Jon Fielding, managing director EMEA, Apricorn
More flexible ‘hybrid’ working models come at a price, increasing the risk of data breaches and leaks as staff access company networks from a variety of locations, using a mix of business and personal devices. It’s everyone’s responsibility to protect data and remain vigilant about threats in this new working environment. This requires comprehensive and ongoing cybersecurity awareness and skills training – and covering the ‘practical stuff’ isn’t enough.
The knowledge gap
A lack of employee education was singled out as the biggest cybersecurity weakness during the first lockdown by almost a third of respondents to a recent Twitter poll conducted by Apricorn. More than 40 percent admitted they weren’t fully prepared to work at home securely and productively, and 16 percent weren’t even sure how to do so.
Adequate and appropriate staff training is absolutely key to supporting safe and productive remote working on a large scale, to ensure the entire workforce is following security best practice and complying with regulations such as GDPR. This requires IT teams to devolve greater responsibility for cybersecurity onto the individual.
Education programmes should be designed and implemented with all staff in mind – including temporary workers and third-party contractors, as well as senior teams. They must be regularly updated and tested. The delivery approach will need to be rethought, perhaps combining interactive video-based training in new skills or information with frequent bite-sized, on-demand learning modules that keep knowledge fresh.
Programmes should cover basic security ‘hygiene’ and the practical knowledge, tools and methods everyone needs to apply, including:
Awareness: All employees must be aware of the specific security risks associated with remote working, and how to control them. Everyone needs to have a grounding in the basics – for example, recognising common attacks such as phishing, the risks of sharing a device with family members or using weak passwords, or threats associated with not using a VPN.
Compliance: Employees should be briefed in the legislation the organisation is required to adhere to, including privacy laws such as GDPR, and any industry specific regulation.
Policy: All cybersecurity policies and processes should be reviewed to ensure they address potential vulnerabilities arising from remote working. Clear instructions on which devices and tools staff are permitted to use, and how, should be a central part of this.
Action: The strength of an organisation’s security measures lies in employees’ ability – and willingness – to execute them. All policies must therefore be communicated clearly and directly to all staff, via email or video, giving them the opportunity to ask questions.
High-quality education programmes will create a solid front line of defence for the organisation’s data, but a high proportion of breaches come down to human error, which is impossible to eradicate completely. This is where mandating company-wide encryption comes in.
Locking information down
The human risk can be mitigated by putting in place a policy of encrypting all data by default, especially when it’s being stored on, or moved around on, removable storage devices. Encryption provides a last line of defence: even if the worst should happen, any information that falls into the wrong hands remains unreadable without the key.
As part of their training, employees will need to learn how to correctly apply encryption techniques and use any encrypted devices they’ve been provided with.
A culture of accountability
Educating employees in the practical elements of cybersecurity is crucial. However, establishing a culture of security best practice across the entire dispersed workforce is what will truly embed a sense of personal responsibility and accountability.
This requires deeper engagement with employees. Education programmes will be most effective if they cover the ‘why’ as well as the ‘what’ and ‘how’: the reasons data protection is important, and the specific risks and consequences to their company of a breach. This will ensure everyone understands their specific role in keeping information and the business safe in the new working environment.