by ThinkCyber | Oct 22, 2020
2020 has seen a massive shift towards home working. By and large, businesses seem to have coped with the logistical, health and safety, and security consequences of that shift; and people seem to have adapted pretty well to remote working arrangements and processes. Job done?
Certainly, from a security perspective, there’s more to it than that. It is not just that the threats have changed. More fundamentally, the context within which most work takes place has changed. And if you understand that all behaviour is driven by context, then that means approaches to help our people remain secure must adapt.
As the world went into lock-down, and companies suddenly had to ask staff to work from home, organisational risk profiles changed significantly. Clearly staff had worked from home before, but not in such numbers. And staff in roles and departments where remote working was not commonplace suddenly found themselves at home.
New tools, such as Teams and Zoom, became the norm. The use of social tools for work became even more of a temptation. The security of home WiFi became pertinent, as did policies on printing and document sharing. Some companies had to ask staff to use their own IT for business purposes. New risks became relevant – family members sharing devices; being overheard through an open window or whilst working in outside spaces.
Annual e-Learning was not well placed to keep up. Nor was it an appropriate mechanism given the increasing competition for people’s attention. Staff were busy adapting to new tools and ways of working, juggling home and work responsibilities…all while attending constant Zoom calls, and keeping half-an-eye on the latest news.
And then there’s the double whammy of changing context. All behaviours are influenced by context, and security awareness practitioners have often used this to their advantage – with posters, video screens, even mouse mats, to help prompt staff into secure decision making and embed the importance of a strong security culture.
But context impacts people in other ways. Stand up from your desk in an open-plan office – seeing a busy room you might remember to lock your screen; get a suspicious email – lean over and ask a colleague for a second opinion; a phone call starts to become confidential – glancing at a colleague makes you think to find a break-out room. Even the office environment, with its corporate feel, influences professionalism in the way staff act.
Those cues have all gone.
So, what does this mean for Security Awareness? We believe that these two threads (changing threats and changing context) will demand the following response:
It is clear that many current Security Awareness approaches aren’t well suited to this new and changing environment. Far from providing a way to rapidly communicate ways to do things differently, their tendency to offer a ‘once-a-year’ rhythm or to require long periods of engagement means that they are simply not up to the significant changes in work patterns that we have seen, and will continue to see. We haven’t settled on a “New Normal” [sic]; work context will continue to change for the foreseeable future as we move in and out of lock-downs. It’s time for security awareness to adapt.