A New Workplace

As the COVID-19 pandemic emerged, more than three quarters of business leaders worldwide developed plans for remote work. Gartner now projects that 48% of employees will continue to work remotely in the post-COVID-19 world. This means that in terms of security awareness, the remote worker has become indispensable. We need to learn to reach people wherever they work, be it an office, a hotel, or at home. The truth is that many tools of the security awareness trade no longer work. We can't do displays in the lobbies of buildings. We can't put up posters. So what can we do?

Reinventing Tools

Maybe we can't put up posters, but how about desktops? How about backgrounds for video calls, or login screens for company computers? Posters help us use physical space. As security awareness practitioners, we should start thinking about how to fill virtual spaces with security messages.

Security And Team Building

For many employees, security is just another box to check. It doesn't have to be that way. A better approach blends security with team building. Managers are always looking for materials to use for team building. This is an opportunity for security awareness practitioners to step up and offer fun, accessible team building materials with a security theme. This can be as simple as building security-focused team building quizzes on apps like Kahoot. It could be more complicated, involving a full quiz or a digital escape room. The work you put into preparing these options will pay off when managers come looking.

Workers at Home

How do we engage remote workers with security messages? Aren't they too busy trying to help the kids connect to online school and helping their loved ones connect on Skype? Actually, this time of learning may be the opportunity you need. The fact is, security that is good for adults is good for the whole family.
This is a time to engage with remote workers by showing them how to apply principles of security that matter at work and at home. Employers often struggle to explain the danger of an information leak. Our mission is to help employees understand that the situation is not so different from goofy or inappropriate photos posted online that can be there forever. If employees are securing online communication tools for keeping in touch with family, we should help them understand that the same security principles apply for their work devices. There's no better way to learn than to teach. We have an opportunity to empower employees to help their loved ones stay safe online.

Travelling Safe
Why worry about travel safety? Different travelers have different levels of risk tolerance. Some people just trust good karma to keep them safe. But if you're like me, you probably want to be a little more prepared than that! Travel safety is about taking steps to avoid problems in the first place. When travelling, you may not understand how everything works. There may be legal or social differences from the way things are at home. The point of travel security is to avoid problems before they happen. The good news is that you can take five important steps to make your travels more secure before you even get to the airport.

Choose your Hotel Floor

When you book a hotel room, it's tempting to ask to be high up in the clouds so you can enjoy an amazing view of a new area. But did you know the safest rooms, experts say, are between the 2nd floor and the 6th floor? Don't book a room on the ground floor, where the lobby is located. The lobby is where disturbances, including terrorist activity, are most likely to occur. Being one floor up helps to mitigate that danger. Experts recommend not being any higher than the sixth floor. The reason? In case of a fire, even extra-long ladders only reach about six floors up most buildings.

Smoke Hood

One of the most common risks you may face while travelling is fire. And the reality is that in a fire situation, the real killer isn't the fire itself, it's smoke. Fortunately, there's a simple, practical solution. It's called a smoke hood. These are disposable hoods that can be tucked in a pocket or travelling bag and opened up in emergency situations. The smoke hood will allow you to breathe smoke for a fixed amount of time, giving you a window to get to safety, or for emergency crews to arrive.

Flashlight

The last tool a safe traveler needs is a flashlight. A blackout can leave you in the dark. Smoke can also obscure your vision. In a dark or smoky environment, it is easy to get disoriented.
That is why a powerful LED flashlight is a good tool for a safe traveler. Plus, as a bonus, a flashlight can also be used to disorient attackers in an emergency situation.

Door Jamb

Once you get into your room, you're secure. Or are you? Others may have the key to your door. That's why the door jamb is such a handy security device. It's a jamb that slips under the door to wedge it shut. For an extra layer of security, consider an electronic door jamb that will hold your door shut and sound an alarm if someone tries to push it open while you are in the room. The alarm will be enough to deter many would-be intruders.

Reduce the Flash Factor

So far we've seen four things to do. The last tip is about something not to do. The best way to stay secure is not to be a target. Do you wear a lot of jewelry? Consider traveling without jewelry, or tucking visible jewelry inside your clothes. You have a brand new iPhone? Consider keeping it out of sight while in public places. If you're carrying a lot of cash, don't pull out a wad of bills. Just take out what you think you will need. A little bit of security can go a long way, and these five tips will make you a more confident and safer traveler.

What do we actually do in Security?

When you provide the absolute best security to a client, what is the result? What changes for that client? The answer is: nothing. Think about it. Security stops bad things from happening. When we as security practitioners do the best job possible, there's no result to point to. Maybe that is why those who value security the most are those who didn't follow security rules - and got burned. The fact that when security works, nothing happens, is a problem. Management doesn't always know what we do. Even worse, employees often don't understand what we're asking them to do.

Five Security Areas

That's where the concept of five areas of security comes in handy.
Vigitrust came up with the five pillar approach, and while my own approach is somewhat different, I want to give credit where credit is due. It's a great, simple way of explaining what security is about. The five areas of security are:
Some people have more or less wordy ways of expressing those five areas, but these are the key areas. So let's go through them now.

People

People are our most important asset, so it's appropriate that they be first on the list. For most employees, their first brush will be with people security. They'll be screened (even if it's a simple reference check) to see if they would make a good employee. And if there are ever any concerns about an employee's behavior - well, that's people security too.

IT

If you've worked in Security for a long time, you might remember the pre-computer days. Back in those days, it was all about files and briefcases. Computers changed the world. Today, IT security is probably our most important tool. Key business records are now stored digitally. That makes IT systems a constant target. Usually a phishing message will open up a way into those systems. The result can be theft, fraud or ransomware. Phishing and IT fraud are always evolving. You need to train employees in security critical thinking: the art and science of making smart security decisions.

Space

Everyone works somewhere. Your workspace may be your home. It may be an office. It may be one hotel after another. Wherever you work, there are going to be security considerations. You can think of security in a traditional office using the nesting doll idea. The biggest doll (the one the others fit into) is the least secure. We add more layers of security with every doll. The doll at the center is thus the most secure. When building an office space, it's best to add security as part of the design. That could mean hardening the exterior of the building, or it might be as simple as hiring someone to work at a front desk. If employees are working from home, they will have to help add layers of security. Do they have sensitive files? Then maybe they need a secure container. Is the desk right next to a window? Maybe they need a privacy screen for their laptops.
One good way to do this is to create a security checklist for different environments.

Information

You might be wondering why information isn't part of IT. For one thing, information isn't always IT related. Prototypes can contain sensitive information. Conversations between employees can contain sensitive information. So can documents, spreadsheets, project plans, text messages, video calls and phone calls. Human beings are natural information sharers: we're social beings. That's why it's so important to set boundaries on what we can share and what we can't. The tool I recommend is the Traffic Light Protocol (TLP). It's a tool to help employees understand when it is and isn't OK to share information. In order, the levels are:
Emergencies

Standard security rules prevent things from going wrong. What happens when they go wrong anyway? Security in an emergency is about two things. First, it's getting your employees through the emergency. In the case of a fire in a building, that means having a clear command structure and an evacuation plan. In the case of a corporate hack, that means having an IT Security lead ready to spring into action. The second aspect of emergency security comes into play after employees have been helped. At that point you have to get your business through the emergency and keep things going as much as possible. This is often called Business Continuity Planning. A business continuity plan details exactly what you need to do to keep your business functioning. It also tells you how long processes and employees can be offline before business is impacted. I like to think of the first part of Emergency planning as getting employees out of the building with the fire in it. The second part is about getting them back to work, somewhere else.

How the Five Areas Can Help

So what's the benefit of thinking of security in these five areas? I actually think it can help in three important ways.

It's simple

There's a lot going on in security. The five areas show clients and employees that following security rules is easy.

It builds the security team

In a big security team, the IT shop may not realize how crucial the security of space shop is. (Hint: your servers are in a workspace.) Understanding the five areas can help security practitioners work better with their coworkers.

It shows that you can win

Learning about threats can be scary and overwhelming. Breaking security into five simple areas shows that we can achieve security at work - and it's not even that hard.

How should we create policies for the COVID-19 era?

One danger is security policies that are reactive, which can cause problems as well as solve them. I dig into the dangers here for IFSEC Global.
Author: Hugh Hunter is a writer and communicator.