Cyber Security isn’t, and shouldn’t be, the sole responsibility of your IT team
2020 has seen an unprecedented rise in the rate of remote working and whilst only time will tell if this becomes the ‘new normal’, organisations have already had to take drastic steps to lock down security over these new extended remote networks.
Or they should have at least…
Many organisations are still failing in their cyber security, and time and time again cloudThing has seen that their main vulnerabilities are their remote workers and the access they need to centralised systems.
One of the key points we stress when it comes to cyber security and remote working is staff awareness… to make your organisation an unattractive target to cyber actors, everyone needs to do their part.
It’s not just the IT department that needs to worry about cyber security.
In an age of remote working, cyber security needs to be built right into your organisation’s guiding principles, with every member of staff aware of their responsibilities. They need to know, understand and be able to react to the dangers that working from home can bring to a company, from opening a strange email right through to logging on to a public wi-fi.
In the scramble to enable working from home at the start of 2020 an unprecedented number of organisations allowed staff to use their personal devices to connect to centralised work systems.
In theory there’s nothing wrong with that but, if the correct guidance isn’t followed, it can become a cyber criminal’s dream.
Your leadership team needs to work closely with IT, HR, and the wider organisation to institute secure policies for when staff are remote working that everyone understands and, more critically, follows.
Staff need to know what it means when they use a personal device, what the consequences could be and what steps your IT team will take to secure company data on it. They might need to download specific security protocols or allow IT remote access to wipe the device if it’s lost.
Cybercriminals are constantly improving their skills and finding new ways to attack your organisation, so if Frank from accounts is remote working these days, a half hour talk on cyber security when he started two years ago just isn’t going to cut it anymore.
Your IT team will be (or should be) well aware of what’s going on in the wider world and they need to work with other departments to communicate that knowledge.
For the foreseeable future the two biggest threats to remote working will be phishing scams and network penetrations.
Phishing scams are nothing new, but your staff should still be kept up to date with the latest techniques cyber scammers are employing as they get ever more sophisticated.
The bigger concern is a dispersed ‘home network’ as opposed to the traditionally centralised ‘corporate network’. That kind of setup gives hackers infinitely more entrance points to your vulnerable systems, massively increasing the risk of advanced persistent threat attacks, risking all your data.
Home routers, open management interfaces and ridiculously easy-to-crack passwords are just some of the issues your IT team needs to work hard to educate your staff on, enshrining that guidance in your governances.
As already mentioned, cybersecurity works best when all your staff are onboard. How best though, to accomplish that?
Fortunately you’ll already have two departments within your organisation whose job it is to communicate… HR and Marketing.
HR will already be set up to communicate effectively with staff, and PR is marketing’s core job… selling others on ideas. Have both departments work closely with IT on how best to communicate the concept of cybersecurity to your staff.
Don’t be afraid to pull your experts from their normal roles to help out in communicating new messages that are vital to company prosperity.
All these new security principles we’ve been discussing have to be implemented but… HR need to work with IT as it happens so as not to overburden your staff with unfamiliar concepts.
As important as these are, they need to go hand in hand with a positive staff experience.
Surprisingly, one of the biggest cybersecurity risks in this age of remote working is employee satisfaction.
Staff are worried about furlough, redundancy, job security and a whole host of other issues… all whilst coping with the mental stress of a new working environment… putting them in charge of their own cyber security with a whole host of new governances to learn could well be the straw that breaks the camel’s back.
Insider threats are a very real thing and won’t necessarily take the form of a staff member stealing your data. It could just be that, with everything else going on and a disgruntled or don’t-care attitude, they ignore new security measures from home, putting the entire organisation at risk.
That’s why IT need to work with HR on the rollout of cybersecurity controls, to make sure they’re implemented in a way that empowers rather than forces staff to adopt them.
Have a third-party test security measures before making them compulsory… just because they make sense to someone from IT doesn’t mean they’ll be easy to work with for a member of staff with a non-technical background.
Make your staff aware of why you’re doing these things. Rather than just arbitrarily imposing a new way of working on them, explain what the measures are for… you’ll be amazed how much more accepting they become.
If you want people to follow your new cyber security governances, then you need to appeal to their own self-interest.
Work-related cyber security concerns can feel distant to employees stuck at home, so you need to work extra hard to bring these very real concerns to life for them.
That’s where all the above steps come into play, with good governance, training, crafting of the message by marketing and before-and-after care from HR.