Recently, John Harbaugh, the head coach of the Baltimore Ravens, expressed his concerns over the possibility that the first virtual NFL Draft could be hacked. His biggest concern was based on media reports about security issues with the Zoom meeting platform that will be used for the draft.
While working with the executive board of a non-profit, a concerned volunteer forwarded a text message to several members that she believed might be a COVID-19-related SMIShing scam. She reported where the link redirected the user and asked the receivers to examine the link, but not to click on it. Three members of the Board clicked on the link in the forwarded text message.
Many IT teams are discovering that their employees are not following good cyber hygiene habits at home. For example, the move to remote work has uncovered issues with employees having not changed default passwords and not using strong, complex passwords on home networking devices.
What these three scenarios, and numerous others like them, are exposing is a critical issue in the realm of cybersecurity – as the working landscape and situation has changed in the midst of the COVID-19 pandemic, we are seeing that many organizations have failed to develop and nurture a true cybersecurity culture and mindset in their employees. For those who have taken the approach that “check the box” training was sufficient, the inadequacy of the approach is now coming to light.
Employees who have not been properly, thoroughly, and consistently trained in security and privacy awareness are at a significant disadvantage in this new world. This places organizations and their data at risk. What are we seeing “in the wild”?
- Without the security apparatuses provided in an office environment, individuals are more exposed than ever. Employees are your largest targets for attacks, whether in the office or working from home. In many cases, companies are discovering that they have failed to harden the employee attack vector against the exploits we are seeing now.
- The scale and chaos associated with the pandemic have left many people worried and distracted. People are now more prone to poor decision making without the usual security and privacy safety nets of managers and colleagues in close physical proximity, as well as the reminders and reinforcements that come from posted information.
- Due to the rapid deployment of work from home infrastructures for some companies, there has been a realization that there was too much reliance on technical solutions for security in the office environment and not enough attention paid to the “Human Firewall”. Since employees have not been exposed to common security and privacy exploits in the office, they do not recognize them as they are occurring in their home office environment.
- Employees are operating “out of context”. If training programs only provided education on “in the office” policies and procedures, people are lacking essential skills to stay safe and protect company data while working remotely.
- A lack of awareness of the organization’s data protection strategies is causing significant issues. Employees seem to be unaware of basic risk mitigation techniques, such as using a VPN, encrypting sensitive data at rest and in transit, not using public platforms like Google to share documents with outside persons, and how to ensure the security of internal communications.
- Many companies have built their Standard Operating Procedures, especially those concerning financial and HR data handling, for a specific in-house technical and physical infrastructure. The accompanying security best practices on which employees were trained may not align with work from home realities, and employees are not sure how to modify these safely.
- In some cases, employees may have been given new technologies to use while telecommuting, but not given enough training on using them safely. This is especially true if people are using SaaS or cloud-based products for the first time, such as web conferencing platforms.
- Issues with “not my job” syndrome are also becoming apparent. Companies have failed to build “Security Champions”. Employees assume that because IT/HR/Support have always taken the lead on security and privacy concerns, this will continue even while they are working from home.
- Documentation related to security and privacy policies and procedures is inadequate, not easily accessible remotely, or non-existent. This is a serious issue in this day and age, as employees need to know what is expected of them while telecommuting and be able to access that information when a manager or supervisor is not as readily available.
- Finally, companies are realizing that employees’ cybersecurity habits at work are a reflection of their habits at home. The training provided has failed to emphasize that a security mindset must be 24×7, 365. Employees who may struggle with a security mindset in the office also struggle at home. Employees who are great with security and privacy on the job may fail to realize those same best practices (e.g., the use of strong passwords, not clicking on links in emails, not using default passwords on systems, verifying a person’s identity and attention before providing sensitive information, etc.) should also carry over to their life outside of work.
Even as many businesses find themselves in the midst of forced, rapid Digital Transformations, the good news is that it is not too late to shore up the weaknesses in security and privacy awareness training programs. Quality training can be delivered online to employees, no matter their location. Although there are some indications that companies may be pulling back on investing in security and privacy awareness training during this time, now is actually a perfect time to work with a company like Global Learning Systems to design, plan,and deploy a program that will help to Strengthen Your Human Firewall ™ .
As the legendary basketball coach John Wooden pointed out, “…the true test of a man’s character is what he does when no one is watching.”. Can you trust that your employees are doing the right thing to protect themselves and your organization’s data while working from home during this pandemic? If not, fill out our Contact Form and let’s get started today building a security-minded culture that can save you time, money, and reputation.