When states began issuing stay-at-home orders in March 2020, the number of employees working from home (WFH) surged from 9% to 77% in a matter of weeks, a transition that more than half of the firms surveyed by Iometrics and Global Workplace Analytics acknowledge they were unprepared to make. Recognizing an opportunity to exploit the crisis, cyber criminals quickly launched a massive spam and phishing campaign. Between the second and third weeks of March, email scams and phishing attacks spiked by an unprecedented 436% and breaches increased by 175% over the year before.
Yet, despite the chaos and confusion that followed, some firms have adapted to the new normal better than others, quickly establishing work from home operations that have proven to be both secure and productive. The reasons for their success, and the lessons they hold for less-prepared organizations, are the subject of a new SANS Institute white paper sponsored by BlackBerry, Making and Keeping Work at Home Operations Safe and Productive.
This white paper explores themes ranging from how the bad guys are re-purposing their phishing attack templates, to the communication skills security professionals will need to master if they hope to instill safe computing practices among newly-remote employees.
The paper begins by outlining how inflection points in computing often present opportunities to raise the security bar with little or no impact on security budgets. This is only possible, however, if security teams possess the skills and focus needed to move up the secure work-at-home maturity model by increasing the strength of user authentication, the rigor of privilege management, the focus on application security, and the frequency of software updates and critical backups.
As important as they are, none of these upgrades will produce a safe and productive WFH operating environment if employees find them so onerous and intrusive that they feel compelled to find workarounds. Password policies, for example, can be undermined by workers who chafe at requirements to regularly update their passwords, or who reuse the same passwords for their business and personal accounts, a practice reported by 51% of the employees responding to a Ponemon Institute survey. Behaviors like these are particularly problematic when workers are using their personally-owned (BYO) devices at home to access business networks and resources.
SANS Director of Security Awareness Lance Spitzner suggests that resistance to practicing good security hygiene is often rooted in the ways that security policies and procedures are communicated to employees. Instead of focusing on the technical aspects of threat management, as security professionals are wont to do, he suggests utilizing the “Golden Circle” approach popularized by Simon Sinek in his book, Start With Why. He also describes how the institute responded to the shutdown and provides links to several essential books on security culture that have influenced the institute’s approach to security training.
The Making and Keeping Work at Home Operations Safe and Productive white paper concludes with a case study on Virginia Tech, which examines the rapid response to the shutdown spearheaded by CISO Randy Marchany to support the university’s 33,000 students and 8,500 faculty and staff. Among other milestones, the white paper describes how he and his team converted roughly 4,500 university classes to a 100% online format by March 22, a scant week after the security office went remote and entered reduced operations mode due to COVID-19.
No matter what tier your organization occupies on the secure work-at-home maturity model, you won’t want to miss this essential SANS Institute white paper. Click here to download a copy.