In a post-Covid world all organisations have had to adapt to new ways of working. The transition to remote working was fast-paced, reactive and not secure by design. As a result, it has required continual development to support the evolving environment.
Flexible and hybrid working continues to present new risks to organisations because of the reduced visibility of the workforce. To create a secure hybrid environment, we must help users understand why controls are needed, build understanding and accountability, use data analytics to inform the application of controls and training, and implement technical controls.
Understand why controls are needed
Working from home is less secure than working in the office environment, and communicating this effectively to the workforce will help them to understand why additional security controls and training are being implemented. This will mean they are more accepting of those measures.
This should be reinforced by senior leaders acting as role models for secure behaviour. They should provide the context and the reasons for their requests, and set an example that encourages individuals to prioritise cyber security training and other related activities.
Providing cyber security communications about home life as well as work can help employees to engage with the content. Good habits in an employee’s personal life will transfer to their work. Empowering them to educate themselves and their friends and families will in turn reinforce and embed their understanding of how to act securely in your organisation.
Build understanding and accountability
Individuals can only act securely if they have the knowledge to identify threats and the confidence to report them. Fostering a positive security culture will encourage individuals to behave securely regardless of the environment they are working in.
We must ensure all employees are provided with relevant cyber security training on how to work securely from home or alternative out-of-office locations. Regular training should allow continuous development of cyber security skills and include phishing simulations. There are many cyber security training and awareness platforms which can be used to provide engaging and relevant training to the workforce. Such platforms also support risk metrics and allow targeted, timely and often bite-sized training for groups with increased risk.
The days of leaving security to the IT or cyber team are gone, and it is important that individuals understand the role they play in an organisation’s wider security, both in their behaviour and in how they do their job.
The workforce needs to understand what is expected of them and the processes they should follow. This is only possible if there is an established process in place to define positive security behaviour and to communicate it clearly. Reporting cyber incidents or suspicious links helps to develop a clearer understanding of the threat landscape. In turn this will raise the profile of the cyber security team and encourage individuals to approach them with any concerns or questions.
Use data analytics to inform the application of controls and training
Data analytics, combined with an understanding of likely threats, can help the cyber security team understand the areas of vulnerability and risk. This then enables them to prioritise and refine controls and training to manage risk.
To enable your business to identify insecure behaviours as they happen, your human risk management must be both proactive and iterative. Identifying risks in a hybrid environment can be particularly challenging but behavioural data can provide a clearer understanding of an individual’s digital footprint and actions across business systems. The use of these behaviour analytics will increase your visibility of insecure behaviours across your workforce and provide ‘just in time’ support to prevent risks escalating.
When using behavioural analytics, you must, however, consider any regulatory restrictions such as privacy and intrusion laws. If your organisation operates in multiple jurisdictions, additional regulations may apply.
Implement technical controls
In addition to educating your workforce, it is vital that you support them by implementing technical controls. These should include endpoint protection software on each user’s business device, cloud-based email management platforms, and always-on Virtual Private Network (VPN) controls. To ensure your organisation is not exposed to additional risk, you must also have a clear policy on the use of public Wi-Fi and outline the associated risks.
Implementing this best practice will help to manage the risks of hybrid working. The right data will provide a greater understanding, which in turn enables better application of controls and improved behaviour. Taking a proactive approach to influencing security behaviour will allow you to accurately quantify and manage your human risk. That human risk management must be integrated into the wider business strategy and continually updated to reflect the evolving threat landscape, both for those in the office and those working remotely.
Olivia Rofe is a cyber security expert at PA Consulting.