Over the last 6 months we have witnessed and experienced that more and more organisations have moved to home working in order to continue service delivery to their customers. We continue our series of blogs for European Cybersecurity Month (ECSM) and National Cyber Awareness Month (NCAM) with a look at the impact of home working on cyber security.
Human elements of security awareness
When we discuss home working and information security awareness, by default we immediately assume it is our physical assets that need securing. Of course, this needs to happen, but our people are also one of our greatest assets and we should not underestimate the significance of the human element of security awareness. As I mentioned in my first blog of this series, the goal of any organisation raising awareness is to convert learning into action by either reinforcing or creating lasting behaviour change; and this is an element I would like to discuss further by challenging businesses to look deeper into the human factor rather than focusing purely on technological aspects.
When do you check in with your remote workers? Cyber security awareness is for life, not just for October, and so is the wellbeing and involvement of staff, which is needed to engage them and drive a culture of security behaviours that will, in the long term, mitigate the risk to organisations from cyber-attacks.
How can we evolve and become more innovative in how we cascade and reinforce our cyber security message to the teams working in their home environments if we are to ensure the protection of our assets and data? However the message is cascaded, it should be very clear that the organisation’s information security policy is an enabler and is vital to protecting all assets and data. Everyone in the business should know that Information Security is everybody’s business and responsibility. For example, are all staff aware of current policies and have they been directed to the relevant or any updated policies to reflect their new ways of working? How do we ensure they apply the relevant learnings and actions to their new environment?
Increased incidents following home working changes
As noted in the NCSC weekly threat report of 28th August 2020, a report into the impact of the coronavirus on businesses has revealed an increase in cyber incidents relating to a change in working practices. In fact, 20% of organisations had experienced a breach caused by remote workers.
Whilst many people actually prefer to work from home, there are also people who are now sat working at a table they share with their family for meals, or on a sofa that they use to relax and focus on family time. A lot of people do not have the luxury of a designated workspace. Work has crossed into their personal space. Are we supporting the transition and encouraging them to create a structured workday that they can switch off from once the laptop has been turned off?
Creating an inclusive information security work culture
Remember our people are one of our biggest assets and they play a vital role in the confidentiality, integrity and availability of company data. We have to trust that people feel valued and included enough in the business security strategy and objectives to protect our business assets regardless of environment. We want our employees to use their integrity and do the right thing, even when no one is watching.
By creating an inclusive information security work culture, employees will engage in mindful security practices; for example, preventing passers-by from eavesdropping on a conference call by simply closing a window, or not leaving confidential information visible on a screen when contractors are in their home. It is essential that people recognise that their physical actions and conscious behaviours have as much consequence for a business as an unpatched system or an unsecured Wi-Fi network. Only through a top-down approach of engagement, inclusivity and a consistent structured lifecycle of cyber awareness training can this be achieved.
Please be sure to read our next blog in the series on Phishing.
How can Nexor help?
Nexor’s experienced cyber security consultants can work with your business to ensure your remote working policies and processes are effective for the new ways of working, as well as ensure your staff awareness training is delivered in a relevant and effective manner.
Author Bio – Dawn O'Connor
Dawn O’Connor is an associate of Nexor with an extensive business background across different market sectors including retail, local and central government and law enforcement. She is a member of the Chartered Institute of Information Security and co-chairs the Nottingham/Derby/Leicester Branch. Dawn holds the Certificate in Information Security Principles and the ISO 27001 Foundation certification.