The recent shift to a completely remote workforce has many security training and awareness professionals at the drawing board. If your company already widely supports a mobile workforce, the shift may be relatively painless. Nonetheless, even well-prepared businesses should reinforce important cybersecurity principles.
History shows that hackers often take advantage of local, national, and global events, including natural disasters, emergencies, and pandemics, that distract employees and/or create system vulnerabilities. The sad truth is that hackers never practice “cyber distancing” and distracted people make great victims.
Arguably, the number one challenge facing every organization right now is how to give employees a crash course in cyber secure teleworking. Much has been published on this topic, and SANS has released a Security Awareness Work-from-Home Deployment Toolkit to help organizations rapidly address this need. The toolkit includes excellent tips on engaging internal security teams and educating users on identifying social engineering, creating strong passwords, and keeping systems and devices updated. However, that is really only the tip of the iceberg for this ongoing crisis. Here are some additional challenges currently facing every organization's training and awareness team:
Adjust Your Phishing Programs, if Needed
In light of the current situation, do you continue with normal phishing programs or do you alter or halt them entirely? On the one hand, hackers are doubling down on their attacks, so extra practice and training could be beneficial. On the other hand, your current environment may pose some complications. Some questions to ask include:
- Can your IT helpdesk handle the workload?
In many cases, helpdesks are working remotely for the first time, and handling a lot more calls from employees struggling with VPN connections, file access, and a myriad of other remote worker issues. Some helpdesks, overwhelmed by the onslaught of user tickets, are crying “Stop!”
- How will phishing simulations interact with your VPN and newly remote workforce?
Due to the architecture and security tools deployed in your environment, you may see more false positives, link auto detonation, and blocked emails in your phishing simulations. Additionally, your phish reporting methods may not work as designed or intended. These factors can cause skewed results that misinform your training plans.
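One concrete way to keep auto-detonated links from inflating your click numbers is to separate automated link opens from human clicks before computing the campaign's results. The script below is an added example, not part of the SANS post or toolkit; the click-log format, the five-second "too fast to be a person" threshold, and the scanner user-agent tokens are all assumptions chosen for illustration. It treats a click as automated when it arrives within seconds of delivery or carries a user agent that matches an assumed scanner pattern, and reports both the raw and the adjusted click rate.

```python
"""Separate automated link "detonation" from human clicks in phishing-simulation
click logs, so the reported click rate reflects people rather than mail scanners.

Added example; not code from the SANS post. The log layout, the delay threshold
and the scanner user-agent tokens are assumptions for illustration only.
"""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Constructed sample recipients and click log (not real data). Each click is on a
# per-user tracking link; "delivered" is when the simulated phish was sent.
RECIPIENTS = ["alice", "bob", "carol", "dave", "erin"]
SAMPLE_CLICKS: List[Dict[str, str]] = [
    # alice: an automated open one second after delivery, then a real click later
    {"user": "alice", "delivered": "2020-04-01T09:00:00",
     "clicked": "2020-04-01T09:00:01", "ua": "LinkScanner/1.0 (assumed scanner)"},
    {"user": "alice", "delivered": "2020-04-01T09:00:00",
     "clicked": "2020-04-01T09:12:30", "ua": "Mozilla/5.0 (Windows NT 10.0)"},
    # bob: only an automated open (browser-looking UA, but two seconds after delivery)
    {"user": "bob", "delivered": "2020-04-01T09:00:00",
     "clicked": "2020-04-01T09:00:02", "ua": "Mozilla/5.0 (Windows NT 10.0)"},
    # carol: a genuine click 45 minutes later
    {"user": "carol", "delivered": "2020-04-01T09:00:00",
     "clicked": "2020-04-01T09:45:10", "ua": "Mozilla/5.0 (Macintosh)"},
    # dave and erin: no clicks at all
]

# Assumed substrings that identify automated link scanners in the user agent.
SCANNER_UA_TOKENS = ("scanner", "bot", "urlcheck")

# Assumed: no human reads a mail and clicks within five seconds of delivery.
MIN_HUMAN_DELAY = timedelta(seconds=5)


def classify_click(click: Dict[str, str],
                   min_human_delay: timedelta = MIN_HUMAN_DELAY) -> str:
    """Return "automated" or "human" for one click record.

    Timing is checked first because mail security tools often open links with a
    browser-like user agent; the user-agent check catches the ones that do not.
    Source IP is deliberately not used: with a remote workforce on VPN, every
    user's click can appear to come from the same concentrator egress address.
    """
    delay = (datetime.fromisoformat(click["clicked"])
             - datetime.fromisoformat(click["delivered"]))
    if delay < min_human_delay:
        return "automated"
    ua = click["ua"].lower()
    if any(token in ua for token in SCANNER_UA_TOKENS):
        return "automated"
    return "human"


def summarize(recipients: Iterable[str],
              clicks: Iterable[Dict[str, str]]) -> Dict[str, float]:
    """Compute raw vs. adjusted click rates over a campaign.

    raw_click_rate counts any click (what a naive report would show);
    adjusted_click_rate counts only users with at least one human click.
    """
    recipients = list(recipients)
    clicked_any = set()
    clicked_human = set()
    automated = 0
    for click in clicks:
        clicked_any.add(click["user"])
        if classify_click(click) == "human":
            clicked_human.add(click["user"])
        else:
            automated += 1
    total = len(recipients)
    return {
        "recipients": total,
        "automated_clicks": automated,
        "raw_click_rate": len(clicked_any) / total,
        "adjusted_click_rate": len(clicked_human) / total,
    }


if __name__ == "__main__":
    for row in SAMPLE_CLICKS:
        print(f'{row["user"]:6} {row["clicked"]} -> {classify_click(row)}')
    print(summarize(RECIPIENTS, SAMPLE_CLICKS))
```

On the constructed log the naive report says three of five users clicked (60%), while only two clicked as people (40%); the other two events were automated opens. Before acting on numbers from a VPN-heavy environment, run this kind of filter against your own platform's export and compare the two rates; a large gap is the skew the paragraph above warns about.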
- How will your organization react to your program’s “business as usual” demeanor during this stressful time?
Good communication and strong internal relationships are important components of a successful security awareness program. When business units are stressed, these relationships can be strained by otherwise routine training campaigns. You must consider how continuing your phishing program will impact the Security Awareness Team’s overall reputation and the relationships built with your user community. Can you articulate the value of continuing your regular phishing program in the current climate? Will the training benefit your organization enough to offset any real or perceived disruptions to the users?
Avoid Fear, Uncertainty, and Doubt During Uncertain Times
Awareness professionals have known for years that too much fear, uncertainty, and doubt (FUD) can cause people to turn off and tune out. So, stick to the facts surrounding the current reality and don’t overhype possible risk vectors. While it is important to send your remote workforce information about cyber risks, make sure you don’t sensationalize the threat. Mitigate FUD with concrete things people can do to help themselves and the organization. Give them action items to address risks. Suggest ways they can alter things they can control, such as tips for good cyber hygiene (see below). This is always a good practice in security awareness, but it is especially crucial now.
Prevent Message Confusion and Overload
Now is the time to coordinate with any team likely to communicate information related to cybersecurity, security awareness, or working from home. Work with these teams to ensure messaging aligns, is accurate, and works in concert. Your user community needs clear, concise, and timely information, not additional confusion or an overwhelming barrage of the same information.
Ensure Everyone Knows How to Handle Data
With your workforce now conducting business outside the office and off the network, correctly handling sensitive data and protecting data privacy becomes simultaneously more important and more difficult. Now is the time to ensure employees know how to manage sensitive and private data in accordance with the organization’s policies and procedures. Make sure they know whether or not they can store data on removable devices. Additionally, what cloud storage sites are approved? Are there any restrictions on the types of data that can be stored in the cloud? What information can be emailed from outside the network? If your organization does not have answers to these questions, leadership should be alerted so they can quickly address them.
This Shift May Have Long-Lasting Benefits
Amid all the global chaos, there is, perhaps, a silver lining when it comes to our programs. We can finally talk about cybersecurity at home!
Many organizations have historically balked at providing tips or suggestions to employees for keeping personal devices secure. If your organization has been reluctant, current events may make them rethink those reservations. Below are a few simple tips on how to keep devices “clean” and “virus-free” to share with your organization, sort of like handwashing for electronics.
How to practice good cyber hygiene at home:
- Keep your devices (computer, laptop, tablet, mobile phone, etc.) updated. This includes the operating system and all applications installed on the device. Many updates address bugs and vulnerabilities hackers take advantage of.
- Make sure your antivirus software is installed properly and up-to-date. Antivirus software is now available for most mobile devices, including phones and tablets.
- Check your home network security settings. Your internet provider should have resources to help. At the very least, make sure your network requires a password to connect (we suggest at least 12 characters), and ensure that password is not the default password set at the factory or when your router was installed. Many of these default passwords are publicly available and well-known by hackers. If your wireless router is old, it may be using WEP encryption, which can be easily broken and should not be relied upon. If your router is not able to use more secure wireless protocols, such as WPA or WPA-2, you might consider replacing it.
- Be careful about mixing business and leisure. Avoid visiting risky websites on any device you use to access your company’s systems or data.
- Back up, back up, back up. Always back up your work to an approved location per your company’s data handling policies and procedures.