Imagine the following.
Imagine that all of sudden, a situation you were used to, changed without you having any control over it. The way you work, the way you interact with colleagues and peers, everything. It would make you a little anxious and stressed right? Now what if you also did not know when you could get back to your old routine, how would that make you feel?
Well that’s what a lot of people are facing right now.
We’ve been thrust into working from home / remote only modes. We need an office or working space, for some they need to be full-time at home parents and teachers, with a need to constantly be switched on. Oh and we’ve got to carry on working and being productive whilst surrounded by all this uncertainty.
The effects of working remotely
For most IT and InfoSec folk working from home or remotely isn’t a big adjustment. However, what if you’re not tech savvy, what if you’re not used to working from home, what if your environment doesn’t make it easy to do. You may not even have a space where you can lay out your temporary office each day to do any work, without children, partners, housemates distracting you. That’s got to be stressful, that’s got to make you a little anxious.
Phishing Simulations – Good or Bad ?
Now imagine that you’re all set up and managed to get things going and are slowly adapting to your new routine. You start a routine of video conferencing colleagues, you get work done by adapting to your new lifestyle, and finally feel that you’ve established a routine and can have some certainty in what you are doing. Then you notice an email that’s asking you to log into your personal HR page to sign up for COVID-19 working from home benefits. It’s not unusual, since starting this new mode of working from home, you have received many emails from your company about your new arrangement from what software to use, to how to ensure you stay healthy and motivated. So, another email from your company doesn’t seem out of the ordinary, so you go ahead and click on it.
You soon realise that it’s a phishing simulation from your security team, you see a video telling you what you’ve done wrong and what signs to look out for next time.
How do you feel right now? What do you think about your company sending this when you have so much to tackle?
I know how I’d feel “Grrrr” and that’s putting it lightly. I asked a few of my non-tech friends how they’d feel and they, well lets just say a few expletives were uttered.
Here’s my professional opinion – I don’t think that security departments should be running any phishing simulations right now.
Why?
One word…..trust.
Trust is still hard to build in many an organisation and the “department of no” image still lingers for many security departments. However, right now, no security department can afford to lose the trust they have built with their organisation. Whether you’ve been fortunate to be on the right path to building it or start off on the wrong foot if you’re seeking to build it.
3 easy steps to build trust and avoid data breaches
Instead, step back and look at the current situation for people.
- Use messaging to let people know what to look out for and how to report it. This needs to be as easy as possible, and you should be supportive in your approach. If it’s not, you need to adapt your processes now.
- Engage with staff to find out how you can make things easier for them to work from home. Start listening and stop broadcasting, don’t tell employees they can’t use a video conferencing or file transfer software if that is what they have to use because of partners or external suppliers. Start a dialogue but listen first. Don’t assume, find out what the reality is. If staff are saying they need to use this software or process, understand why and then respond.
- Deliver on the feedback. There is nothing worse than saying you will listen and then not responding to what you have heard. If your staff are telling you this process or software which was perfect in the office environment doesn’t work in the home environment, then respond with a solution not with more of the same.
Think outside of your InfoSec bubble. Think of security culture.
We talk about empathy, well now is the time to show it. Now more than ever you will engage with staff, who may never have had to deal with the information security teams before, on a regular basis, so make sure you leave the impression that you are the enabling department.
The investment you put in now will return in multiples down the line.