According to a recent report, nearly 50% of businesses say that work-from-home policies have hurt their cybersecurity practices. Companies are finding it difficult to adjust to this significant change in working style and are paying the price for it. As the pandemic rages on, companies are sticking to the remote working model, and in countries where the pandemic is more or less in check, companies are switching to a hybrid approach.
In these tumultuous times, Right-Hand hosted a webinar on the topic ‘Building Cyber Culture in a Hybrid Work Environment’. This session went live on April 29, 2021, was moderated by our CEO and Co-Founder, Theo Nasser, and featured Dick Wilkinson, CTO of the Supreme Court of New Mexico, and Matthew Rosenquist, the CISO of Eclipz. They both gave deep and meaningful insights on the topic.
Here are some of the highlights from the session:
Managing Security Expectations in a Work-From-Home Environment
In a poll run during the webinar, 88% of participants said they were working from home full time, and 12% said they were working in a hybrid setup.
This new working arrangement brings a whole new slew of cyber risks and threats that organizations must account for.
Dick shared details about a solution he created at the beginning of the pandemic, a whitepaper he wrote which contained the logistics and technology aspects that such a change would bring about. He then presented this material to the CISO, who explained to their stakeholders how to adjust to the changes.
Matthew agreed with Dick’s approach. He proposed a similar approach wherein he incorporated the same elements as Dick’s, namely the logistics and technology aspects, but also incorporated some aspects relating to security, as he felt that should be the main focus as a CISO. Furthermore, he believes:
“For any organization, their cybersecurity policy is the manifestation of what the acceptable risk is, as long as you’re in the bounds, you’re okay. Security is a matter of early collaboration.”
Challenges and Opportunities when Building Cyber Culture During the Pandemic
Dick shared that he had initially seen this change as an opportunity for the organization. It allowed him and his team to have talks and discussions with the employees about cybersecurity policy that they otherwise would not have had. As a result, it created communication points that previously hadn’t existed. On the other hand, he has noticed some security threats as well. Dick mentioned that since employees are working from home, the environment will be more lax, and people will be more susceptible to cyber-attacks.
Matthew pointed out that employees no longer being dependent on any single place to work allows for greater flexibility. However, in terms of drawbacks, Matthew agreed with Dick that the relaxed environment is not conducive to cybersecurity growth.
The Importance of Security Policies when Working From Home
For Dick, the fact that employees weren’t coming into the office anymore brought about a chance to enhance policy compliance in the organization. The IT department could expose the other employees to the more “backend” matters they deal with. There was also communication between IT and other departments that hadn’t existed before, which significantly improved policy compliance.
In addition, a significant challenge to look at is the change in behavior from when you work in the office to when you start working from home. When employees are at home, they tend to feel more comfortable and take a more relaxed approach to work, making them more prone to cyber risks. Due to this, elements that weren’t particularly heeded in the cybersecurity policy will take the spotlight. It is up to the CISOs and CTOs to cope with the change. As Matthew puts it:
“The best CISOs and CTOs are constantly adapting, and they see new changes as an opportunity to change your policies, and you always have to be static, dynamic and flexible ’cause once you’re static, you’re outdated.”
Considering the challenges mentioned above, Theo asked for some tips/tricks that other CISOs could use when developing a new policy for the work-from-home environment.
Dick mentioned that it is essential to communicate with the employees about the changes made to the existing security policies and how they could help IT leaders implement them. Policies must also be written concisely and clearly, and they shouldn’t have any aggressive undertones, as the employees would then be too scared to communicate freely with you if they’ve made a mistake.
Empowering the Employee
It is essential to respect and appreciate employees on cybersecurity matters because, for most of them, it’s the first time they are dealing with cybersecurity-related issues. Matthew shared that he does all the cybersecurity training himself whenever a new employee comes into the firm. He does this to build a rapport with the employees and help them understand that the responsibility for cybersecurity falls on every single person in the firm.
Employees need to develop a cohesive mindset. They must understand that their actions affect the final product as a whole. Matthew also makes sure to thank the employees for reporting something they thought looked suspicious, even if it was a false positive, as that means they feel safe to approach him and his team on these matters. When an employee makes a mistake, it is essential not to pin all the blame on them. Matthew puts it eloquently:
“The employees are the eyes and ears of the company, and if they can report suspicious activity, it is a sign of good trust.”
Building Cyberculture in a Hybrid Work Environment
When asked by Theo about tips and tricks for building Cyber Culture in the workplace, Dick mentioned that it is important for employees to feel safe and not feel overwhelmed by the knowledge they are exposed to. The cybersecurity team should be seen as a helpful and guiding team rather than something employees should be afraid of. He said:
“If the employee reported that they had a pleasant experience when they communicated the problem, they would be more willing to talk to other people in the company about their experience, and this is how culture is developed.”
This truly meaningful and insightful session was received with a ton of positive feedback from our audience! We want to extend our gratitude to Dick and Matthew once again for joining us for this session.