How to build a security-first culture with remote teams

If recent world events have driven an increase in the number of remote workers in your organization, you are now confronted by even more security challenges for already stretched security teams and busy IT departments. Sixty-one percent of CISOs are more concerned about security risks targeting employees than they were pre-COVID [IDG], and much of that is due to staff working remotely.

It’s important to get all employees – remote and on-site – to understand the benefits of following company-wide security directions and the pitfalls of not sticking to them, even if they are working from the apparent safety of their dining table. While there are many elements in the deployment of best practices, helping remote workers stay safe from data breaches is foremost a matter of education.

Simple routine behaviors, like clicking on a link or email attachment, can invite security risks. Compromised accounts that have been taken over by cyber attackers are a very real threat for remote teams. Everyone in your organization should be aware of the main tactics used by malicious hackers and the consequences of ignoring them. Common risks include malicious social engineering, like phishing for malware distribution. The first steps to mitigating security risk are creating a draft security document and adopting a broad policy that security is everyone’s responsibility. These are key to making cybersecurity a company-wide and collective effort.

Failure to educate should never be an excuse

It is a good idea for employees (initially during onboarding, but with frequent reminders) to complete a security awareness exercise in your working-from-home group security practice. This could be as simple as watching an internally created slide deck/video or being asked to read a standardized document, with a short questionnaire at the end to ensure understanding. Awareness and the importance of security is something everyone needs to embrace. This exercise should outline the security obligations with which you expect your staff to comply. For clarity, you should communicate in simple plain language and avoid acronyms or technical jargon. You should include the consequences and ramifications of non-compliance. It should be possible to complete any security training or awareness exercise remotely and inclusively, preferably conforming to WCAG 2.0 or WCAG 2.1 standards. If you are introducing this across your company after onboarding, then each member of staff should be given a window of opportunity, during work hours, to familiarize themselves with your documentation, complete any compliance documentation, and ask any questions. It is advised that you track compliance with the training and follow-up with employees and managers who have not completed it. When your colleagues have formally acknowledged this policy document, it’s then your job to enforce it.

Actively promoting security by default

Even with the best education and full adoption, employees shouldn’t have to be constantly worrying about adhering to best practices – best practices should be easy for them. Security, while their concern, is not their job – it’s up to the business IT security team to champion the right hardware, software and systems so that others can carry on with their jobs with the least interference and with maximum safety. Our colleagues should have the right anti-virus software in place already, and the right multi-factor authentication process to get easy network access. They should have an easy-to-use VPN and a robust password management system. Devices should (ideally) be standardized and optimized. These aren’t things they should have to worry about.

The use of varied, strong, and compliant passwords should be mandatory. A staggering 4 out of 5 company security breaches are due to poor passwords. Changing them regularly and setting high standards for password naming conventions is critical. Companies often blacklist common password choices, but there is a balance between maintaining productivity and best practices for security. Passwords should be long (to help mitigate against brute force attacks), strong (containing a mix of letters, numbers, and symbols), avoid any personal information (15% of the people commonly use a pets’ name as a password), and should be changed frequently (at least every 3-months). Personal accounts are far more open to compromise, but 53% of users admit that they reuse the same password for personal and work accounts meaning unique passwords are critical for the workplace. Most people think they are far better at online security than they are.

You may wish to consider a single sign-on system or password synchronization as an alternative to multiple passwords, and limit access of individuals only to the data they need to do their jobs using a suitable database security tool – it’s possible to grant different levels of permissions to users, with assisted permissions detection for ease of implementation, based on the level of visibility each user needs. Using an authorization and authentication policy – making the most of best practices and historical information to recognize which user accounts and business applications should have access to sensitive data. Adopting a “zero trust” policy (a phrase coined by Gartner in 2010) is an ongoing policy of “never trust, always verify” with a mission to secure all users and all devices, anywhere, anytime.

“Zero trust is a way of thinking, not a specific technology or architecture.”
– Gartner Fellow Emeritus in Gartner Research, Neil MacDonald

Zero Trust means strict verification systems like multi-factor authentication and contextual access, but having the likes of a friction-light MFA (or other recognized standards) in place across the enterprise soon becomes part of the daily staff routine and is generally seen as a common, valuable, and necessary practice.

It may be suggested that the implementation of an employee monitoring solution become a part of enforcing your employee security policy document. In many countries around the world, employees have the right to know what monitoring is occurring and why. Even where a regulation doesn’t require informing employees of monitoring, it’s often best practice to communicate clearly about monitoring.

Find time to address the important things

A third of security breaches are caused by unpatched vulnerabilities. It’s important to arm any system or company remote device with antivirus software, spam filtering tools, firewall software, etc., but it’s equally important for an IT security team to keep those systems up-to-date, including regularly updating any network security systems. Put simply, this is an IT security team’s job, and by ignoring (or not having time to address) potential risks and developments in cybersecurity, which includes essential patching, you can be putting your business at risk. It’s you and your team vs the bad actors of this world.

It will further be the IT security team’s responsibility to answer questions, put minds at rest, offer a smooth path to transition, and show best practices and the pitfalls of not sticking to them. Much of the successful adoption of remote working security best practices is down to staff education and getting everyone, across all departments and disciplines, on board with the mantra that security is everyone’s responsibility.

Leave a Reply

Your email address will not be published. Required fields are marked *