To understand the nature of an organization, you need to look at its people.: Whether this is a government department, a charity, or a small business hoping to stay afloat during the worst economic downturn for a generation.
More specifically, it is important to look at the management of this organization: Those who hold sway over an institution will naturally come to define the culture which is projected to the world. Security culture is no different.
As a result of the pandemic, remote working has been adopted en masse, with the ONS suggesting that over half of all London’s workforce had moved to a remote model in April. But when the entire fabric of working life has fundamentally changed, how is the culture of security impacted?
A recent OneLogin survey, aimed at understanding the security posture of businesses who have moved to remote working since the beginning of the pandemic found that senior management were significantly more of a concern from a security perspective than their junior counterparts.
The survey found that:
Senior managers, compared with more junior counterparts were twice as likely to share a work device with someone outside the organization, with 42 percent reportedly doing so compared to only 20 percent of their junior counterparts.
When it comes to sharing confidential passwords 19 percent of senior managers admitted to giving their passwords to someone in their family compared to only 7 percent of junior employees.
Senior management also reported working from public Wi-Fi networks at double the rate of their juniors, with only 15 percent of junior staffers admittedly doing so compared to 30 percent of senior members of staff.
These figures serve to highlight a problem in the newly-established remote working culture, but they do not help us to outline a solution. From my experience of working with senior leadership teams they are removed for the day to day, coal face work of configuring technologies, and with technologies constantly changing it is hard for leadership to stay involved. This is why it’s so important to build that open, honest and trusting security culture so management and leadership at all levels can seek expertise and support to make informed risk-based decisions, including technical configurations for systems/applications and technologies.
Building a security-first culture from home
While senior managers in this instance appear to pose a significant security threat, they are conversely the solution. Those in leadership positions need to take ownership of security, understanding that it has evolved into an existential business crisis. In fact, the BBC recently reported how one company is being hit from ‘all angles’ from a security perspective, with remote working making this onslaught even more difficult to fight against for lack of a geographical location or protected, centralized network. This kind of all-encompassing attack requires an equally all-encompassing defense.
Once a security-consciousness culture has been fostered, the first practical step in achieving this is a unified program of security training. Managers need to have the wisdom to know when they need help, and provide opportunities for themselves, and their employees to learn about the dangers that come with a lack of basic cybersecurity hygiene. This training should cover the tell-tale signs of how a security incident could occur – phishing incidents, BEC fraud, and how they can lead to malware or ransomware distribution – and the business consequences of this: Long term outages, massive fraud, and ultimately, a loss of brand reputation if the security incident goes public. These training programs can be hugely impactful on an organization’s security posture, with the Aberdeen Group suggesting that they can reduce security engineered cyber threats by up to 70 percent. Further to this, it is important to not let security become a negative term within the culture of the business: Do not punish those who unwittingly perform bad security practices, but praise those who do well.
The second step is to understand that if businesses are to move forward in the hybrid working model, then the traditional security approaches are no longer enough. End-users no longer have the security controls afforded to them when they were based in their offices full-time. Organizations need to understand this and review existing models, applying new security models and programs to their hybrid operating environment. Identity is the most important aspect of this operating model – understanding who and what device is trying to log into the business environment system and associated applications. Streamlining identity with IDAAS technology solutions will support organizations to continue to deliver quality IT services while balancing cost and risk.
The third thing that senior managers must do, is to champion security to their bosses. While senior managers can undoubtedly be setting a better example from a security perspective, the budget and will for organizations hoping to protect remote workers comes from the C-Suite. Managers need to make their voices and security concerns heard. Whether the pandemic continues to force the employer’s hand, or the outlook of employees change, remote work is here to stay. It is up to businesses to ensure that this change is also reflected in their security posture.
With regards to security, talk is cheap. Threat actors, similarly to all criminally minded individuals and organizations, thrive on chaos; The pandemic has brought chaos like many of us have never known into our working lives, and cybercriminals know this. For organizations to prevent this chaos to engulf their security posture, the steps outlined above need to be taken to heart by senior management. Just as managers have a pastoral duty of care to those who work under them, they need to take on a security duty of care in order to ensure that individuals both above them and below them in a corporate structure understand that they are doing all they can to ensure that the woes of the Pandemic year are not added to with a serious security incident: Leading by example will help everyone in their organization to see the seriousness of maintaining a good security posture, and may also help them to imagine the severity of the problems which could develop if security is not upheld.
Niamh Muldoon, Global Data Protection Officer, OneLogin