The COVID-19 work-from-home reality has created a buffet of cybersecurity vulnerabilities -- and hackers are moving in for the feast.
Now, more than ever, is the time for business managers and executives to come together and truly lead. In the context of information security -- and specifically remote work security -- that means as an HR leader, you need to partner with IT and other business leaders to ramp up information security policies, practices and communications. Hackers have already taken this vulnerable time to create more phishing scams, target vulnerabilities and carry out 'Zoombombings.'
Here are five ways you can help boost remote work security.
1. Understand why HR must be an information security partner.
In over three decades of working in IT, one of the security missteps I see is organizations' HR teams not being involved in IT and security oversight. Technical professionals will often make others think that they have everything under control, including the human side of their efforts. But they need outside help, especially for establishing buy-in among users, setting expectations and properly communicating the messages. IT and security professionals must establish an open dialogue with management outside of their departments, including HR, in order to make this work. Unless and until a functional and cohesive committee is responsible for the human factors that contribute to information risks, security gaps will remain.
As an HR leader, it's your responsibility to help make this happen. You not only need a seat at the security table, but also a voice among your peers to ensure that the people side of remote work security is properly addressed. Without it, security is nothing more than an indefensible façade -- a risk that the business can't afford to take on. With the coronavirus work-from-home reality wreaking havoc on information security, your involvement in security is more important than ever.
2. Reach out to information security stakeholders now.
Given the cybersecurity risks associated with remote workers, HR, IT and security teams have some of the most important jobs as the coronavirus outbreak disrupts business as it was. Some organizations have strong connections between HR and information security, but others have struggled to get information security initiatives off the ground. It's critical to address those issues now.
The right people must come together now -- and do so very quickly -- to document, implement and enforce policies and procedures affecting mobile computing and a remote workforce. As an HR leader, that means you need to partner with stakeholders at the highest levels of IT and security oversight such as the CIO, CISO or CTO. If your business doesn't have those roles, then work with managers or director-level staff in charge of IT and security. Wherever information security rules are made and enforced, your team should be involved.
That means you need to meet with members of your existing IT governance or security oversight committee and discuss the current status of remote work, specifically the operational side as it relates to setting user expectations and controlling user behaviors, as well as awareness and training initiatives.
3. Review information security policies.
Work closely with top leadership and your security oversight team. Review existing policies and guidance contained in your employee handbook and elsewhere as they relate to acceptable computer usage, remote access and related areas impacting your mobile workforce. If such documentation does not exist, is unclear or hasn't been properly communicated to staff, determine the appropriate ways to edit these documents and get these messages out now and periodically for the foreseeable future.
4. Review remote work information security awareness.
In terms of remote work security awareness: What is the organization doing well? Where are the security gaps? What should you be doing more of? Less of? What value can you add from an HR perspective in terms of security oversight?
5. Revamp training materials for the COVID-19 outbreak.
Develop security awareness and training content that contains both creative and inspiring messages. Now is not the time to execute the same old boring internal phishing campaigns and subsequent shaming. The focus should be on education right now, not testing. As an HR leader, you can add an employee-friendly spin to these content campaigns. Your involvement in online training sessions and periodic messages about security sent via email lends credence to the overall message and helps ensure user buy-in. You could also include these messages in your HR-specific communications with employees. The important thing is that these messages are pushed out consistently over time to keep security at the top of everyone's mind.