Nearly 60% of employees have been working in a hybrid model over the past two years, and 83% identify this as being optimal in the future
Hybrid work is here to stay. According to research by Accenture, nearly 60% of employees have been working in a hybrid model over the past two years, and 83% identify hybrid work as being optimal in the future.
Together with the transition to hybrid work, organizations need to take the right precautions and still keep the security impact of this move in mind.
Everyone—business leaders, IT teams and employees, but especially cybersecurity professionals—must be able to trust that they are not increasing the risk of security breaches and downtime by enabling hybrid work.
It is important to recognize that the relationship between the shape of a business and the shape of the technology that supports it is a two-way street.
That relationship is particularly important to highlight, as it explains some of the specific challenges that CISOs face as remote and hybrid working becomes a long-term norm. Through the disruptions of the pandemic, many CISOs and other cybersecurity professionals may have held out hope that the building blocks for a secure stance in this new reality are already in place and well-tested.
Multi-factor authentication, for example, adds a defensive layer to data protection and enabled identity verification on users’ personal devices in a way that somewhat leveled the security playing field between in-office and at-home working.
Cloud Access Security Brokers (CASB) and Identity and Access Management (IAM) frameworks were implemented to secure remote access to organizational applications and data.
Zero trust security methodologies emerged in response to rapidly diversifying network architectures and the frictions that can be created by silo and perimeter approaches. Zero trust’s more flexible, always-on approach is particularly applicable in a new reality where network administrators cannot reliably predict when or from where any given resource will be accessed.
In other words, while the pandemic certainly had a decisive impact on the shape of an organization, those changes were prefigured, and partly already underway.
Does that mean advancements in cybersecurity technologies are not suitable in the new workplace reality after all? Or perhaps that these technologies still haven’t seen the whole-hearted adoption needed to manage these new challenges?
A new focus: the human element of cybersecurity
While there may be a grain of truth in these responses, I think that the best place to start in improving the situation involves refocusing on the human element of cybersecurity.
Technology and the business culture it supports, after all, are in a two-way relationship, and a shock on the employee experience side will need to be addressed on the technological side.
Today, IT teams and the users who rely on them exist at a greater distance from one another than ever. Without the watchful (technological and human) eye that comes from physical proximity to IT professionals, users are more liable to develop insecure behaviors.
At the same time, CISOs need to be more acutely aware of the user experience they are establishing: repeated, intrusive authentication may help protect data, but at the cost of ease and productivity.
Secure but unhappy users are no more beneficial to a business than vulnerable systems.
Proactive cybersecurity requires continual, relevant training
What all of this points to is the need for effective, impactful security training. Particularly as norms around how and where we use data change, it’s important to establish best practices that line up with the organization’s technological cybersecurity posture.
A Labs report found that 44% of organizations did not provide employees with cybersecurity training focused on the potential threats of working from home, and that remote employees caused security breaches in 20% of organizations.
Training efforts should go beyond the well-worn paths of password policies and phishing identification. A shared company-wide concept of cybersecurity which rests on pillars of visibility, identity, authentication, and authorization, gives employees a mental framework for understanding risk, rather than simply mandating certain behaviors without explaining why.
Recently developed, innovative training platforms allow the use of cyber ranges and virtual training environments to create real-world cybersecurity and operational scenarios. These give cybersecurity and IT professionals firsthand experience of a cyber crisis, building their capability to handle real ones as they come.
Those closely monitored and sometimes gamified environments give CISOs access to budget-friendly, high-grade training tailored to the team’s needs, and provide visibility into the team’s capabilities, training progress, and knowledge gaps.
Similarly, while any large organization will now have established cybersecurity training schemes, CISOs shouldn’t assume that the true outcomes of these programs are the same as the apparent outcomes.
The ground truth of the situation can often be quite different from training scores. Taking independent paths to understanding how staff behave, including measuring incident rates and conducting user testing and research programs, will indicate real-life behaviors and highlight actual risks.
Ultimately, as the knowledge and skills of the employee base are raised, the tools we now have available to manage and secure distributed working environments will only become more effective. The CISO’s remit has to be to see both sides of this coin.
About the authors:
Charlie Doubek is VP of Managed Collaboration and Communications at NTT LTD UK.
Moshe Karako serves as the Chief Technology Officer of NTT Innovation Laboratory Israel, whose mission is to leverage Israel’s cutting-edge technology to support the evolution of NTT and customer businesses and to promote innovation and digital transformation.