A CISO view: the security challenges of working from home

Large numbers of us have been required to get used to working from home (WFH) in 2020 and, as we approach the turn of the year, many of us are getting a little fed up with it. But, despite the promises offered by COVID-19 vaccines, WFH is here to stay well into 2021 and beyond, as organisations reconsider the costs of large office buildings, having proven their staff can work effectively from home.

We’ve blogged before about the need for Security Awareness to adapt to this very different work context. Here we talk to Robert Coles, ex-CISO of NHS, GSK, National Grid and Merrill Lynch, to hear his perspective.


Photo by Scott Webb on Unsplash

Robert, what stands out for you about how organisations need to react to these changes?

Clearly the shift to home brings with it new ways of working; new tools, such as Zoom, Google Meet, Microsoft Teams; and, in many cases, people using their own devices. There are real user-based risks here if people aren’t supported in understanding how to work securely in this context. But the problem is – people hate computer-based training (CBT)! They skim through it, clicking next, or run it in the background, and really don’t take anything in.

Isn’t it a “have to”, something organisations can mandate?

Well, they can try! But there is really no guarantee that people will take it in, especially when mandates tend to switch people off. And then there is the speed of delivery: most organisations use annual training that is slow to adapt to the new threats people need to quickly understand.

What sort of threats worry you?

Where do I start? Simple things like the increase in online meetings, where documentation that might previously have been shared face-to-face is now attached to meeting invites – so others outside the meeting may be able to view it. Also, lack of access to work resources like scanners or printers, resulting in people emailing company documents back and forth with personal email.

And use of home devices. People might share their screen whilst using a personal device and inadvertently share personal information. And staff may not actually know how secure their home devices are, or how to secure them, because they aren’t necessarily used to having to.

"It’s clear that you need to help people understand the new threats, adapt their ways of working, but securely"

Have the ways in which organisations reacted to the change also created risks?

In some cases, yes. This has driven a rapid digital transformation and some organisations just weren’t ready. They’ve had to open things up to allow business to keep on functioning, using great tools like O365, but allowing access to documents and download of those documents from anywhere – losing control of company data.

More technically, CISOs have had to accept device split-tunnelling risks, in some cases bypassing proxy servers that block and track internet usage. The risk here is that corporates are then blind to command-and-control traffic from infected machines. And web browsing may not be protected. We know that many people actually do their personal high-risk browsing from their corporate machine as they think it is better protected! So there are risks here for corporates and for staff.

What’s your advice to organisations struggling in this context?

It’s clear that you need to help people understand the new threats, adapt their ways of working, but securely. I really don’t think traditional CBT approaches to communicating and engaging staff on these topics are up to the job. They are too slow to react and too painful for staff to do!

We need short, drip-fed chunks of useful and actionable advice. Little and often. Easy to understand and action. And ideally something that is more supportive. That helps users tackle risky situations, steering them through situations. It might be a long time since they connected to public Wi-Fi when lockdown lifts again – so a nudge to be cautious on open Wi-Fi would be timely. As might guidance when they resort to using a USB stick. There are many more examples!

This really is something that the ThinkCyber approach using Redflags is ideal for.

Robert

Robert Coles, ex-CISO of NHS, GSK, National Grid and Merrill Lynch

Read more about adapting security awareness to the challenges of working from home here.
