Security approaches should be human-centred: 39% believe awareness training is the key to mitigating the remote working risk
Richmond, Surrey, UK, 0900 hours, 23 February 2021 – The feeling of isolation experienced by employees is the biggest concern IT and cybersecurity teams have around home working, say almost one third (31%) of respondents to the latest Twitter poll run by Infosecurity Europe, Europe’s number one information security event. The objective was to investigate views on the current threat landscape, as remote working remains the norm and ‘lockdown fatigue’ sets in. Staff isolation causes more worry than employees sharing devices with other household members (the top concern for 26.4%), reduced vigilance (24.9%) and the risk of clicking malicious links (17.7%).
“The results illustrate that the welfare of employees – and the impact ongoing remote working is having on their security behaviours – is currently top of mind,” says Nicole Mills, Exhibition Director at Infosecurity Group. “Being isolated, while juggling work and all the other competing pressures generated by the pandemic, is likely to be affecting people’s mental health. Working at home also potentially distances staff from company security policies and the support of the IT team, making them more susceptible to letting their guard down, being overly trusting, or simply losing motivation. IT and security leaders must find ways of keeping employees engaged and firmly anchored in the company security strategy.”
Awareness training is key to sustaining connections with employees, according to Infosecurity Europe’s poll, with 39.2% of respondents believing awareness training is the best way of mitigating remote working risk. This is followed by web and email security (28.1%), endpoint protection (19%) and identity and access management (13.7%).
“I would suggest that understanding where your risks are is more important than jumping into ‘solution mode’ with endpoint protection, for example,” says Steve Wright, CISO of Privacy Culture and former Interim DPO, Bank of England. “Organisations have not carried out a proper assessment about the whole impact of working from home, with respect to data, IT and general operations. This will differ by business operation, role and function, in addition to people’s home circumstances – such as whether they’re in a shared flat or their wifi speed. Once assessed, the necessary policies and procedures should be updated, and training and communications carried out to staff. Refresher training delivered via short videos and animation is necessary for the whole workforce. As well as easily accessible awareness training and guidance, employees need more automation and dynamic support, with messages that say, for example, ‘this looks like it’s confidential, go here to protect it’.”
Maxine Holt, Senior Research Director at Omdia, echoes the importance of addressing the human factor: “Organisations need data protection, but also to ensure that the remote working environment is as secure as it can be. Remote employees don’t have the same ‘mindset’ as they would in the office – they walk away from laptops without locking them, set easily-guessed passwords on routers, or don’t apply updates to equipment. We’ve seen IT and information security functions provide great regular hints and tips for staying secure when working from home, improving awareness and education. This can also include support for mental health, as security may well decline if an individual is suffering. There’s definitely evidence of the boundaries of responsibility between information security and HR merging – and this is for the better.”
On the other hand, Mark D. Nicholls, CISO at Chime Group, believes organisations should adapt controls to be more data-centric, starting with visibility. “We need to know what people are accessing, and what they’re doing with it. Do we truly know what’s going on with an employee’s home broadband network, and the personal devices being used to access corporate data? Our controls must also be truly device and location agnostic. It’s important to leverage cloud solutions that enable agile working along with good security controls. We mustn’t forget about basic hygiene, either – for example enabling multi-factor authentication (MFA), and ensuring employees know how to create strong passwords. It’s no longer easy to just walk down the corridor and speak to someone if there’s a security issue, so IT helpdesks should be empowered to use remote management tools where possible to fix issues.”
More than half (52%) of respondents to Infosecurity Europe’s poll believe that unsecured personal devices pose the biggest security threat within the remote working environment, followed by unsafe VPN/wifi connections (30%). Unapproved cloud apps (10.6%) and collaboration tools (7.3%) are seen as relatively low risk.
Nicole Mills continues: “Security threats have evolved as the pandemic has advanced. Attackers are ready to strike at the weak points that emerge as new ways of working and living continue to affect employees’ behaviours and mindsets. One particular area we all need to guard against now is the rise of ‘fearware’, as criminals seek to trick remote workers with ransomware and phishing scams, often linked to messages about COVID-19. Training undoubtedly has a major role to play here.”
The conference programme for this year’s Infosecurity Europe event (Olympia, Hammersmith, London, 8-10 June 2021) will feature a number of sessions focused on addressing how to better anticipate, detect and respond to threats, including on Day 1, 8 June:
- Decoding Future Trends: Threat Predictions for 2021 & Beyond – including:
  - Lightning Talk 1: After 2020’s Pandemic, What are the Biggest Risks Ahead?
  - Lightning Talk 2: Cyber Attacks on the Rise – Latest Security Trends on Social Engineering
  - Lightning Talk 3: Best Practices to Identify, Avoid, and Report Phishing Scams
- Keynote presentation: Combating Ransomware: How to Prevent, Protect, and Respond to an Attack. A practical guide on how to tackle ransomware attacks.
- Case study: Developing a Human-Centric Approach to Improve Cybersecurity Effectiveness. How to empower employees with the right tools and approach, so they can be the strongest link in an organisation’s cyber-defence.
- Panel Discussion: A Practical Approach to Mitigate the Risk of Insider Threats. How to change the behaviour of employees, execs, and the board, including raising cyber security awareness to prevent social engineering and phishing attacks and reduce data breaches, and the use of attack simulations and other innovative awareness initiatives.
Drawing 6,568 responses, the Infosecurity Europe Twitter poll was conducted during the week of 8 February 2021. Infosecurity Europe also interviewed its network of CISOs and analysts to gather their views on the current threat landscape.
Infosecurity Europe, now in its 25th year, takes place at Olympia, Hammersmith, London, from 8-10 June 2021. It brings together information security professionals attending from every segment of the industry, as well as the leading industry suppliers showcasing their products and services, industry analysts, worldwide press and policy experts. Expert practitioners are lined up to take part in the free-to-attend conference, seminar and workshop programme. Find out more at https://www.infosecurityeurope.com