One of the headlines in this morning’s newspaper, “local school district shuts down in person teaching and returns to online instruction only”.
As a former Chief Information Officer, this type of the scenario sends chills up my spine. It’s difficult enough to secure a network and networking environments for on-site instruction, but a whole new can of worms when securing networks for virtual instruction. This shift to remote work in the face of the COVID-19 pandemic has changed viewpoints of security and cybersecurity significantly. The best equipment, the best software, the best IT department, the best of everything may still not be enough to prevent significant cybersecurity breaches in the face of working remotely. WHY? Simply this, the weakest link in any cybersecurity chain involves the human factor. Those individuals working remotely must be significantly trained in cybersecurity hygiene and not just those working within the IT department.
A report posted on the Ponemon Institute’s website used the term “accidental insiders”. They were referring to employees who unwittingly create issues and inflict harm by not practicing proper cyber hygiene such as clicking on malicious links, violating policies and procedures are simply being careless. The report goes on to indicate that the cost of “accidental insiders” is approaching $5 million.
COVID-19 has changed the way we work … probably forever. Fortune 100 companies has shifted to teleworking for all employees to address this pandemic and many have indicated they won’t return to the office. In a recent Gallup poll, over 50% of the American workforce indicates that they have participated in some form of teleworking since the pandemic began. The same poll indicates that over half of those new teleworkers will probably not return to an office in the near future.
This will change how IT professionals secure the workforce. Those types of changes usually require significant planning time, pilot and beta testing, lessons learned and changing of process and other time-consuming efforts; but, we didn’t have time for this. IT Executive Leadership had to make spot decisions quickly to accommodate the pandemic. Many learned that their IT workforce wasn’t prepared. They lacked the appropriate expertise, budget wasn’t available or planned for and that governance was breaking down.
Many of my customers provided VPN access for select employees needing that access but had to make the decision to open VPN access for all employees to accommodate the teleworking environment. Without the proper time to plan and test, most learned that the infrastructure to manage the VPN connectivity lacked the accommodations to manage the volume of connections required to support teleworking. Snap decisions to expand VPN connectivity were made and unfortunately security wasn’t a priority in implementing the VPN connectivity and tunnels required. The “need for speed” pressed IT officials in relaxing security to improve performance.
Even when VPN connectivity was established to adequately provide service, the reality that home networks just weren’t designed to accommodate the requirements of the teleworking individual. Videoconferencing presented bandwidth challenges that just were not anticipated. On top of that, VPN requirements overwhelmed those simple home networks. One of my customers realized that teachers did not have adequate computers to work remotely and had to issue emergency purchases to provide the needed infrastructure for teleworking. This took time and in the interim, many employees at home utilized personal devices without proper policies, virus protection, malware prevention and other protocols put into place to prevent breaches and cybersecurity. This created additional support issues that literally overwhelmed IT departments and helpdesk staff. This is not a pretty picture and currently one that is still prevalent even after six months.
There was still an issue of “securing the human” that is demonstrating significant difficulty in overcoming. We just didn’t take cybersecurity training that serious before the pandemic. Staff received initial training with little follow-up mainly to satisfy compliancy issues rather than modification of performance behaviors. We scrambled to put together impromptu training programs but who was concerned about security when they were trying to survive and convert their day-to-day processes into teleworking processes. Especially school districts with teachers just now learning how to conduct classes using videoconferencing and other tools. Security is just not a priority at this point; survival is.
So impromptu training programs were initiated, employees went through the training quickly while they were trying to accommodate teleworking and videoconferencing but the “accidental insiders” were still creating issues leading to breaches in security that in many cases were difficult to overcome. Security and cybersecurity is not something done in an IT vacuum. The culture of proper cybersecurity hygiene is essential for all employees. Everyone must make cybersecurity practices a core competency of the work environment. This has to happen from the top (C-suite or Superintendent) all the way through the organizational chain even to the bottom. When a potential breach in security occurs, it cannot be swept under the rug and must be reported for proper security incident response. This requires training. This requires scenarios. This requires consistent education in order to be successful. Employees can no longer just hope that IT will take care of security problems.
To be successful, cybersecurity training must occur regularly, the ongoing, be assessed for success in modified to accommodate inconsistencies. Okay so what kind of training is needed? There should be four (4) topics of ongoing cybersecurity training available for all employees and all employees should participate in the training and demonstrate proficiency.
Those areas are:
- How to identify potential cybersecurity attacks through suspicious emails, phishing, malicious websites and chat/text messaging. In addition, since we are now working remotely, everyone using the network at home from spouses to children two roommates should also be subjected to some type of cybersecurity training.
- Multifactor authentication (MFA) should be introduced for all teleworking environments and enforced. This process combines something that the user knows such as a password with something that the user has such as a fingerprint or a security token (code sent through text messaging).
- Password selection should be emphasized requiring complex passwords or password management.
- Techniques of securing home networks by implementing security applications (firewalls) to protect those home networks and devices from attacks.
The bottom line is that cybersecurity presented challenges before COVID-19 and those challenges have only escalated. Cybersecurity hygiene is EVERYONE’s responsibility and job; not just the IT department and staff. Non-technology personnel must step up to the plate to help reduce the risk; but it’s going to be the employer’s responsibility to ensure that everyone is properly trained.