During Remote Work, Security Training Brings Teams Together
Print Issue: September 2020
COVID-19 canceled Security Week. Or so John Hampson, director of global security at Kearney & Company, had thought. The weeklong program of security education and training was meant to be held in April 2020, and Hampson and his team had been developing the program for months. Then the pandemic sent the majority of employees home to work remotely.
However, security is a high priority for Kearney & Company, which contracts financial services for the U.S. federal government and prides itself on providing its clients the best-educated employees, including on security matters. In addition, the isolating effects of remote work loomed—motivating Hampson and his team to forge ahead with a virtual Security Week instead, both to maintain the organization’s educational standards and foster a sense of community within the workforce, he says.
“I was seeing all this other stuff that was canceled, canceled, canceled, everything was canceled,” Hampson says. “We had put a lot of effort into it; it’s our paramount event of the year. People look forward to it.... It generates interest, and people love it. I saw all of these other things being canceled around the D.C. area, and so we decided to improvise.”
Typically, Hampson plans a week of two to three presentations per day, with catering, outside speakers, and hands-on training to help employees engage with security in a new way. In the past, prizes, signed books, and demonstrations with security K9s have been used to garner attention, in-person attendance, and participation.
Instead, this year the security team recruited internal and external subject matter experts to record presentations in advance, and then select presenters participated in an interactive live chat at the end of the day, so employees could ask any questions or get clarification on that day’s presentations. While some aspects of the in-person security awareness program could not be replicated virtually—CPR and Stop The Bleed certification, for example—other topics were adjusted to suit the current climate and virtual format. Live classes were offered around lunchtime, and employees could watch on-demand anytime.
Out of more than 700 eligible Kearney employees, more than 500 attended at least one session—approximately doubling attendance from the in-person 2019 Security Week.
In the time of COVID-19, with millions of employees working remotely, security awareness is as important as ever, says Mathew Newfield, chief information security officer for Unisys. “Home networks are some of the most hostile networks on the planet,” he says. “Most people don’t know how to log into their home router, have never patched it, wouldn’t know how to configure it.... If you’re going to allow your employees to put those corporate assets in homes, it is worth the time as a CIO or head of IT or CISO to start doing an analysis of where your employees live, see what the main providers are and what equipment they use, and start providing some guidance on things that [employees] can do in their homes to protect themselves personally, which will translate into protecting the organizations they work for.”
Phishing and vishing attacks are on the rise, according to data from Unisys. Employees who are used to working in offices where they can quickly flag issues and get opinions from in-house experts just by walking down the hall are now isolated, and they may be less willing to send IT or security personnel an alert via email or a more official channel about a suspicious email, Newfield says.
Further compounding the challenge of security awareness mid-pandemic is employees’ mental bandwidth to deal with yet another threat. According to the 2020 Unisys Security Index, consumers’ cyber risk has taken a backseat to matters of personal and financial risk. While two-thirds of global consumers are seriously concerned about their families’ health and their country’s economic stability and heath infrastructure, just over 40 percent said they were seriously concerned about being scammed or experiencing a data breach while working remotely.
“In this sense, consumers appear to be taking their eye off the ball when it comes to security concerns beyond health and economic well-being, putting themselves and potentially their employers at risk,” Unisys said in the report.
Newfield recommends that security leaders do their research on what employees’ main concerns are, then provide guidance on personal security—such as good password hygiene, patch management, and identity theft warning signs. Especially when many corporate employees are working remotely, these personal risks also endanger business interests and assets, so this training tone can reap rewards on multiple levels, he adds.
The goal of a security awareness program is to promote the organizational and individual actions that can be taken to reduce risk and foster a culture of security, says Bryan Leadbetter, CPP. Leadbetter is a member and director of the ASIS Professional Standards Board, most recently working on the new ASIS International and (ISC)2 Security Awareness standard, published in July 2020.
In any organization, the overall employee population will vastly outnumber the security department, he says, which means that having a robust and engaging security awareness program is key to boosting security’s reach and effectiveness.
“When you look at culture within an organization, a security awareness program delivers a recognition that security is everyone’s responsibility,” he says. “This is a program to help people meet that responsibility and achieve a collective reduction of risk for the organization as a whole.”
Conversely, the failure to have such a security awareness program, suitably tailored to the organization’s needs and risk environment, could result in unnecessary loss of assets or intellectual property, business disruption, employee harm, or noncompliance with essential regulations, Leadbetter says.
According to the ASIS Security Awareness standard, organizations need to consider a number of internal and external factors when developing a security awareness program, including security policies and procedures; organizational mission and core values; operating environments; security risks to the organization’s employees, assets, reputation, and goals; available resources; and the roles and responsibilities of participants.
“Programs based purely on content and delivery will often fail,” the standard said. “Planning and careful consideration of audience and messaging are essential. Additionally, organizations should recognize that ensuring organizational relevance, establishing policies and procedures, providing ongoing communication and training, and engaging management are key factors to program success.”
For example, at Kearney & Company, Hampson and his team enlisted key partners to assist in promoting the security awareness sessions in high-level meetings and with different departments. In addition, the security function sent email reminders, shared virtual posters, and leveraged internal messaging to promote the virtual program. The goal, Hampson says, was to launch a security PR campaign that was professional, polite, and not too overbearing.
Communication needs to go two ways in any successful security awareness program, Newfield says. It’s the responsibility of leadership to provide guidance, and it’s the responsibility of employees to ask questions, he adds. One way to encourage this interaction is to keep security education light, nonpunitive, and engaging; humorous vignette videos, lunch-and-learns, or coffee hour education sessions can be great entryways into the security conversation.
“Don’t just focus on fear, uncertainty, and doubt—there’s too much stress in the world already,” Newfield says. This lighter, friendlier tone can also help mitigate the risk of security fatigue, triggered by an endless barrage of emerging threat information, especially when presenting security issues to nonexperts.
“These different areas are pretty complex, and we have to be able to explain how to thwart efforts at attacking our company, our people, our systems, and our laptops by these threat actors,” Hampson says. “What we have to do is we have to find the right instructors.”
In Hampson’s case, that meant searching through recent publications and information from associations like ASIS International, asking peers for recommendations, and turning to trusted partners like the U.S. State Department’s Overseas Security Advisory Council (OSAC), among others. However, security leaders should not ignore the subject matter experts within their organizations—internal security personnel can be valuable participants in security awareness programming, as much for their expertise as building personal connections between employees and their colleagues within the company’s security department, particularly during times of remote work.
Several of Hampson’s security team members presented during the weeklong program, and the exposure of those internal subject matter experts to the rest of the company helps employees know who to ask about security issues and builds connections for future learning.
“Even though we have all this technology, we still have to have the human angle—you have to connect with employees,” Hampson says. “Even though we’re using Zoom, Skype, Microsoft Teams, and all these other ways of connecting, it’s not as personal as we all think it is. We need to make that extra effort.”
Want to learn about another awareness plan in action? Read about the converged security awareness program at Mastercard.