Is it too early for lessons learned or are we still learning lessons?
I think we’ve learned that we can secure our remote workforces and, at the same time, they can continue to be productive. As for myself, I now have a much clearer picture of where my organization’s cyber weaknesses are, and I have started planning for the future workforce. What might that be? I’m not sure anyone has that answer, but I do know you need to plan for any and everything.
For every person who says remote working has been a success I hear another person say they can’t wait to get back in the office environment. Too many distractions at home or too much isolation are just some of the reasons. This will be a challenge for our leadership teams to address.
It all comes down to being flexible and changing your culture. Organizations cringe sometimes when they hear those terms. You might hear it as “transformation” or “process improvement,” but they all mean the same thing. I like to use the term continuous improvement.
Just think about the threat actors and how quickly and easily they adapt to change. I was reviewing some malware code the other day and identified that the malware was originally detected back in 2017 and had been modified 17 times to circumvent security systems. Talk about change! But, hey, at least now we have the security systems that detect/block/monitor the malware; we’ve just had to change our processes a little and be just a little more diligent.
Change can be difficult, but it doesn’t have to be
One of the biggest changes I’ve been a part of was replacing USB/flash drives. At a prior job, almost everyone in our organization was using them. They are very inexpensive, can hold a lot of data and can be used to easily transfer files. We had legal teams using them as well as loan officers, IT staff, accounting, etc.
Then along came data privacy concerns and then the ransomware/malware attacks that were spread through the use of these devices. Whole networks/companies shut down because someone attached a malware-infected device to a corporate computer.
But the transition was hard. You can explain the threats and risks all day long and even come up with viable, more secure alternatives, but there will always be some people who just don’t want to change. But it’s not a knock against them; it’s just human nature for some.
How do you handle this group? I had an old boss tell me, “you love ’em, hug ’em, squeeze ’em.” Start by getting buy-in from the executive team. They have to understand the risks you’re trying to address and then you come up with the solution that is going to mitigate the risks or improve the process. And then you train, train, train.
As we continue to fight this Coronavirus battle, start looking at ways to be more efficient and more secure. If printing documents at home is a risk to the organization, then find a solution and address it with management. If not using two-factor authentication is a risk to your organization, find a solution and address it with management.
If your third-party service provider is not incorporating good cyber hygiene in protecting your data, address it with them; if you are not satisfied with the response, address it with management. Third-party service providers, above all others, should be constantly looking for ways to make their products and/or services more secure and efficient.