The pandemic has upended the way we work, collaborate and do business - this is unprecedented disruption. It's easy for good cyber security posture to slip when you're distracted and under pressure.
As Kordia’s Chief Information Security Officer (CISO), I know first-hand that it can be an intensive task to communicate the importance of good cyber security while we’re in the office, behind the safety of the corporate firewall and reinforced by the watchful IT department. But it’s much more challenging to make sure those good habits are brought into our employees’ living rooms, spare bedrooms and other makeshift home offices, as our staff work from home.
If you don’t have a CISO in your organisation, or you’re looking for a checklist of things to implement, here are some of the key things I’ve been working on to maintain the right level of protection around our business.
1. Adapting the rules
Just because our teams are working from home doesn’t mean the old cyber security rules are redundant. If you have a robust security policy, there’s no need to reinvent the wheel. Just make sure you remind staff to keep security top of mind through ongoing communications and to adapt their usual cyber security practices to the home environment. Everyone should follow the same protocol – not clicking on links, staying away from non-work-related websites, and using secure and unique passwords are some examples. There are simple tweaks you can encourage your employees to make so that the home environment is more secure – my colleague at Aura, Peter Bailey, has written an excellent article on this which you can read here.
2. Alert your staff to COVID-19 themed scams
Unscrupulous cyber criminals haven’t let the pandemic stop them. There have been increased reports of COVID-19 themed phishing attacks, and fake maps are being laced with malware. It’s important to make sure your employees are aware of these scams and remain vigilant about any emails purporting to be from the health authorities or Government. I’ve shared an alert with all Kordia staff on how to spot these scams, and you can develop a similar advisory using the CERT NZ guidance as a starting point.
3. Put cyber security on the agenda for the governance team
As CISO, it’s my job to make sure our information security matches the objectives of our business. That’s why it’s important for me to maintain the respect and trust of our Board of Directors. I’ve worked closely with both our board and our executive team to identify and plan for security risks that have appeared or intensified due to the COVID-19 workplace disruption. Having ‘buy-in’ from the board and being able to manage their expectations during this time makes my job of promoting security a lot easier.
4. Embedding security in new roll-outs
Some businesses have had to shift rapidly into the cloud or deploy video conferencing tools at breakneck speed due to the rapid pandemic developments in our country. If you have had to move quickly to roll out new technology, it’s important to make sure people know how to use these tools safely and securely. Not only that, your colleagues need to be wary of the security concerns of other technology being used by your partners and customers. For example, many companies have shifted meetings and events to Zoom over the past few weeks – so even though we don’t use this tool at Kordia, I’ve made sure our staff are aware of good security etiquette when attending externally hosted meetings via Zoom. I recommend working closely with your IT department to support them in embedding security as well as possible throughout the roll-out. Also, if you are making security exceptions for this special environment, it’s important to work out now how you will roll them back once we return to working in the office.
5. Maintain visibility remotely
Maintaining two-way communication and trust with staff is one of my top priorities. I don’t want the distance from their colleagues to discourage staff from reporting threats. I’ve always been a passionate communicator of digital culture ideas – and working in Christchurch, away from our biggest offices in Auckland and Australia, I’ve had plenty of practice sharing thought leadership and security information from afar. Even though I can’t be there in person, I’m using a range of different communication channels to stay connected to my organisation and peers. Be creative, warm and open when you share information – it can be difficult to get the right tone across on email alone, especially when dealing with serious topics like security. To make the CISO function more human at Kordia, I’m sharing tips using videos, making regular cyber security updates via an email newsletter and posting articles and notices to our intranet. Externally, I am using my LinkedIn page to connect with other CISOs and business leaders facing the same challenges, so we can share our experiences and expertise to solve industry-wide issues together.