A successful security awareness professional influences employees to continuously adopt positive security behaviors as the world around us changes. In order to do this, we must keep a pulse on company culture and stay connected to our employees. With the massive change we’ve been going through in response to the pandemic, there are a few things I’ve learned that have helped me continue to stay plugged into our culture and employees even as we work from our separate homes. Here’s what I’ve been doing to maximize our security awareness program.
1. Started Phishing Again
When the pandemic hit, we saw phishing attacks ramp up in volume and sophistication. The attacks callously preyed on emotions and took advantage of workers distracted by kids, pets and the new challenges of working from their dining room tables.
The awareness community was quite divided as to whether to let up on phishing employees during the transition to their new work environments or keep them in good practice. Neither approach was right or wrong, but it remains crucial to know your culture and audience and then use your best judgement. For me, it was important to get buy-in from our CISO and CEO since they’re managing security and company culture, respectively. At Code42, we decided to take the month of March off from our phishing education in favor of getting our employees comfortable and productive while working from home. “Testing” them seemed unfair at that moment. But we are back in the game now because the attackers are pushing hard and using the pandemic as bait.
Cybercriminals ramped up phishing attacks over 667% in the month of March alone, according to KnowBe4. Google says it identified more than 18 million daily phishing messages featuring coronavirus themes within just one week in early April. During that time our email filters were getting hit three times more often than they did pre-pandemic. That also meant that more got past our filters and into employees’ inboxes. Good thing we trained them well over the past several years, because no damage was done!
If you also took a break, I say now is the time to get back to it. And if it makes you feel better, you can communicate to your workforce the reason you need to get going again and reinforce (as you should always be doing) that you are not trying to “trick” them or “catch” them — you are arming them to help protect your company. You are giving them an opportunity to better spot attacks so that when a real phish comes along, they don’t get “caught.”
2. Remained Transparent
Now is a great time to communicate that threats have not diminished, and, in fact, some have increased — so you need everyone’s help. Let your employees know that the job of the security team is to protect the company and its data, and that you can’t do it without them. For instance, if you have an Insider Threat program watching for data exfiltration, secretly monitoring behind the scenes is much less effective than being transparent. Tell your employees that you are monitoring data movement so you can protect the company from losing the very data that keeps it running, and hopefully they will be on board. Let them know that it is not your goal to spy on them; indeed, it’s quite the opposite. You want to focus on important data that might be inadvertently exposed rather than getting bogged down chasing non-threatening data movement, such as someone moving personal photos around.

That’s where they can help save the day. If they need to move data for a legitimate reason, they can do so by alerting the security team. That way, you know the details upfront instead of starting an investigation, and it’s far better if you can help them find the most secure way to move the data. The very knowledge that you are monitoring, and for very good reasons, will make people more cautious. Additionally, they can help cut down on unnecessary investigations and be an important part of the solution. It’s a great story of everyone working together to increase the security of the crown jewels.
3. Updated Trainings to Make Them Relatable
The corporate images of people in suits that we’ve been using in our training videos may not be as relatable to people moving forward. Over the last few months, we’ve seen our coworkers in casual clothes and settings. An image in your training materials of employees in suits in a conference room may now need a refresh. Adjust as it makes sense for your company; not all companies are moving in this direction, and suits in images might still work for your organization. I don’t advise an immediate overhaul; instead, build it into your planning whenever your trainings are due for review.
4. Provided Tips for Home Network Security
Home network security used to be outside the purview of IT and security teams, but now it is a concern. Prior to the pandemic, awareness professionals offered helpful information to employees on how they could better protect their family and personal data by improving their security at home. That is no longer a nice-to-have — now it is a must-have. With bad home Wi-Fi setups, kids using company devices, and the like, home security practices are now much more concerning to us. It will be a new internal conversation with your IT teams on how much support you want to, or can, give to everyone. In the interim, consider sharing tips using RedBlue42’s blog on the topic or publicly available resources, such as the SANS “OUCH” newsletter, CISA’s Stop.Think.Protect., the FTC Consumer site, the National Cybersecurity Alliance’s Stay Safe Online, or this video from Consumer Reports on home Wi-Fi security. Of course, these are created for general public consumption, so if they don’t quite fit your environment, consider working with your learning and development or corporate communications partners to record your own 2- to 3-minute videos on home security best practices. If that sounds daunting, recruit one of your TikTok-obsessed employees to assist you.
5. Embraced Video Conferencing and Collaboration Tools
You can’t influence behaviors for the better if you can’t capture the attention of your “audience,” in this case, your employees. The best way to get anyone’s attention is to show interest in them, learn who they are and deliver the right messages at the right time in a way that they can relate to and consume. Trying to keep a pulse on the culture of your company is MUCH more difficult now that we are all working from home.
All the “water cooler” chatter that we may have thought of as fun but perhaps frivolous while in the office is now a missing piece of the culture puzzle. Slack has done a great job replacing that essential chatter for me at our company. Having all the project channels is super helpful, but what I enjoy the most are the dog, cat, wine enthusiast, and take-out advice channels. I feel like I’m staying connected to my fellow employees and, in a lot of cases, actually getting to know them better.
I also really like that I get immediate feedback on whether my message is being seen because people post their reactions in real time with emojis or questions that I can answer for everyone to see. I’m obviously an advocate for being transparent, but if something is a sensitive topic, you can simply reply with a direct message.
If your company is evaluating new or different collaboration tools, be aware that employees may use some of these tools in their personal lives, too. With both corporate and personal accounts in the same tool, there is a risk of what we call “Mirror IT” — where corporate documents can easily be shared on a personal rather than corporate account. So, be prepared with policies and best practices about what is okay to share internally versus externally.
To assuage any of your concerns about data loss, take advantage of our 60-day free trial to see what documents are being shared and with whom, not only on Slack, but across all off-network file activity. In fact, with employees dabbling in a little Shadow IT and exploring apps that will help make them more productive, this is a must-have for companies that want to keep track of valuable data.
The other thing that has been critical in helping me stay connected to my fellow employees is using video on all of our calls. Facial cues or micro-expressions are so important in gauging how what we say is being received. We can see if someone is getting annoyed or isn’t following our logic so that we can adjust, add clarity, etc. And being able to see who we’re talking to is not just for extroverts. Many of the introverts I talk to are also expressing the need to see the faces of their coworkers – we’re awfully isolated right now. Of course, you’ll get a few objections if video has not been part of your remote culture so far (particularly from those who may need to ditch their pajamas). If you can put a bug in your leaders’ ears, both of these types of tools — video conferencing and tools like Slack — will greatly increase your security awareness program’s efficacy. (Hint: Recruit your HR department. I’m sure they’d be on board for these as well.)
I hope these lessons learned help you get the most out of your security awareness program while we’re all working from home. Find new ways to stay connected to your “audience,” your employees; continue training, training, training; deliver relatable messages that appeal to employees right now; and be transparent when asking for their critical help to keep the company secure. Whether we all end up back at the office soon or have to stay home for some time to come, this “new normal” will continue to be an interesting and ever-changing landscape for security teams and awareness professionals.