Remote security policies: 5 essential components
What are the key elements of a remote access policy? Experts explain how to update or create a remote security policy for your organization and stay safe while people work remotely
4. Training and communications
This is not the time to mothball your security awareness programs. In fact, you should be doubling down on them and addressing heightened risks as a result of remote work and/or the pandemic.
“Many employees may not realize the security risks that are introduced when working from home. Employees can act as an additional layer of security if they understand the risks and impact,” Partlow says. “Now is the time to adjust your user awareness training specifically to fit this new model.”
Wilson from SAS concurs: “Make sure your employees understand how the risks change when they are away from the office with training,” he advises. “Disruption, like we’re experiencing now, is a boon to cyber adversaries and fraudsters alike, so make sure you adjust your training to reflect these new risks. It’s more important than ever to remain engaged with your staff and ensure they understand how to respond to an incident.”
Partlow actually sees an opportunity here: Given the situation, employees are paying closer attention to corporate communications.
“Our CISO customers report that employees are more responsive to internal comms than ever,” Partlow says. “There’s an opportunity here to train and educate the workforce on protecting the corporate environment. Use this time to go over best practices for phishing attacks and social engineering using the latest virus-related examples from threat actors.”
Matt Wilson from BTB Security shares some bonus advice on the awareness, training, and enforcement front: It’s just as important to reward the right security-related behavior.
Explaining and incentivizing good behaviors encourages wider adoption of your security policy than a long laundry list of “do not’s,” he says. “Ensure your users have a stake in protecting organizational data and that they follow good security hygiene. Remind them that organizational data often includes their own personal data, and that good practices at work translate to better protections for the user in their personal life.”
Even in the best of times, security policies and controls shouldn’t remain static. Unless your last pen test happened very recently, for example, it probably didn’t account for everyone working remotely.
“For many organizations, it’s likely that their last penetration test focused only on corporate network users, not remote users. When these users are no longer on the corporate network, the attack surface changes and introduces new risk,” Partlow says. “Target your testing on your newly remote workforce – for both new controls and incident response procedures – through either a pen test or continuous attack simulations, to better identify your gaps amidst the changing threat landscape.”
Review security and other technical policies on a regular basis, advises Gamblin from Kenna Security: Every six months or so is a good rule of thumb. The current situation underscores that ongoing need – and accelerates it in many organizations.
“Policies should be constantly evolving as your company grows and matures,” Gamblin says. “You should always be looking for ways to enforce parts of your policies that are only controlled by procedures with new technical controls when that makes sense.”