Having employees working from home isn't news – many organizations have enjoyed this practice for over twenty or more years. However, since the onslaught of the Covid-19 pandemic we know that many organizations have shifted entire workforces to remote working and many others have made equally interesting adjustments.
I am sure that many reading this article still have waking nightmares, recalling those weeks in March and April 2020 spent accommodating and managing the transition, while also leaving us with two interesting truths…
The first truth: many organizations who would have never considered having a remote workforce, now have one – this wasn’t the plan. Many are confounded by the pragmatic reality that not everyone has fully returned their entire workforce to the premises – and, may never do so again!
Following on, the second truth: many individuals who never desired to be home workers, have found themselves in this position with the unintended intrusion from the family cat during conference calls. The transition is complete and many have become used to this mode of working and discovered that their line management (mostly) trusts them to continue working this way.
However – what of the cybersecurity elephant in the room, or realistically now sitting within millions of bedrooms around the world?
The cybersecurity pandemic
Many early challenges were overcome, laptop availability, bandwidth, remote access, connectivity and licensing. Employees became productive and some probably changed their working practices, some used their own computers, some already had work tech and we survived. But, what of their pre-existing cyber hygiene and the unavoidable fact that the threat surface increased by an unforeseen factor, by virtue of the fact that the network is now exposed via all employees’ VPN connections, home email connections and change in professional practice?
Unfortunately, your workforce will always be the most probable unintentional threat actor in any cyber-attack. As Malware developers have already understood – IBM X-Force identified a 6000 percent increase in Covid-19 vectored attacks, preying on individual fears and vulnerabilities – it takes one colleague to click on the bait while connected to your precious VPN, and then we can only hope your own internal defenses are suitably equipped to mitigate the attack.
We are all vulnerable – admit it, even with our collective level of cyber knowledge. Adding the current challenges on top of day-to-day life, you may have not have been in your best frame of mind, worried about yourself or those you love. However, if you can see this as a seasoned professional then it is easier to understand how many employees have been operating. The mass change to working from home is a positive, but at a time of uncertainty - which has not actually abated – then the challenge continues. Then there is another elephant, who has been using the computer while connected to the precious corporate VPN. Family life has been a unique challenge, while professionals are dealing with the squalling, squabbling sprogs, has the teenager been updating themselves on social media via the parental laptop? Everything is possible!
Getting employees on board with cybersecurity at home
The question therefore remains, what are we going to do to ensure our systems remain cybersecure while understanding the needs of our newly distributed workforces? We are going to see a long tail effect and need to adjust our cybersecure working culture, as vaccines are still months away and many senior organizational leaders are (quite reasonably) looking at how this workforce change may be the way forward.
Winning the hearts and minds of the workforce takes time. A single email with ‘CyberThreat Update’ will be ignored, as will expecting employees to complete compliance based training. These approaches seldom have the desired effect and tend to increase the sense of suspicion.
So why not thank them – thank all workers and share your appreciation for their good sense. A simple acknowledgement of the fact that the threat levels have increased and your system hasn’t fallen into a black hole is a step forward.
Then – raise awareness, offer them rewards – take an alternate view to cybersecurity and commission all of your employees as ‘threat hunters’. Giving them a little perceived responsibility for their own domain and create a discover and report approach. We know that over 99 percent of these reported threats come to nothing – however, once you move the sense of responsibility and add a little sense of reward (gift vouchers etc.), then the relationship changes. Yes, you will get some overenthusiastic souls, and you will also see some very trivial (from your perspective) observations – however, they are your allies, use them well and keep thanking them. I have mentioned this more than once, and so should you: keep it short, simple, courteous and to the point. If a colleague does spot an issue, depending on the situation, spotlight this.
We have been aware for some considerable time that individuals will compromise their computers for financial gain – turning the tables isn’t difficult and having an open policy will be the way forward.
It will also be important to focus on praise not blame. Some threats will not have been deliberate. Maybe left their computer unattended, maybe someone strayed away from the videos of fluffy kitty cats while the laptop was connected to your corporation. Reward honesty and understand that the new normal means that many members of your workforce did not plan or prepare for this – going forward, the situation is still likely to continue to be changeable. So long as it was clearly not malicious misconduct, the chances are the lessons learned may prevent a more serious breach in the future.
Your workforce will always be your greatest asset, yet equally the largest threat surface within any cybersecure system. Treating them with respect gains more traction in the longer term, outweighing the shorter term risks. Openness is everything, your system will be attacked – this is a given. A colleague will make a mistake via their home system – this is also a given. Good management and mitigation, will in the longer term enable a more agile workforce and fewer headaches (we hope). Overall, the long tail effect of this pandemic is that with care, nurture and consideration – you may inherit a more cyber aware and open minded workforce.
Andrew Smith, Lead Educator, FutureLearn