How to build a security-first culture with remote teams | Imperva

If recent world events have driven an increase in the number of remote workers in your organization, you are now confronted by even more security challenges for already stretched security teams and busy IT departments. Sixty-one percent of CISOs are more concerned about security risks targeting employees than they were pre-COVID [IDG], and much of that is due to staff working remotely.

It’s important to get all employees – remote and on-site – to understand the benefits of following company-wide security directions and the pitfalls of not sticking to them, even if they are working from the apparent safety of their dining table. While there are many elements on the journey to best practices, helping remote workers stay safe from data breaches is foremost a matter of education.

Simple routine behaviors, like clicking on a link or an email attachment, can invite security risks. Accounts that have been compromised and taken over by cyber attackers are a very real threat for remote teams. Everyone in your organization should be aware of the main tactics used by malicious hackers and the consequences of ignoring them. Common risks include social engineering, such as phishing used to distribute malware. The first steps to mitigating security risk are creating a draft security document and adopting a broad policy that security is everyone’s responsibility. These are key to making cybersecurity a company-wide and collective effort.

Not knowing company policy should never be an excuse

Each employee must (initially during onboarding) complete an awareness exercise on your working-from-home security policy. This could be as simple as watching an internally created slide deck or video, or being asked to read a standardized document, with a short questionnaire at the end to ensure understanding. Security awareness is something everyone needs to embrace. This exercise must outline the security obligations with which you expect your staff to comply. For clarity, you should communicate in simple, plain language and avoid acronyms or technical jargon. You should include the consequences and ramifications of non-compliance. It should be possible to complete any security training or awareness exercise remotely and inclusively, preferably conforming to the WCAG 2.0 or WCAG 2.1 standards. If you are introducing this across your company after onboarding, then each member of staff should be given a window of opportunity, during work hours, to familiarize themselves with your documentation, complete any compliance documentation, and ask any questions. When your colleagues have formally agreed to this policy document, it’s then your job to enforce it.

Actively promoting security by default

Employees shouldn’t have to be constantly worrying about adhering to best practices – best practices should be easy for them. Security, while their concern, is not their job – it’s up to the business IT security team to champion the right hardware, software and systems so that others can carry on with their jobs with the least interference and with maximum safety. Our colleagues should already have the right anti-virus software in place, and the right two-factor authentication (2FA) process to get easy network access. They should have an easy-to-use VPN and a robust password management system. Devices should (ideally) be standardized and optimized. These aren’t things they should have to worry about.

No unsecured Wi-Fi networks should be permitted and all Internet connections must be thoroughly secure. People who work remotely won’t necessarily be glued to one IP address or sitting at home every day, but if colleagues are using a communal space the use of a company VPN should be compulsory.

The use of varied, strong, and compliant passwords should be mandatory. A staggering 4 out of 5 company security breaches are due to poor passwords. Changing them regularly and setting high standards for password composition is critical. Companies often blacklist common password choices, but there is a balance to strike between maintaining productivity and following security best practices. Passwords should be long (to help mitigate brute-force attacks), strong (containing a mix of letters, numbers, and symbols), free of any personal information (15% of people use a pet’s name as a password), and changed frequently (at least every 3 months). Personal accounts are far more open to compromise, yet 53% of users admit that they reuse the same password for personal and work accounts, which makes unique passwords critical for the workplace. Most people think they are far better at online security than they actually are.
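As an added illustration (not code from the article), a minimal Python policy check that encodes the rules listed above: a minimum length, a mix of letters, digits and symbols, a denylist of common passwords (including trivial variants such as "Password123!"), no personal information, and a maximum password age of 3 months. The 15-character minimum, the sample denylist and the sample inputs are assumptions.

```python
import re
from datetime import date, timedelta

# Constructed sample denylist (assumed values); a real deployment would load a
# much larger list, for example a breached-password corpus.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome"}

MIN_LENGTH = 15     # assumed threshold: the article only says "long"
MAX_AGE_DAYS = 90   # "at least every 3 months"


def _normalize(password: str) -> str:
    """Lower-case and strip leading/trailing digits and symbols so that trivial
    variants such as 'Password123!' still match the denylist entry 'password'."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()


def check_password(password: str, personal_info=()) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbols")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS or _normalize(password) in COMMON_PASSWORDS:
        problems.append("variant of a common password")
    for item in personal_info:
        # Ignore very short tokens (initials etc.) to avoid spurious matches.
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information: {item}")
    return problems


def needs_rotation(last_changed_iso: str, today_iso: str) -> bool:
    """True when the password (dates as ISO strings) is older than MAX_AGE_DAYS."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample input: a user named alice whose pet is called Biscuit.
    for pw in ("Password123!", "Biscuit2024!!", "Tr4ffic-Cone-Sunrise-88"):
        print(pw, "->", check_password(pw, ["alice", "Biscuit"]) or "OK")
    print("rotation due:", needs_rotation("2024-01-01", "2024-04-01"))
```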

You may wish to consider a single sign-on system or password synchronization as an alternative to multiple passwords, and to limit each individual’s access to only the data they need to do their job using a suitable database security tool – it’s possible to grant different levels of permissions to users, with assisted permissions detection for ease of implementation, based on the level of visibility each user needs. Use an authentication and authorization policy that draws on best practices and historical information to recognize which user accounts and business applications should have access to sensitive data. Adopting a “zero trust” policy (a phrase coined by Gartner in 2010) means an ongoing stance of “never trust, always verify”, with a mission to secure all users and all devices, anywhere, anytime.

“Zero trust is a way of thinking, not a specific technology or architecture.”
– Gartner Fellow Emeritus in Gartner Research, Neil MacDonald.

Zero Trust means strict verification systems like multi-factor authentication and contextual access, but having the likes of a friction-light 2FA (or other recognized standards) in place across the enterprise soon becomes part of the daily staff routine and is generally seen as a common, valuable, and necessary practice.

Companies may allow BYOD (bring-your-own-device) mobile phones, tablets, or laptops. While this does offer increased flexibility and team mobility, and can boost efficiency and productivity, it doesn’t promote standardization and comes with a unique set of security risks. Personal devices may run unpatched or outdated anti-virus software, connect to old and unsecured legacy networks, or fail to meet password protection standards. As such, strong regulation of these devices, or removing them from the equation altogether and replacing them with employer-provided devices over which you would have tighter control, should be considered.

It should be noted that, while employee monitoring isn’t anything new, the recent increase in enforced home-working has made it far more widespread. It may be suggested that implementing an employee monitoring solution become part of enforcing your employee security policy document. The General Data Protection Regulation (GDPR) in Europe, and comparable standards in other territories, clearly state that there must be justifiable reasons for any data collection and any tracking of staff activity during working hours. If this is an approach your company wishes to take, employers must notify the “data subject” (the employee) that they propose to collect monitoring data. This must be done both verbally and in writing, and must give a legitimate business reason. Factors like gender, cultural background, and context will affect how staff respond to the overall concept of employee monitoring. Some may be more receptive to it if it is for security reasons rather than productivity monitoring, but monitoring can suggest a lack of trust and potentially reduce employee morale. Consideration should be given to what message employee monitoring sends to staff about trust, and to the value of monitoring weighed against employee confidence.

Find time to address the important things

A third of security breaches are caused by unpatched vulnerabilities. It’s important to arm any system or company remote device with anti-virus software, spam filtering tools, firewall software, etc., but it’s equally important for an IT security team to keep those systems up to date, including regularly updating any network security systems. Put simply, this is an IT security team’s job, and by ignoring (or not having time to address) potential risks and developments in cybersecurity, which include essential patching, you can be putting your business at risk. It’s you and your team vs the bad actors of this world.

It will further be the IT security team’s responsibility to answer questions, put minds at rest, offer a smooth path to transition, and show best practices and the pitfalls of not sticking to them. Much of the successful adoption of remote working security best practices is down to staff education and getting everyone, across all departments and disciplines, on board with the mantra that security is everyone’s responsibility.