Out of office, out of mind

Cinema owner Dan Paine works on his laptop in the vacant cinema foyer in May 2020 in Auckland, New Zealand. (Fiona Goodall/Getty Images)

Bathrobe chic has become the new business casual and no one arrives late because of traffic anymore. People like working from home, and for some, it offers improved productivity and quality of life. However, others struggle to compartmentalize competing demands from their professional and personal lives. 

At the organizational level, abandoned office spaces and free-range employees are testing security operations. Overnight, people logging in safely within corporate security perimeters, transitioned into people working on unmanaged devices via less-than-secure home networks. Businesses must adapt, but many are falling behind on addressing security demands of the remote workforce. While technology solutions for addressing emerging threats are critical, taking a human approach can also mitigate the risks of cybersecurity threats.  

Information security leaders must understand the unique challenges facing remote workers to establish systemic organizational support bolsters the ever-growing human perimeter.

New normal

People are creatures of habit, excellent at identifying patterns and changes in the environment, especially threats. That’s why we spot strangers in the office, but fail to greet a coworker in the grocery store. Offices are full of familiar faces and routines and strangers stand out, while grocery stores are a sea of strangers where familiar faces are rare.

Most of the time this works to our advantage, but false familiarity can create issues. It becomes accentuated when abnormal seems “normal” because of environmental context. For example, vishing attacks, where hackers target remote workers by phone who are unfamiliar with new security protocols or processes. Attackers know that remote workers are in a new environment, and that it’s difficult to determine what’s really “normal” when discussing access to unfamiliar IT systems.

What’s normal at home doesn’t always align with what was normal in the office, and capitalizing on that discrepancy has been highly effective for attackers in recent months.

Balancing boundaries

Working from home has been ideal for some, but eliminating boundaries between work and personal lives has become stressful for many.  

Traditionally compartmentalized roles no longer have any separation. Additional stressors because of the breakdown of traditional work-life boundaries, such as children needing attention during work hours and lengthy periods of time spent in isolation, can adversely impact productivity. Technology also contributes, as remote workers depending on substandard equipment and software can become frustrated, resentful, and careless.

Employees in early stages of establishing work-from-home habits may also struggle with splitting their attention between home and work tasks. They may spend too much or too little time on work, with either imbalance contributing to anxiety or burnout. 

Stress and burnout contribute to making mistakes, decreased work quality, and even social withdrawal and apathy. Ultimately, employee health contributes to the organization’s operational success and cybersecurity risks. 

Action strategies

There’s no quick fix for supporting remote workers to improve security outcomes. However, organizations can take the following steps to build workforce resiliency:

  • Communicate.

Talk to employees at multiple levels. Use one-on-ones and larger meetings as opportunities to discuss cybersecurity topics. Make security visible by modeling positive behaviors and sharing experiences—even experiences in which fellow colleagues have been duped or made a poor decision.

  • Decrease uncertainty.

Take the guesswork out of employee decisions around cybersecurity. Banks and other organizations constantly remind us that they won’t ever ask for our log-in information or account numbers. Give personnel the same peace of mind and explicitly state what the company will, or will not, ask for in regard to their personal information and credentials.  

  • Keep learning.

No one has mastered cybersecurity. Today’s climate has only highlighted how much more we all need to learn. Develop plans for continuous education. And call attention to immediate threats and promote cyber hygiene practices such as updating software and using multi-factor authentication.

  • Invest in home offices.

Supporting workforce performance means investing in equipment and productivity tools. Substandard equipment can increase risk, not just because the technology becomes more vulnerable, but because people with inadequate tools are less productive and make more mistakes.  Consider stipends that deliver more comfortable working conditions for remote workers, like new monitors, improved internet service, and even better chairs and desks.

  • One size does not fit all.

Every organization may have a different distribution of new WFH employees, different security needs, and different types of expertise. Craft strategies tailored to people’s needs, not just what the company needs. For instance, implementing flexible work hour policies may be extremely helpful for employees but not show an immediate advantage for the organization.

Remember that employees are just as much a part of the company’s cybersecurity defenses as corporate firewalls, web gateways, and data protection solutions. Keeping the team tuned up, trained, and on alert will bolster the company’s cybersecurity posture.

Margaret Cunningham, principle research scientist for human behavior, Forcepoint

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.