a modern learning management system (LMS) that pushes microlearning content to users to less formal means such as quizzes or a list of true/false questions. With the landscape changing so often, microlearning is easy to put together and more likely to be read, increasing the odds of retention and compliance.
Gamification and competitions: A lot of teams are seeking ways to get together virtually, so introduce ways to rally ’round workplace culture. In this context, gamification may make sense. By engaging learners through fun activities that may even extend to team-based or friendly, competitive scenarios, training can be accomplished in a way that’s enjoyable and without people feeling like they are even being trained. One idea — work with the IT team to send out simulated phishing emails and award points to employees who avoid them or who can identify all the characteristics that mark them as dangerous.
Since March, we have all had to learn how to adjust our lifestyles and implement social distancing to minimize the risk to our health and safety and ensure we don’t put needless pressure on the health-care system. On that note, now is the time to help people understand the importance of cyber-distancing themselves from potential attackers.
By taking advantage of quick, easy and engaging educational initiatives, we can go a long way toward helping IT teams manage this unprecedented challenge and ensuring we don’t open the door to those who want to interfere with normal business operations.
Derek Manky is the Burnaby, B.C.-based chief of security insights and global threat alliances for FortiGuard Labs at Fortinet. For more information, visit www.fortinet.com.
In-house training is the most popular type of cybersecurity training in Canada
In-house training material that’s promoted internally
Lunch-and-learn sessions or workshops
Standalone, computer-based training
Third-party seminar-style training programs
Standalone phishing simulations
Integrated training, phishing and reporting platform
Source: Canadian Internet Registration Authority