Kiersten Todt, managing director of the Cyber Readiness Institute. (New America)

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday launched a free “Telework Essentials Toolkit” designed to help businesses adjust to the realities of working from home during the COVID pandemic.

DHS teamed up with the Cyber Readiness Institute (CRI), Global Cyber Alliance and other partners to add these resources to the agency’s dedicated telework product line, which launched last May. The CRI’s primary focus is on small-to-medium-sized enterprises (SMEs), many of which lack the funds and staffing they need to properly secure their remote workforce. This new toolkit could help those companies compensate.

The toolkit contains resources to help IT pros execute six key tactical and technical actions, including patching and vulnerability management, implementing approved teleworking apps, and ensuring email security. It also advises teleworkers on how to shore up their home networks, and provides executive leaders with strategic recommendations.

“Telecommuting is no longer an experiment or temporary option for the majority of businesses, organizations, and government,” said Bryan Ware, assistant director at CISA, in the announcement. “With expanded telework being the ‘new normal’ for many, it is time for organizations to take a comprehensive assessment of their expanded enterprise to ensure or establish a long-term, strategic cybersecurity posture.”

Kiersten Todt, managing director of the CRI and executive director of the Presidential Commission on Enhancing National Cybersecurity, talked to SC Media about CRI’s latest partnership with DHS, and addressed where SMEs continue to struggle under work-from-home conditions, and what their top priorities should be.

You’ve previously partnered with CISA on other efforts to help small businesses stay secure. Refresh our memory on some of your previous collaborations.

When CISA… started looking at how to provide tools for small businesses, I had connected with them, essentially, about the work that we were doing, with the discussion that ‘You don't need to reinvent a lot of this. A lot of us have focused on this specifically…’ And so it was just clear that by just collaborating, they could be, even more effectively, a repository of all these tools that are out there, and they could become that one-stop shop.

And so early on, we just started partnering with them on tools for small businesses, and how to create the most accessible way to get small businesses to use the tools, to understand what they are, and to focus on, particularly from our perspective, the human behavior side.

And as a result of that initial relationship, in the earlier part of this year, as we were looking at ransomware, CRI reached out to CISA and said, “Hey, we'd love to do a ransomware playbook with you.” And what we ended up doing was developing the playbook and then they helped with the distribution.

[We're] continuing to collaborate on these toolkits for small businesses… And hopefully, their user base is just increasing as a result of that and CRI.

But then Covid came along and rocked the world of small enterprises. So how did this ultimately result in this newest toolkit?

Pretty early on, we released our first guide on the remote environment on March 13. [I said], “We need to get this out, because the small businesses are all going to be scrambling, and their safety net is in many cases nonexistent. So, very quickly: How do you make sure that in this pandemic, in this crisis mode, you're giving them the basics on what they should be following, as they're figuring out how to move workforces remotely, and what they should be paying attention to?”

And in fact, if we look at over the course of this year of the pandemic, those issues that we have focused on – phishing, human behavior – those have been the greatest vulnerabilities. We're seeing a huge uptick in phishing. So [we’ve been] helping to create that foundation and working with CISA on the work that they're doing to give them content.

What is the specific content that you're providing?

We're providing links to very specific policies on phishing, passwords and USB use. So obviously, guidelines for file sharing in a remote work environment become really critical. So their [DHS’] toolkit now provides links to our recommendations and our tips for those core issues.

But then, also, we've created a series of guides – we're up to about nine right now – on different remote work issues. And most recently, we just did a guide on the hybrid work environment. I think that this hybrid work environment is going to create many more security challenges. Because while it's not easy to have a solely remote workforce, you at least know where everybody is. But when you have some people working in the office and some people working from home and then switching back and forth, what they're doing with their policies all needs to be looked at more closely.

So the new [DHS] telework document links to the remote work guides that we've produced since March on data sharing, tips, do's and don'ts, and now, this first in our series on hybrid working environments.

It's been more than half a year since the pandemic first started significantly affecting U.S. businesses last March. In that time, have SMEs regained any of their footing and security posture after having to suddenly switch to a remote working model?

Small businesses – and really all businesses – are realigning and remembering and highlighting how important the basics are…. The strength of passwords, software updates, how you're file sharing. Those elements are critical, regardless of whether you're in a pandemic or not. But the pandemic has highlighted those. And I think that's a positive, because what you're seeing is organizations, companies, making sure that those policies are sound and making sure that all their employees know what those policies are.

I would say on the downside, we're seeing a real uptick in phishing and ransomware… A large global company [that CRI has been talking to recently said] that they have a lot of small businesses in their supply chain that are getting hammered by ransomware…

It is the premise of why we created CRI, which is: Small businesses are critical components of global supply chains. And so working with them on the basics in security is critical. So while we did the ransomware playbook with DHS before the pandemic, it's something that we're using a lot in the pandemic, because we talk about what to do to prepare for ransomware, but then also what to do to respond to it.

What’s the question that CRI has been asked most frequently by smaller businesses that have sought guidance during the COVID ordeal?

If I'm only a few employees, or if I'm small, the first question is: “Am I really a target?” And then the second one is: “What do I need to be thinking about?” We’ve started to see a little bit more specifics like: “What should I be doing about phishing and ransomware?”

But it’s also: “How do I get my workforce on board with all of these policies?” So a lot of what we're focusing on is the human behavior side.

It’s just basic communication: Have an issue every week that you're talking about, remind your employees of what a strong password looks like, remind them to turn on automatic software updates on their computers, and make sure you've got a cloud-based file-sharing system, particularly now with the hybrids, so you’re not USB-ing in a physical space and then going back to your home and using the USBs. So it’s how we can make those basics palatable and understandable.