The way we work changed in response to COVID-19. The “new normal” is here to stay. Today, ensuring security for remote workers is more critical than ever. Organizations across the globe must rely on the IT department to lead them towards new technology solutions, especially as it relates to remote work.
During a recent virtual forum hosted by SIM San Diego, four CISOs and one Director of Cybersecurity discussed how their organizations are ensuring security for remote workers during the COVID-19 pandemic. Their insights reveal timely trends in cybersecurity best practices and compliance among technology teams. Their feedback can help you gauge how your team is handling business continuity measures in this new-normal world of virtual collaboration.
Trust Your Communication and Self-Help Documentation
Source: Gary Hayslip, CISO, Softbank
Gary Hayslip explained that Softbank was 100% cloud when COVID-19 hit. Aside from partnering with HR, their IT processes remained intact — business as usual. Most employees worked off a laptop and used Saas tools in the office, so preparing for the work-from-home environment wasn’t too tricky.
As a cloud-based company, initial action included using desktop apps for IT support. Employees with a laptop needed nothing more than login credentials. This feature connects remote workers with live help and immediate information to combat potential security issues.
Gary’s tech team also deploys self-help documents, which they regularly push out to staff. The dual-action approach decreases support tickets and reduces fatigue among the IT team, allowing them to focus on more important projects.
A cybersecurity leader for Softbank, Gary continuously educates the company on critical security threats, such as highly-targeted phishing attempts: malicious parties hide behind COVID-19 emails, a fascinating subject in anyone’s inbox. So Gary’s team engages staff members to demonstrate what to look for when spotting risky emails — it’s a game of education and constant communication.
Gary believes that communication is the most essential factor when ensuring security from remote workers. Open and easy-to-use tools empower people to seek help in potentially harmful situations. Tools such as Slack and video conferencing are a must for any security team.
Embrace the False Positive
Source: Gary Martino, former CISO, AMN Healthcare
Similar to Softbank, AMN Healthcare’s biggest challenge was user adoption, not technology deployment. Gary Martino shared that his team experienced a significant increase in requests from field workers, mainly about using new tools and processes. So their first responsibility was to educate the workforce and facilitate the adoption of new tools.
From a security perspective, Gary’s priority included asking what he could do differently while addressing the primary vulnerability — email attacks. He partnered with security vendors and prepared for a large increase in email volume. Tactical decisions included writing custom rules for email filters and withholding individual emails in repositories for review to ensure they were safe for employees’ inboxes.
In response to the increased security threat brought on by COVID-19, IT moved to protect the end-user and the company at all costs; this meant accepting more false-positives from security filters.
Enforce Strong Information Security Standards
Tina Lovoy, Global CISO, Encore Capital Group
From a security standpoint, Tina Lovoy faced the challenge of re-imaging technology equipment for thousands of employees. Moving from a highly regulated office environment to the home office required a new way of thinking.
The IT department provided critical support to over four thousand employees. Ensuring security for remote employees meant establishing strict processes and procedures for employees to follow at home.
Tina emphasized the importance of strong security standards and the criticality of enforcing those standards in response to COVID-19. Her team strategically secured employees and their environment, continuously patching off-prem devices.
Additionally, Tina attributes her success to upholding effective communication with her team. Throughout the crisis response process, IT and information security teams communicated, early and often. Their collaboration reduced the upstream and downstream consequences of changes made to the business.
Lastly, information security is using this time to improve performance around operating controls and key capabilities. The proactive mindset is the new normal.
Increase User Awareness Training for Personal Security
Robert Yaus, CISO, Generali Global Assistance North America
Improving user-awareness training was the first initiative for Robert Yaus. His company’s response to the pandemic included remote work for most employees. Consequently, Robert’s team had less network visibility and managed devices to monitor.
Given the increased presence of IoT devices in the home, IT had to account for higher threat levels across the company. Essentially, all primary security measures required a new strategy for the remote working environment.
In response to the new working constraints, Robert emphasized the importance of user awareness training, but he approached it differently to accommodate the remote environment. He focused on ensuring personal security. Through protecting individual communication and data first, he educated people about how to use safe practices — and how those, in turn, protect the company — a win-win for everyone.
A little training goes a long way in making employees a viable defense against cybersecurity threats. Good advice from the CISO level includes ensuring that all platforms and tools used by employees tie into federated services authentication platforms, enforce single sign-on usage, and enabling multi-factor authentication on all or most devices.
Prepare for the Worst and Hope for the Best
John Caruthers, Director of Cybersecurity, Illumina
John Caruthers summarized the group’s response to ensuring security for remote workers by accepting the widespread use of malicious email filters and, therefore, more false positives. Security nets captured thousands of emails daily once COVID hit, increasing from two to four hundred.
To prepare employees for extraordinary times, Illumina runs themed cybersecurity campaigns. As the Director of Cybersecurity, John recognizes his captive audience and uses his stage to increase awareness at every level.
John attributes his success to continuous messaging and openness to educating as many employees as possible. We look forward to hearing about the company’s next COVID-themed cybersecurity training campaign. Awareness scores have increased, and he’s already planning the company’s next COVID-themed cybersecurity training campaign.
Closing Statement
Ensuring security for remote workers is no easy task. Security executives from five San Diego companies gathered to discuss their strategies and lessons from the mass migration to remote work. A common theme surfaced among the group of security professionals — user awareness training.
All participants agreed that employees must remain educated and vigilant when connected to work devices in the home. Similarly, the group agreed with their CIO counterparts on the critical topic of communication. Whether people use slack, teams, Zoom, or all the above, everyone must voice their concerns and experiences daily.
Concluding statements from the group embraced shared learning experiences and adaptation. Additionally, each leader vowed to come out of this period stronger than before, echoing, “we will get through this, but the new normal is here to stay.”
