At present, humanity is going through a period of unprecedented uncertainty as coronavirus sweeps the globe – my thoughts and condolences are with all those affected by the virus.
In an effort to halt the spread of the disease, billions of people are living in relative isolation, many of them working remotely, and many for the first time. This has created a new challenge for IT teams, who are also, for the first time, having to support a huge remote workforce. The challenge is sharpest for security teams. In this time of uncertainty, maintaining an honest, open, two-way conversation with the workforce is key for security teams looking to keep their organisation safe.
Crisis brings opportunity for the bad guys
At times of crisis, attackers see opportunity, and they will ruthlessly exploit panic. The standard security response has been to roll out broad technical controls, such as Virtual Private Networks (VPNs) and Two Factor Authentication (2FA). Whilst I always welcome additional security measures, particularly in an emergency, I question the effectiveness of these tools when deployed in isolation. It isn't enough to simply deploy them and hope they reduce your risk: a VPN and 2FA protect the connection and the login, not what happens on the endpoint afterwards.
My chief concern is that even with these measures in place, the CISO and their security team still have very little idea of what their users are doing on their laptops. Are they letting their children use their machines outside of work hours? Have they downloaded unauthorised programs, such as conference calling software or education platforms, that might have been targeted by cybercriminals? In addition, these security tools can be quite intrusive, particularly for workers who aren't used to them, which leads to confusion, irritation and, often, users ignoring the new protocols altogether.
During my time as a CISO, I was regularly frustrated by workers bypassing security measures. Productivity always trumps security, and while we all have a duty to keep our company as safe as possible, I can now sympathise with users. Cybersecurity isn't in the job description of your everyday employee. For example, marketers are busy enough spreading the word about the company and shouldn't have to worry about security as well. After all, we don't expect the CISO to run social media campaigns.
Communication is a powerful, but underused tool
At times like this, technical controls alone cannot carry the load, so it is more important than ever for security teams to have an open, honest and constant two-way conversation with their users, and to start building a risk profile for each employee and for the company as a whole. I would suggest the following three steps as the most effective way to reduce the risk posed by a remote workforce:
- Have a conversation: through a constant and open two-way conversation with employees, security teams can find out what users like about security and, more importantly, what they don't like; where security frustrates them; which security measures aren't necessary in their day-to-day role; where they feel more security or better processes are needed; whether they need any additional tools that would require a download, including conferencing software; and which risky behaviours they exhibit, such as letting other people use their machines whilst at home.
- Build a risk profile: by combining this feedback with an analysis of job roles, security teams can build an accurate risk profile for each employee. They will quickly realise that not every user needs every control: privileged access, for example, should be granted only to roles that genuinely need it, and expensive tooling aimed at high-risk users adds friction without reducing risk when pushed onto everyone. Baseline controls are the exception here: 2FA on any account that can be reached remotely should cover every user, because a remote attacker does not care how low-risk the account holder's role is.
- Make highly targeted interventions: with these risk profiles in hand, security teams can see where the gaps are and make targeted interventions tailored to each employee's needs, reducing risk more effectively and more cheaply. It might be as simple as inviting one team to attend a webinar about an issue a few of its members raised with the security team, or putting certain individuals through very specific training instead of the one-size-fits-all, broad-brush security awareness training and funny videos we see today.
Some work I did with the finance team in one of my previous roles is a great example of this in action. By sitting down and having a coffee with a few of them, we found out they hadn't been encrypting invoices when they sent them out, as the process took a minute or so per file and they were sending out hundreds per day. I had set an unrealistic expectation and underestimated the sheer number of files they had to send out. So circumventing security wasn't their fault, but mine: the broken security policy had forced them to act outside of protocol and created risk. So, instead of putting them through a course of mostly irrelevant, patronising training, we were able to deploy tools that made the encryption process much faster and effortless for them. This not only reduced the risk of sensitive data being leaked, but also reduced the impact of security on the team's productivity. Had we not had a conversation with them, they would have continued these risky behaviours, but from one ten-minute coffee, we had solved a problem and made the company safer.
Working smarter, not harder
This sounds like a lot of hard work for security teams, many of which are already overstretched. Of course, having a face-to-face conversation with every employee of a large enterprise is impossible for the CISO and their team. So we must look to tools that enable two-way conversation at scale, making it possible to communicate with every employee and to act on their feedback easily. With live, first-hand feedback available, security professionals can work much more efficiently.
Without this intelligence, you will continue to see gaps in your company's security, especially with so many users working remotely. It is vital that we stop blaming users and instead implement effective, targeted training, solutions and policies that work for all employees and don't impede productivity. This starts with an open conversation and the gathering of intelligence. Only then can you be confident that you have an accurate, collaborative, real-time risk profile for your enterprise and are able to implement measures that keep your staff happy whilst reducing the risk to your company.
by Flavius Plesu – founder and CEO at OutThink
Company bio: Founded by a team of four CISOs and an esteemed university professor, OutThink provides an enterprise Human Risk Intelligence SaaS platform aimed at giving large, global organisations a complete view of their risk posture down to individual employee level. Based in London, UK, OutThink is an alumnus of both the LORCA and CyLon accelerators and is recognised by the Department for Digital, Culture, Media & Sport (DCMS) as one of the most innovative cybersecurity start-ups in the UK.
Author bio: Flavius Plesu is founder and CEO of OutThink, the world’s first Predictive Human Risk Intelligence platform (SaaS), aimed at revolutionising security awareness and giving security teams the power that comes with identifying high risk users – fully understanding who is not behaving securely and why. Flavius has over 18 years of experience in the security industry, and prior to founding OutThink he worked for a number of blue chip companies, most recently as CISO of Bank of Ireland UK, where he was inspired to create his own security solution, to solve the Human Risk problems he had encountered throughout his career. OutThink is recognised globally for innovation and has a number of large enterprise customers including FTSE constituents Vodafone, Bunzl and Holland & Barrett, as well as Abu Dhabi Islamic Bank.