As we approach the 18-month mark of operating in a pandemic environment, it has become quite clear that the key to securing networks with a remote workforce isn’t just about technology. Engagement is also a vital part of the process. Now, don’t get me wrong. Best-in-class technology still serves as the engine that powers network security. People, however, are the drivers that steer it in the right direction to avoid any potential roadblocks along its path.
Many organizations are beginning to implement a hybrid workplace structure that intermixes in-office and remote work. This transition will require us to again adjust security measures, especially amidst the heightened prevalence of ransomware attacks that have wreaked havoc on organizations across the country. Ensuring the hybrid workplace is protected from ransomware is contingent upon promoting a culture of cross-company cybersecurity engagement. For CISOs, engagement must be a top priority.
There are three foundational pillars to fostering a cyber-engaged workforce: employee engagement, executive leadership engagement and peer network engagement. Committing to and following through on each pillar of engagement is critical to sustaining the agility and business continuity essential for successful network security in a hybrid workplace environment.
Individual Employee Engagement
Engagement at the employee level requires CISOs to provide consistent communication and transparency to each individual member of the workforce. Most employees are likely feeling cybersecurity fatigue at this point of the pandemic, making them prone to relaxing their habits or taking occasional shortcuts. This complacent attitude is exactly what successful adversaries look for, and now more than ever, we cannot afford shortcuts. Engagement helps combat that fatigue by generating collective “buy-in” to follow security measures and protocols, awareness of the potential threat and a healthy vigilance - even if those measures and protocols create additional work.
From high VPN usage and two-factor authentication to maintaining alertness to business email compromise and browser extensions, CISOs should actively educate employees on the importance of following the security “best practices” while settling into a hybrid work structure that works best for your organization.
This type of personal leadership engagement also calls for CISOs to be readily available for any questions or concerns. Employees should feel encouraged to reach out for help, knowing that there’s no such thing as a dumb question. Frictionless and responsive incident reporting should be a cornerstone, with the reinforced understanding that when employees report suspicious activity, it’s not only our job to investigate it; we also need to communicate that their concerns are being addressed in a timely manner. Making sure your staff knows their concerns are valued, through thoughtful and timely responses (not just canned or automated ones), encourages the reporting of suspicious activity in the future. Extending your reach through valued employees improves your sensor network and serves as a vital component of defending against ransomware and other threats. Without that trust, employees will be less inclined to communicate potential threats reliably and with the urgency needed to prevent an incident or potential network breach.
Executive Leadership Engagement
Collective “buy-in” at the executive leadership level is ever more critical to maintaining network security within the hybrid model. Culturally, this is easier for some organizations than for others, and most of today’s executives just get it: they have seen, or at least heard of, the catastrophic business losses they could face. But to be effective, employees need to know the commitment starts from the top down. CISOs should engage fellow company executives and provide them with education, opportunities and materials to demonstrate observable support and to bring into focus how each department can add value to the organization’s network security. If the ownership of information security is the sole dominion of one team, you will forever be fighting an uphill battle.
The IronNet 2021 Cybersecurity Impact Report, an independent study that surveyed 473 security IT decision-makers from the U.S., United Kingdom and Singapore, revealed that 86% of respondents experienced a cyberattack in 2020 that required an emergency meeting among their executive board. In times of crisis, executing an “all-hands-on-deck” incident response plan is reliant on swift action at the executive level, where everyone understands their roles and responsibilities.
Engaging with executives beforehand to clarify their roles, validate procedures, and challenge assumptions in the wake of a relevant crisis establishes transparency and accountability that quickly trickles down across the entire organization. Organizations fail when they do not question, do not anticipate communication gaps, or do not consider undetected threats that could cause significant damage or delays to the mission or business.
For example, the Kaseya ransomware attack could have been prevented had the company’s leadership taken further steps to address staff reports of dangerous security flaws - such as outdated code, vulnerable encryption and product passwords, as well as negligence in meeting basic cybersecurity patching requirements. The concerns were never fully addressed, causing some employees to quit in frustration with the inaction. As a result, the company fell victim to the largest ransomware attack in modern history.
Peer Network Engagement
There’s a false sense of (cyber)security among many U.S. companies as it pertains to network protection. IronNet’s 2021 Cybersecurity Impact Report found that while 92% of respondents expressed confidence in their current security stacks, nearly half cited a rise in incidents over the last 12 months.
From a CISO standpoint, overconfidence is a liability - those who believe they are untouchable will leave their organization vulnerable to all sorts of breaches. No new network security strategy or business continuity plan is foolproof, and such plans rarely survive first real-world contact. In turn, being a responsible CISO involves engaging with industry peers on best practices for hybrid workplace security and real-time intelligence sharing that enhances the visibility of the attack landscape. Much like IronNet’s Collective Defense model of defending together instead of alone, CISOs can leverage strength in numbers as well.
The traditional operational structures, where 80-90% of employees worked inside the office, are well in the rear-view mirror. As we adjust our network security measures to align with the new norms of a hybrid workplace model, prioritizing the three pillars of engagement will be key to a safe and seamless transition.