2020 was a wake-up call for more than healthcare pandemic preparedness. It also exposed serious security and privacy vulnerabilities in remote work, which cybercrooks exploited thousands of times throughout the year. And it is not only work-from-home (WFH) employees who have been affected, but also mobile workers, contracted workers and supply chain workers, all of whom have largely flown under the radar of CISOs and information security departments for the past two to three decades. Will cybersecurity and privacy professionals heed the lessons of this awakening?
If organizations addressed at least the following three issues, they would dramatically reduce their cybersecurity threats and vulnerabilities, reduce privacy breaches and information security incidents, improve compliance with their legal obligations, reduce successful cybercrime attempts, and improve employee awareness (which also raises employee satisfaction). They would also be viewed as more trustworthy organizations, ones where employees want to work and stay, because privacy and cybersecurity for employees are as high a priority as cybersecurity and privacy compliance is for the organization.
1. Training must be more frequent and go beyond covering phishing and passwords
Over the past 5-10 years, privacy and information security training vendors have narrowed their focus largely to phishing awareness and password security. Phishing and passwords are certainly important and should be covered with effective training, but there are many additional areas that all employees need to be aware of. Not only do more topics need to be covered, but organizations also need to provide more than a single general privacy and security training offering for all employees. That general training is important and must be provided, but it is not sufficient on its own.
Organizations must also provide privacy training, along with the associated security training, to work teams whose responsibilities require specific and unique activities to be in place to provide sufficient privacy protections. For example:
- Call center and help desk staff need training on how to apply identity verification procedures and how to recognize social engineering attempts by callers.
- Marketing and sales staff need training on what is and is not allowed with regard to using customer data during sales activities, and on how to secure the personal data they collect during those activities.
- Executives need training on how to spot spear phishing attempts and how to protect the computing devices and associated data they carry with them while working remotely or traveling. I've found over the past three decades that executive training is typically most effective when given in person (including during online virtual face-to-face meetings), so you can answer the inevitable questions they will have, and when delivered frequently in short timeframes (e.g., 15-20 minutes).
- And so on for every other business team, department, etc., that exists within the organization doing the training planning.
Many different types of privacy and security training, delivered to many different target audiences, need to occur on an ongoing basis to make training more effective at stemming insider threats and at improving overall security protections.
2. Vendor/third-party security and privacy oversight must be improved
Most organizations still have a one-time, before-contracting, checklist mentality when it comes to vendor/third-party and supply chain security and privacy management and oversight. 2020 has demonstrated that organizations cannot just tootle along with the same old status quo vendor oversight practices. Due diligence, incorporating assessments and research, needs to occur before engaging vendors and other types of third parties, and further steps need to be taken on an ongoing basis for as long as you have a relationship with each third party.
Organizations need to set up regular meetings with each third party to cover what's new: whether the third party has new systems or applications, has experienced organizational changes such as acquisitions or divestitures, or has moved to remote working staff who used to perform activities within its business facilities, including activities performed on your organization's behalf. These meetings provide insight into where new risks to the personal data you've entrusted to each third party might come from.
For example, if a third party has laid off staff, ask its representative whether any of those staff had access to the data it stored, collected, processed, etc. for you. If the answer is yes, go deeper: ask what was done during offboarding to ensure the ex-employees no longer have access to your organization's data or systems. If a vendor's employees are now working from home offices, ask about the security and privacy controls they are using, and how the vendor is ensuring that no unauthorized access to your organization's data, applications, and systems is occurring from those home offices, where others (family, friends, roommates, etc.) share the living space. Your follow-up questions will depend upon the answers they give you.
3. Remote working requirements must be updated to address the realities of today's employees
Many organizations are still using exactly the same remote and mobile working security and privacy policies today as they were in December 2019. Many more still have no documented remote and mobile working security and privacy policies and procedures customized to their own organization's unique business environment. And far too many flawed assumptions are being made about remote workers (employees and contractors). Consider just a few questions:
- Think your organization doesn't have to worry about the security implications of 5G because you've not implemented it? If your remote workers connect over it, then part of your business systems environment now runs over it.
- Think that IoT is not an issue to address in your organization? If you have remote workers, I'd bet a bundle that you have a large number of IoT devices within their home wireless networks, and/or in their work area vicinities, that are now incorporated by default into your business systems, where they are bringing threats into your organization and creating vulnerabilities of which you are not aware.
- Believe that you have no AI use to worry about? Think again if your remote workers have apps on their computing devices that connect to cloud services using AI, and/or have IoT devices that incorporate AI within their functions.
I'm currently finishing my twentieth published book, "Security & Privacy When Working from Home and Travelling," which will be released by CRC Press in a few months. The privacy and security issues I researched and wrote about fill 750+ pages of small-font, single-spaced lines in my rough draft! I'm cutting and condensing now. But when the issues are looked at closely, many organizations will be astonished at how many new risks they now must address.
Three actions will dramatically improve security and privacy
If each organization makes these three actions a priority in the coming weeks, it will substantially reduce its security and privacy risks, particularly for its remote and work-from-home employees, and as a result it will also reduce its privacy breaches and security incidents.
This will be a great beginning, but organizations must not stop here; they've only just begun. Organizations should then identify the additional actions to take to further improve the maturity of their information security and privacy management program. Privacy and information security management are not destinations; they are ongoing processes that must be followed for as long as business activities occur.