The rush to leverage technology at the start of the pandemic has meant many businesses may not be as shielded from cyber-risks as they should be. One in ten organisations have experienced a cybersecurity incident as a result of increased technology usage to support remote employees. Unfortunately, employees are a consistent weak link in any cybersecurity programme.
The problem is exacerbated when employees work from home: without colleagues to turn to, and potentially feeling stressed, working longer hours or suffering from a host of everyday distractions, it’s easy to make a mistake. It’s therefore critical that employers do all they can to mitigate this risk.
Our research shows that while 28% are investing in new security solutions, almost a third (31%) are proactively communicating the risks to staff. Some 17% are implementing new policies around the use of work technology and 19% are providing additional employee training.
Anne-Laure Périès, partner at Capstan Avocats, Ius Laboris’s French firm, agrees companies have, so far, been slow off the mark to implement training and education or put in place formal policies for employees working from home. However, with the realisation that remote working is here to stay comes the need for formal cybersecurity education and training. “We are now at the beginning of the process,” says Périès. “Now this question is on the agenda, as people realise working from home is going to be permanent and they do have to address the security issues.”
Caroline Smith, deputy general counsel, international, at background screening company HireRight, says: “There have, of course, been many other priorities which human resources has had to deal with, but nevertheless risk should be up there alongside culture, health and wellbeing. If you’re not sure who out there might be gaining access to critical business data, that should set alarm bells ringing,” she warns.
So how best can organisations support employees to ensure good cybersecurity and mitigate the risks posed by increased remote working? Dr Lee Hadlington, senior lecturer in cyberpsychology at Nottingham Trent University in the UK, says that too often the potential consequences of not following the rules surrounding information security are couched in ways that make employees defensive.
These could be negative consequences and threats associated with non-compliance. “An alternative approach is to explain why following the rules is important and making sure it’s done in a way employees can understand and relate to, such as explaining you want to make sure the company is safe, not create unnecessary work for their colleagues and keep customer data safe,” he says.
Kristofer Karsten, head of HR, UK, Ireland, and Europe, at software vendor Ceridian, concludes: “HR is an organisation’s behavioural science unit that knows how to encourage best practice. They’re an important weapon in any arsenal and should be used as such.”
At the start of the year, cloud contact centre firm Content Guru was a predominantly office-based business. With around 300 staff members across five countries – the UK, United States, Germany, Netherlands and Japan – all but one employee worked on the premises. But by January, it had become clear the COVID-19 pandemic would soon mean organisations everywhere would be forced into remote working.
By then, the company had already begun to implement a remote-working strategy. Content Guru saw that widespread remote work would pose several specific risks to the company, particularly regarding information security. In physical terms, people working from properties that Content Guru was not responsible for meant there was the risk of stolen or compromised equipment. There was also a digital security risk in the quality of connection to the corporate network that staff would be accessing.
Remote working also posed a risk to confidentiality and compliance, as staff had to be both much more vigilant when sending and receiving emails, and aware of the possibility of phone conversations with colleagues being overheard by people outside the organisation. “I was conscious you have to instil the need to be vigilant because people can have an inflated sense of safety in their own home. But I was equally aware that information security awareness should not scare or be burdensome on the team,” says Andi Janes, chief people officer at Content Guru. “We issued clear guidance and policies for our colleagues on what was considered secure, making sure it didn’t place unreasonable expectations on anyone that would stop them doing their job effectively and efficiently.”
The human resources department pulled together a comprehensive document for staff that covered all policies and guidance for working from home, both in terms of security and wellbeing. While the company needed its staff to remain vigilant, it acknowledged the need to strike a fine balance between drawing employees’ attention to the risks of working from home and not overly frightening them about the possibility of making mistakes. Content Guru needed the team to still feel empowered to do their jobs.