Almost all of us are dealing with the unprecedent migration of enabling our workforce to work from home. For many organizations this is a huge challenge as they lack the technologies and processes to enable this to securely happen. But even more challenging is for our employees themselves, many of whom may have never worked from home. For them this is an overwhelming time of confusion as they deal with new technologies, new processes and even new working environments. Add to the chaos of change is many employees are also supporting working at home spouses or even kids eLearning at home.
To successfully secure such a workforce we have to keep in mind just how difficult this change is for people. Any new security behaviors, processes or requirements we want to teach have to be as simple as possible. In academic terms we want to avoid what is called choice overload or cognitive overload. The human brain can only process and learn so much during a certain period of time, and in many ways people are already overloaded with all the recent change. As such, we have to teach people as little as possible.
This may sound counter-intuitive to many, especially security professionals who feel we have to address every new risk, which implies we have to communicate and train on as many security behaviors and policies as possible. But we quickly hit the point of overloading our workforce, basically they dump everything you told them and simply move on. The key is reducing what you need to teach people to the absolute bare essentials, and then communicate those fundamentals in a super simple way for anyone to understand. For example, for people working at home the three fundamental risks we recommend you focus on are
- You: People have become the primary attack vector (phishing email, phone call and text messaging scams, etc). Teach people what social engineering is and the most common indicators of such an attack. Especially with WFH workforce - people, and not technology, are your best defense.
- Passwords: Teach not only what is a good password (hint: passphrases) but how to safely and securely use them. Remember, both password complexity and password expiration is dead. Make passwords simple, perhaps even provide password managers for your workforce.
- Updating: The most secure devices, programs and mobile apps are updated ones, make sure people keep their systems updated and current. Promote automatic updating when possible.
Regardless of what you communicate or how, attempt to keep it as short and as simple to consume as possible. We highly recommend working with your communications and marketing teams, they are experts at this. In many ways SANS has already done the work for you by releasing the Work From Home Deployment Kit, a strategic planning guide and hundreds of commercial training videos and resources we have released for free, and in over 30 languages, which you can use. Finally, if you want to learn more, we highly recommend you consider the two-day MGT433 Security Awareness or the MGT521 Security Culture virtual courses which you can take at home.
Remember, security may be simple for you and me, but can be complex, overwhelming and confusing for the rest of the world. The key step to helping secure your workforce is to make security as simple as possible. And quite often, that is not that simple.