News & Views
IT staff fear isolation
As remote working remains the norm and ‘lockdown fatigue’ sets in, the biggest concern IT and cybersecurity face in working from home is feelings of isolation, according to over 30% of respondents to Infosecurity Europe’s (www.infosecurityeurope.com) latest Twitter poll.
In particular, staff isolation is causing more worry than employees sharing devices with other household members (the top concern for 26.4% of respondents), reduced vigilance (24.9%), and the risk of clicking malicious links (17.7%).
“The results illustrate that the welfare of employees – and the impact ongoing remote working is having on their security behaviours – is currently top of mind. Being isolated, while juggling work and all the other competing pressures generated by the pandemic, is likely to be affecting people’s mental health,” says Nicole Mills, Exhibition Director at Infosecurity Group.
“Working at home also potentially distances staff from company security policies and the support of the IT team, making them more susceptible to letting their guard down, being overly trusting, or simply losing motivation. IT and security leaders must find ways of keeping employees engaged and firmly anchored in the company security strategy.”
Awareness training is key to sustaining connections with employees, according to Infosecurity Europe’s poll, with 39.2% of respondents believing awareness training is the best way of mitigating remote working risk. This is followed by web and email security (28.1%), endpoint protection (19%) and identity and access management (13.7%).
“I would suggest that understanding where your risks are is more important than jumping into ‘solution mode’ with endpoint protection, for example,” says Steve Wright, CISO of Privacy Culture and Former Interim DPO Bank of England.
“Organizations have not carried out a proper assessment about the whole impact of working from home, with respect to data, IT and general operations. This will differ by business operation, role and function, in addition to people’s home circumstances – such as whether they’re in a shared flat or their wifi speed. Once assessed, the necessary policies and procedures should be updated, and training and communications carried out to staff. Refresher training delivered via short videos and animation is necessary for the whole workforce. As well as easily accessible awareness training and guidance, employees need more automation and dynamic support, with messages that say, for example, ‘this looks like it’s confidential, go here to protect it’.”
Maxine Holt, Senior Research Director at Omdia, echoes the importance of addressing the human factor: “Organizations need data protection, but also to ensure that the remote working environment is as secure as it can be. Remote employees don’t have the same ‘mindset’ as they would in the office – they walk away from laptops without locking them, set easily-guessed passwords on routers, or don’t apply updates to equipment. We’ve seen IT and information security functions provide great regular hints and tips for staying secure when working from home, improving awareness and education. This can also include support for mental health, as security may well decline if an individual is suffering. There’s definitely evidence of the boundaries of responsibility between information security and HR merging – and this is for the better.”
On the other hand, Mark D. Nicholls, CISO at Chime Group, believes organizations should adapt controls to be more data-centric, starting with visibility. “We need to know what people are accessing, and what they’re doing with it. Do we truly know what’s going on with an employee’s home broadband network, and the personal devices being used to access corporate data? Our controls must also be truly device and location agnostic. It’s important to leverage cloud solutions that enable agile working along with good security controls. We mustn’t forget about basic hygiene, either – for example enabling multi-factor authentication (MFA), and ensuring employees know how to create strong passwords. It’s no longer easy to just walk down the corridor and speak to someone if there’s a security issue, so IT helpdesks should be empowered to use remote management tools where possible to fix issues.”
More than half (52%) of respondents to Infosecurity Europe’s poll believe that unsecured personal devices pose the biggest security threat within the remote working environment, followed by unsafe VPN/wifi connections (30%). Unapproved cloud apps (10.6%) and collaboration tools (7.3%) are seen as relatively low risk.
“Security threats have evolved as the pandemic has advanced. Attackers are ready to strike at the weak points that emerge as new ways of working and living continue to affect employees’ behaviours and mindsets,” comments Mills. “One particular area we all need to guard against now is the rise of ‘fearware’, as criminals seek to trick remote workers with ransomware and phishing scams, often linked to messages about COVID-19. Training undoubtedly has a major role to play here.”
The conference programme for this year’s Infosecurity Europe event (Olympia, Hammersmith, London, 8-10 June 2021) will feature a number of sessions focused on addressing how to better anticipate, detect and respond to threats. Readers can register and find out more information about Infosecurity Europe at www.infosecurityeurope.com