We just adopted a rescue puppy. He is the sweetest, most beautiful Mountain Cur Hound with a gorgeous brindle coat, and we named him Henry. We fell in love at first sight. He whimpered a bit when we drove away from his foster mom, but he bonded to us within 24 hours. We had no idea whether he was housebroken (he was, but not without some early drama) and we had no idea how much training he had. Turns out, not much. So, we dutifully signed up for a back-to-back-to-back set of classes – 18 hours in all over four months – to go from “we don’t know” to a pooch that would pass the Canine Good Citizen test with flying colors. And then, we were told to shelter in place and all non-essential services in San Diego were postponed until further notice. Now what?
Most of our cybersecurity programs have modest to extensive investments in cybersecurity education for our workforce. We envision a well-trained workforce that never clicks on PhishBait and checks all the boxes when working away from the office for safeguarding sensitive information. But in the blink of an eye, we are now faced with work from home on steroids that includes many who have never had to safeguard sensitive data on their own, and we’re asking them to do it while their health and their family’s health are in jeopardy. Oh, and we cannot provide as much equipment or know-how as we would like, or that they need.
We have to act fast, and we need our new work-from-home workforce to learn a bunch of new tricks quickly. They need to protect sensitive corporate data and themselves while they navigate WiFi routers and videoconferencing tools with which they are not that familiar. And they may have to do it without as much support from HQ as they (or we) would like.
So how do we do that? Well, like Henry when we have him out for a walk, we’re not going to get their attention through all the Coronavirus distractions vying for mindshare using the same old approach of mandated training and “thou shalt nots.” With Henry, we have to take the distractions away. We get his attention by touching or eye contact, speaking softly, and making sure he knows we’re talking to him with love. For our workforce, we need to put their needs first. We need to make sure they feel safe and they feel confident that their family is safe. Then they can be more receptive to what we need them to do for us. We’re not going to get their attention when they are focused on figuring out the optimal time to go grocery shopping or are spending five hours a day shopping online for baby wipes.
We have to remember that stress is one of the key ingredients for successful scams. Scammers and con artists have relied on behavioral psychology for years because they know if they talk fast, if they create fear, and if they strike when we’re distracted with new stimuli, they have more success. As documented in a study published by the CDC, when we are under stress, we think differently. Our focus narrows, and we alter the way we assess data, often rejecting data that does not fit known patterns. When this happens, we can miss key cues that would normally alert us to a problem. Trending PhishBait and malware are designed to exploit this. The FTC reports a jump in consumer complaints related to Coronavirus targeting people’s desire to be informed, and the FBI has detailed assaults on teleconferencing and videoconferencing, going hard after tools essential to the new work-from-home paradigm.
So, the first thing we need to do is put our employees’ needs first. Help them figure out how to be safe, and how to get their basic needs met. I recommend that CISOs sit down with their Human Resources counterparts and model out the basic needs with them: food (ordering and delivery are extremely challenged in some communities); basic supplies (not just toilet paper, but cleaning and sanitizing products, healthcare and personal care, even pet supplies are all in short supply or difficult to find and order); and perhaps other needs specific to your workforce.
If they remain on your payroll, it is not likely that money is the key issue (though some two-income families may be short an income); it’s the logistics. Consider turning your HR helpdesk into a community ombudsman. Can you help your employees with information and, when you have the personnel, can you offer shopping and delivery services? Can you use your third-party relationships to your employees’ benefit? Do you run a cafeteria? If so, can your cafeteria staff develop meals to go that your team can deliver? This might be especially helpful to workers with young children who aren’t currently in school.
The second thing we need to do is take away as many decision points as we can. Hopefully you’ve been able to issue company equipment or are in the process of doing so. As you know, properly configured and continually patched and updated equipment is essential, so configure those global policies before putting the equipment in employees’ hands. The fewer complicated instructions you need them to follow, the more secure you and your network will be. And please remember to configure conferencing applications with appropriate security settings. Incidents of zoombombing are on the rise and bad actors are focused on this as an attack vector.
And finally, now that you have their attention, are helping them de-stress, and have taken as many difficult decisions out of their hands as possible, you can begin to push out to them regular updates designed to allow them to keep up on cyber safety. Avoid making your messaging too complex, and try to combine it with regular updates from your leadership to continue to manage those stress levels. Proactively talk about the company’s status, and how you are helping your customers deal with the Coronavirus crisis. Don’t let fears of layoffs or destructive rumors take hold. Provide ample time for questions and answers. Be as transparent as you can be, and provide the best information you have.
It is heartening that the same services that make the modern corporate campus so inviting can also help provide the foundation for the work-from-home workforce to feel safe and confident. Just as on-campus services provided employees with options and backstops to ease the burden when projects demand many hours over long stretches of time, so too they can now help employees keep themselves safe and help them safeguard the sensitive data they must protect for your company to continue to deliver for your customers.
And Henry? Well, while he waits for his 18 hours of treat-based training, he is currently getting six walks a day and more play time than he knows what to do with. Who’s a good dog?