The corona virus hit the business world almost like a biblical plague, within weeks the world as we knew it was gone, business was halting to a near complete stop. People are going home, and staying there. To get work done, organizations from banks to healthcare providers to software developers suddenly find themselves in their homes, doing work. There has been a blitz digitalization during the pandemic, in every type of organization. We are taking a look at what that means for cybersecurity and leadership.
Remote work has been here for a long time but this is different. The general anxiety around the pandemic hurts our concentration. The sudden change has caused a complete change in routines for many workers, and they are suddenly left to do their work with limited communication and feedback from peers, perhaps inadequate equipment. Not everyone has a quiet space with an ergonomically well-adjusted desk and chair for office work.
So how does this affect cybersecurity? Social engineering is a big part of the problem today as it was 20 years ago. This means that a big part of our defense against cyber attacks is the ability of workers to avoid being fooled by social engineers. This is a lot about gut feeling, and being attentive to signals that something is not quite right. If we are overloaded with tasks, under a lot of stress and struggling to keep the mood up, we are much more likely to fall for social engineering, scams, such as a phishing attack.
What leaders should do when digitalization came fast
If your company has suddenly shifted to a remote only organization without proper planning, your role as a leader has suddenly got some new challenges that relate to performance, collaboration, and cybersecurity. The security vendor Digital Shadows published an interesting blog post on a threat model for the remote worker in March. They then go on to suggest security controls, or things organizations can do to counter those attacks. Most of these suggestions are technical in nature, such as including link protection in email services and using always-on VPN to mitigate man-in-the-middle attacks.
Since they published this blog post in march we have seen some trends in the threat landscape. We track developments closely through our threat intelligence service, and what is very visible is:
- There is a sharp increase in the number of successful ransomware attacks, including attacks using so called “double extortion” to make companies pay high ransom payments.
- People are receiving more phishing emails than usual, with campaigns using information about remote work, COVID-19 in general or masquerading as Zoom or Teams meeting links.
- Websites continue to be attacked with injection of malicious scripts, such as Magecart.
So what can you as a leader to to help counter attacks like these? What these attacks have in common is that they seek to exploit human vulnerabilities, and fast digitalization during the pandemic has increased those vulnerabilities in every organization. People need to function well to avoid making more errors than usual, to recognize that something is a bit off. This is where good leadership comes into play. Here’s the playbook!
- Make sure everyone receives, or at least has access to, training on how to use new tools in their jobs. If someone has never used videoconferences in their day-to-day work, they may be confused by this. Make sure to show them how to use the technology they are given, and good practices for making remote meetings actually work. Digitalization is not only about tools, even in a pandemic. Changing the culture to work well with these technologies is important and requires training and time to learn.
- Make an effort to have more one-to-one meetings with everyone. This way it is easier to pick up if someone is not feeling OK, and offer help and empathy. This can make a big difference in difficult times, and help reduce anxiety and improve quality of work outcomes.
- Facilitate ability to socialize with colleagues. Exaggerated focus on tasks will hurt creativity and collaboration. Make sure people meet regularly on your videoconferencing platform to discuss things, including the weather, that new Netflix show and the soccer match from last Saturday. If the social glue evaporates collaboration will be hurt, and so will security performance. If possible, arrange actual face-to-face social meetings now and then, such as a walk in the park (with sufficient distance) or eating at a restaurant (using every other chair).
- Keep an eye on health and safety issues, even when people are working from home. Update HSE risk assessments, provide solutions for unhealthy situations. Ergonomics, noise, air quality: those are still important even if people are not in the office.
- Keep track of the threat landscape for your organization and understand how this affects your employees, how the risks relate to the different roles. This way you can provide the support people need to focus on getting the job done, together. You should be a role model and promote awareness training and updates that relate to how the threat landscape changes.
If you are a leader, you should be able to get support from your security team on what the current threats are, and the messages and cybersecurity trainings to promote. Remember that when we are pushing digitalization quickly in an exceptional situation as the COVID-19 pandemic is, challenges in providing support are bigger than usual. Cybehave provides both threat intelligence and e-learning for security awareness that can help.