2020 has seen a massive shift towards home working. By and large, businesses seem to have coped with the logistical, health and safety, and security consequences of that shift; and people seem to have adapted pretty well to remote working arrangements and processes. Job done?
Certainly, from a security perspective, there’s more to it than that. It is not just that the threats have changed. More fundamentally, the context within which most work takes place has changed. And if you understand that all behaviour is driven by context, then that means approaches to help our people remain secure must adapt.
Changing threats
As the world went into lock-down, and companies suddenly had to ask staff to work from home, organisational risk profiles changed significantly. Clearly staff had worked from home before, but not in such numbers. And staff in roles and departments where remote working was not commonplace suddenly found themselves at home.
New tools, such as Teams and Zoom, became the norm. The use of social tools for work became even more of a temptation. The security of home WiFi became pertinent, as did policies on printing and document sharing. Some companies had to ask staff to use their own IT for business purposes. New risks became relevant – family members sharing devices; being overheard through an open window or whilst working in outside spaces.
Annual e-Learning was not well placed to keep up. Nor was it an appropriate mechanism given the increasing competition for people’s attention. Staff were busy adapting to new tools and ways of working, juggling home and work responsibilities…all while attending constant Zoom calls, and keeping half-an-eye on the latest news.
Changing context
And then there’s the double whammy of changing context. All behaviours are influenced by context, and security awareness practitioners have often used this to their advantage – with posters, video screens, even mouse mats, to help prompt staff into secure decision making and embed the importance of a strong security culture.
But context impacts people in other ways. Stand up from your desk in an open-plan office – seeing a busy room you might remember to lock your screen; get a suspicious email – lean over and ask a colleague for a second opinion; a phone call starts to become confidential – glancing at a colleague makes you think to find a break-out room. Even the office environment, with its corporate feel, influences professionalism in the way staff act.
Those cues have all gone.
Adapting Security Awareness
So, what does this mean for Security Awareness? We believe that these two threads (changing threats and changing context) will demand the following response:
- Security Awareness must find new ways to keep up. Gone are the days when an annual awareness course will cut it. Instead, Security Awareness is increasingly about drip-feeding short snippets of information directly to users, with a content creation cycle of hours or days rather than weeks or months. Adapt quickly, minimise impact on staff, win the competition for attention, yet still pass on those key pieces of actionable advice.
- Security Awareness must find new ways to be part of the context. Physical cues have gone, so we need to create virtual cues towards secure behaviour – embedding security in people’s day-to-day use of IT. For maximum impact, these interventions should be Easy, Attractive, Social and Timely. Ideally, they are delivered at the point of risk – going far beyond simply reminding people of the professional context. By providing the right guidance at the right time we can change the context to drive secure behaviours.
It is clear that many current Security Awareness approaches aren’t well suited to this new and changing environment. Far from providing a way to rapidly communicate ways do things differently, their tendency to offer ‘once-a-year’ rhythm or to require long periods of engagement means that they are simply not up to the significant changes in work patterns that we have seen, and will continue to see. We haven’t settled on a “New Normal” [sic], work context will continue to change for the foreseeable future as we move in and out of lock-downs. It’s time for security awareness to adapt.
