When Covid-19 forced many employees to begin working remotely, one of the first things chief information security officers (CISOs) thought was, “How am I going to secure this new environment?” Sure, some employees were already working from home at least part of the time, but this was a mass exodus toward a distributed environment, the likes of which most businesses hadn't experienced before. CISOs scrambled to protect a perimeter that had been expanded dramatically overnight.
Several months later, remote work continues to pose a threat to organizations. A recent survey from (ISC)² found that 23% of respondents stated cybersecurity incidents in their organizations have increased since they began working from home.
Good cybersecurity starts at home
But even though remote workers are targets, they can also form a powerful front line of protection against potential attackers. With a little bit of knowledge and some vigilance, they can create strong security postures that can protect their companies and assure customers they are working with a vendor that is well fortified.
It all starts with the three A’s: awareness, adaptability, and application.
Making users aware of the risks is key to mitigating cyberthreats. The responsibility for creating awareness begins with the CISO and their technology team. They can brainstorm ideas and communicate risks to business managers, who, in turn, should be empowered and expected to relay this information, including cybersecurity best practices, to their direct reports.
Creating awareness can stem from something as simple as developing a program that helps employees understand what they can do to protect themselves and their organizations. This should not be a one-off, one-hour training but an ongoing initiative that raises awareness about the potential risks of cyberattacks and reminds everyone to be ever vigilant about the sites and applications they use, the data they share, and how they protect their devices.
It is just as important to convey the consequences of employees not being vigilant. A hack that exposes corporate data could have a significant impact on the business, resulting in loss of revenue, trust and reputation. Employees could also be putting their personal information at risk if they do not take precautions to protect the applications and devices they are using. Managers should use real-world examples of cyberattacks to bring their messages home.
Next, managers should encourage their reports to adapt their behaviors and put their cybersecurity responsibilities into action. Behavioral changes can be easy and fast, and they include updating software on a regular cadence, using unique and well-protected passwords, avoiding easily guessed password strategies (no birthdays or sequential numbers, please), and possibly using password generators — simple everyday tactics that can have big impacts on security.
Because good cybersecurity hygiene is not a one-and-done process, managers should continue to engage with their direct reports to ensure they are maintaining a high level of security. For their part, CISOs and their teams should keep managers informed of any changes in corporate security protocols or new threats that may arise. Anything noteworthy should be immediately communicated to managers so they can relay the news to their teams.
Finally, CISOs and technology managers must monitor and measure how users are applying the best practices they have been asked to implement. For example, the technology team can monitor how many users have updated their operating systems or applications and when. They can keep track of who has participated in any corporate security awareness programs or trainings that might be offered in the company.
These operational metrics are important to measuring engagement. If numbers are low, perhaps it is time to ask managers to reassert the "awareness" and "adaptability" portions of the three A’s with their direct reports. They might also change settings on key applications to require frequent password resets. If numbers are good, managers should encourage employees to keep up the good work.
CISOs and their teams can even be creative and instill a healthy sense of competition to get people engaged. For instance, they can create teams of users and make the data points public to show which teams are doing their part. Teams that are lagging behind will likely feel compelled to accelerate their efforts to catch up. This can be a good way to get everyone involved without calling out individuals.
Once your team is on board and applying all that they have learned about their role in cybersecurity, it’s time to think about raising awareness with customers.
Good cybersecurity impacts customers
Customers want to know their vendors are taking measures to protect their data. Practicing the three A’s aligns with their interests.
It is important to communicate the steps that are being taken to ensure their information is secure. CISOs and even business unit managers should not hesitate to reach out to customers and outline the measures their companies are taking. Simultaneously, they should ask their customers to share any best practices they have been applying over the past several months because this may be a source of additional expertise.
To borrow the famous saying: Everyone is in this together. Sharing information and learning from each other can help both vendors and their customers bolster their defenses and strengthen their partnerships.