For many IT and security professionals, the transition to remote working at an organizational level was very much a baptism by fire. The decision for employees to work from home came in the midst of an abundance of uncertainty, many under the impression that things would be back to normal in a few weeks; this new working style was seen as a reprieve of sorts, a break from normal day-to-day operations.
When it was clear that employees would be working from home for the foreseeable future, organizations had to make a flurry of resources available and solidify key decisions. It was suddenly apparent that the key players in protecting each organization against cybersecurity threats, the employees, were seemingly on their own.
With the transition to working remotely occurring overnight, cybersecurity was often not top of mind. According to a study conducted by HP’s Wolf Security division entitled “Rebellions & Rejections,” 76% of the IT respondents stated that their organization’s security sometimes took a backseat to its business continuity needs during their Covid-19 response. Cybersecurity seemed to hold lesser weight in business continuity plans.
Organizations made it their mission to focus on the needs of their employees and to try to make things feel “normal.” Everything from chairs to mouse pads and new monitors was delivered to homes, all in an effort to ease the transition and to encourage operations to continue with few hiccups or hang-ups.
However, there was something that many organizations did not account for: fear fatigue. The pandemic wore on and remote work became the standard.
Fear fatigue is defined as the “demotivation to follow recommended protective behaviors, emerging gradually over time and affected by a number of emotions, experiences, and perceptions,” and it reared its head during this time. More employees began behaving carelessly, threatening their organizations’ cybersecurity.
The bombardment of new recommendations and mandates combined with a purely online work environment forced many organizations’ hands. Something had to give and for some organizations, it was their dedication to cyber safety.
Fighting Fear Fatigue and Phishing
While much of the focus was rightfully turned to employee wellness during the pandemic, both security wellness and its assigned protectors found themselves struggling to keep up.
To add to the stress IT and security professionals already felt, the predicted increase in ransomware and phishing during the pandemic came to fruition. During the height of the global pandemic, phishing incidents rose 220% compared to the yearly average. This meant that not only were employees lax on their cybersecurity efforts, they were now being targeted at an unprecedented rate.
Many IT and security professionals reported that their company responded to the changing times and took the necessary steps to update security policies to account for working from home. On the flipside, employees shared that those updates were never properly communicated or reviewed, which explains their lapse in cybersecurity hygiene.
Though digital transformation and increasing productivity are important priorities for organizations to have, those initiatives prove useless when a social engineering attack corrupts invaluable information. It’s the responsibility of an organization to outfit its employees with the appropriate training and technology to protect their cybersecurity outside of the office. The true task for organizations, then, is how they can adapt their cybersecurity measures to a more remote workforce.
- Set clear company security standards.
As we mentioned earlier, many organizations adapted their guidelines as remote work permanence became clear. The key second step is to communicate these standards to the workforce regularly, and be available to answer any questions that may come up.
- Educate employees on the threats they face.
Now we aren’t saying to scare anyone, but it’s important for each employee to understand the role they play and what they need to be aware of. Provide examples of past phishing and social engineering attempts and review how to respond, or in this case, how not to respond.
- Make this a normal part of day-to-day operations.
Cybersecurity shouldn’t be a once-a-year, hour-long mandatory training; it should be practiced every time a device is used. Some ways to instill the practice are to send reminders to team members routinely, celebrate Cybersecurity Awareness Month company-wide, and congratulate those who flag the most phishing attempts. Standards are useless if they are not communicated effectively and if efforts are not recognized accordingly.
- Provide a Virtual Private Network (VPN) for employees.
VPNs provide your employees with a secure network to use to communicate and effectively complete their responsibilities. Using a VPN eliminates the fear of any information being compromised either through an unsafe public Wi-Fi connection or a possible hacker. It’s an additional cost to a company, but the security and peace of mind it provides prove priceless.
- Update company devices regularly.
Make sure that your team members are using the latest version available for their internet browsers and general operating systems. Encourage automatic updates or regularly checking to confirm their devices are up to date. This is another simple yet effective step employees can take to increase their security.
- Utilize multi-factor authentication (MFA).
MFA is usually made up of three common credentials: what a user knows (password), what the user has (security token), and who the user is (identity verification). This level of security provides better control over who has access to your organization’s files and other sources of information, meets regulatory requirements, and takes away the risk of relying only on often duplicated, rarely changed passwords.
A BCP Without Cybersecurity is Just a Plan
Working from home is not going away. The practice is projected to increase in popularity, with an estimated 22% of the American population working from home by 2025. Cybersecurity is an ongoing process and effort, one that must be continuously taught to and practiced by employees.
It’s time for businesses and organizations to re-evaluate the efficacy of their existing cybersecurity measures and the communication efforts that are made, and, maybe most importantly, to incorporate cybersecurity into their business continuity plan. No longer should there be a decision of whether to give one up in order to move forward with the other; a business continuity plan that doesn’t prioritize maintaining cybersecurity wellness is an incomplete one.