Building a 'risk-aware' all-remote culture
We are witnessing a socio-political-economic transformation driven by Covid-19; it spans multiple demographics and boundaries around the world. As a cybersecurity professional and business risk advisor, I see in my interactions with clients, business partners and fellow business advisors how deep this transformation runs.
Once the forbidden fruit, 'work from home' is now an absolute mandate and a key business enabler. Industry experts are releasing article after article on how to secure such arrangements. Businesses are on an 'innovation spree' to deliver their products and services effectively and efficiently while still providing adequate assurance to end customers and regulators. Enterprises of all sizes and scales are thinking about operating in newer, faster and more resilient ways: remote working is the new must, shifting part of the critical workloads to cloud environments is actively being considered, and more.
In parallel, a cyber pandemic is working its way in to cause wreckage. While we are consumed with taking Covid-19 precautions and mourning our losses, the dark actors of the cyber world are spreading out gradually, finding opportunities to inject malware and cause havoc for businesses. Interestingly, we are certainly keeping track of Covid-19 infections, deaths and recoveries, but we have little idea how many systems have been compromised by Covid-themed malware, what percentage of business operations have been impacted, or how many systems have been breached (some not even known or traced yet). IBM X-Force has observed a 4,300 percent increase in coronavirus-themed spam.
While businesses transform the way they operate, it is imperative to drive risk awareness across the board. As an advocate of building a risk-aware culture for enterprises, I want to offer a few ways of driving security risk awareness:
1. User profiling: Cyber criminals find their paths through end users, taking advantage of their psychological make-up: what they work on, and how critically they would think about possible attacks. For example, an application development intern in the organisation would focus mostly on learning and delivering her part of the code; she may never have been aligned with secure-coding practices, and this could leave an open path for future application-security attacks.
It is important to identify the various profiles of users in the organisation supporting critical and non-critical business functions across verticals and horizontals. This identifies the level of security awareness each profile needs, and how frequently, based on their usage patterns and exposure.
2. Behaviour-driven awareness programme: Business and end users are already occupied with coping with the new normal, forming new business strategies and facilitating delivery and operations. Understanding their attention span and thought patterns is important, so think about new ways of raising awareness: engaging pop-ups, infographics, small quizzes, mock campaigns, and short video clips that are not too extensive and do not overstretch the attention span. It would be particularly helpful to engage the established security awareness content providers to help deliver effective content.
3. Engagement, inclusion and agility: We have been adopting various tools and techniques to drive technology and process innovation, such as design thinking, co-creation, agile and DevOps. It is time to harvest the fruits of all of them: identify the various players in the value chain, identify their roles, and profile the information, data sets and environments they are exposed to. The next step would be to set up security awareness champions in each group of players to shepherd security practices within their groups and provide continual input. This would encourage "co-creation" in designing security controls, updating processes and adopting newer secure mechanisms as the business and risk landscape changes.
The fight against cyber criminals has been going on for a long time; what is new are the variants and mutants of the threat actors, hackers, crackers and attackers. In this sudden, forcibly induced need for digitisation and data-driven existence in a virtually connected economy run by remote workforces, we can take well-thought-out, strategic and agile steps to ensure that the transformation is protected from larger risks.
Comment (4y): Interesting and insightful. Stay safe.