October 7, 2020
Security / Culture
BY ADAM HOEY / POTENTIA CONCEPTS & PAIGE DOUGLASS - RISK, SECURITY & COMPLIANCE LEAD / THE CLEARING
Just when you thought it was safe to leave the house again, incidents of cybersecurity are creeping full force into the home office. ZDNet reports on what’s happening since so many employees have gone remote: Users are 3x more likely to click on pandemic-related phishing scams, there has been a 2000% increase in malicious files with “Zoom” in the name, and the number of unsecured remote desktop machines rose by more than 40%.
The need to power-up humans to be an active part of our organizations’ security and privacy defense strategy is more important today than ever before. With so many people working remotely and with compounded stressors from external factors (e.g., global health crisis, social justice movement, economic impact of COVID-19, and climate effects on hurricanes and fires), employees are not always thinking about security. Mental health is taking a hit, especially for people of color, parents, caretakers, and those who are financially insecure. Clicking a false link and mistakenly submitting credentials can happen to anyone if spoofed or distracted.
How can you navigate these disruptions from both a security and a cultural lens? The Clearing is a leader in helping people and systems address organizational and individual shifts, in particular how these shifts affect an organization’s culture. Earlier this year, we shared how leaders can ensure their teams are building their capacity for resilience.
To manage through the technology side of the challenge, corporate security has adopted “Zero-Trust.” You may have heard buzzwords in the IT and cybersecurity blogosphere talking about “Zero-Trust,” “Insider Threats,” and “Artificial Intelligence” that conjure images of cyborgs and dystopian scenes from Blade Runner.
For a bit of background, the term “Zero-Trust” in the cybersecurity world, is a model which defines trust as a vulnerability a la “the dating game.” Created by John Kindervag, during his tenure as a VP and principal analyst for Forrester Research, Zero-Trust is an observation that legacy security models operate on outdated assumptions that everything inside an organization’s network should be trusted. Once on the network, malicious actors (insiders or outsiders) are free to move around and steal data, to which they are not limited. Generally speaking, the concept is to start from a position of “no trust” and then provide access based strictly on “who, what, where, when, and why.”
Meanwhile, in IT academia, we often hear about a conceptual model called the Open Systems Interconnect Model (OSI) which shows the interoperability of IT systems and protocols. It runs from Layer 1 to 7. Where it falls short is the role of the workforce and organizations. To recognize this gap, people and organizations are sometimes informally referred to as “Layer-8 and Layer-9” respectively.
Why is this important? Well, for starters, times have changed and so have the places we work, our teams, applications, social networks and the devices we use – all increasingly ubiquitous. While we strive to digitize and automate we can’t forget the critical role of people, process and organizations to keep things running safe and secure.
Our clients have experienced that even the best IT and security technology will not deliver good results without a strong workforce culture that includes values, policies, procedures, education, and recognized controls and monitoring to back it all up. Otherwise you’re spending lots of money throwing up fences, with a false sense of security, and with disconnected and unhappy workers.
The Clearing and Potentia Concepts recognize the importance of culture in all facets of an organization and bring experience developing strong workplace strategies for offices everywhere, including our homes. Together we strive to build a strong workforce security culture for our clients, which, as with other programs, starts with a charter, a strategy, and a cross-functional core-team from IT, Security, Risk & Compliance, and Human Resources working together and sharing information. Next comes discovery and planning.
While there are a number of questions you’ll want to answer, we recommend starting with these important few to get you started:
- Do we have an effective security awareness and privacy education program in place? How many complete it and with a passing grade? Is our education aligned with our policies?
- How simple or complicated are user security access protocols across company cloud and network applications? Can users get help easily and self-remediate simple application access and device issues?
- Is our workforce trained on modern teleworking security best-practices? Do they know what to do before and also after a suspected incident occurs?
- Does our workforce feel comfortable and know where to go to ask questions, get help, report suspicious behaviors or share when they’ve made mistakes without fear of reprisal?
It’s with these ideas of discovery, trust, and re-building an effective human security culture that we use as a beachhead for future articles related to human-factor security, which we like to call Human Factor Controls and Enablement (HFCE).
During October Cybersecurity Month and after, look out for more blogs from us including:
- Human-Factor Discovery & Program Development
- Safe Home & Remote Teleworking
- Simplifying & Strengthening User Access
- Controlling Administrator Standing Privileges
What workplace security or culture challenges are you facing?
Adam Hoey is Managing Partner and Co-Founder of Potentia Concepts with offices in Washington DC and Amsterdam, The Netherlands.
When he’s not riding a bike, Adam writes on topics related to digital innovation, mobility, human-factor security and education. He can be reached at firstname.lastname@example.org.