The exponential increase in remote work has given hackers a buffet of vulnerable endpoints.
While remote work isn't new, the percentage of people working remotely is unprecedented, said Daniel Kennedy, senior research analyst at 451 Research, a part of S&P Global Market Intelligence, based in N.Y.
Boosting employee awareness is key to making the company an unattractive target and thwarting any cybersecurity breaches. And HR leaders and their teams -- working with IT -- have an important role in that awareness.
Here are six strategies HR teams can follow to accomplish just that.
1. Understand HR's role in security awareness
HR teams need to fully understand the dangers that working from home can bring to their company.
"Attackers will take advantage of endpoint software vulnerabilities, web exploits, email phishing and other forms of social engineering to compromise endpoints," said Heidi Shey, principal analyst of security and risk at Forrester.
HR's involvement is crucial for boosting employee security awareness, which is vital for thwarting cybersecurity attacks.
"While companies can take measures to protect endpoints, data and network access, it's not enough," Shey said. "They also need to help guide employees to understand the risks of working remotely."
2. Adapt personal device security policies
Times of crisis call for new, stronger security measures.
HR and IT should work together first to create a clear and consistent policy for the use of personal devices, Shey said.
"Communicate clearly to employees what it means if they are to use a personal device for work purposes," she said. "It may mean that employees are required to download and install specific software for IT to manage the device or that IT is able to remotely wipe their device."
Workers may make different device decisions when they understand that using personal devices for work means ceding certain privacy and control rights to their employer.
"Some employees may wish to maintain a separation between their work and personal life and opt to not use a personal device for work purposes as a result," Shey said.
3. Stay updated on cybersecurity threats
Attackers constantly refine and improvise their methods. IT can, however, continually monitor the threat landscape and identify the techniques attackers currently favor before those techniques are used against the company. IT and HR should keep an open line of communication so HR can promptly raise employee awareness of new threats.
Two of the most common threats that are likely to persist for the foreseeable future are phishing and network intrusions.
Phishing emails deceive workers into revealing passwords, access codes and other credentials, which attackers then use to access company data, money and systems.
"[While] I don't consider [phishing] a new threat, new variations targeted at the working-from-home employee are popping up, and some are quite effective," Kennedy said.
"For example, think of an email that references contact tracing," he said. "It contains all the characteristics of a good phishing scheme -- [it's] timely [and] urgent, and [it] generates a response based on concern or fear."
However, it's not just email that is giving attackers a way into endpoints.
Home networks are fundamentally different from corporate networks and, therefore, are more vulnerable, Kennedy said.
One example of a weak point is a home router whose management interface is reachable with default or weak passwords, he said.
Such a router can expose services that a corporate firewall would not normally allow.
"The Wi-Fi network may not be protected as effectively, and the behavior of other users on the shared network is different," Kennedy said. "For example, most of your office co-workers are likely not playing downloaded games after they finish the day's work, but [their] children are."
IoT also presents a different array of endpoints and poses a bigger threat on home networks than on business networks. Smart TVs, mobile phones and smart appliances are all examples of devices connected to home networks.
The average person has six connected devices, Shey said.
And that means more opportunities for hackers.
"Even before the pandemic, we saw how consumer IoT devices were increasing the attack surface," Shey said.
However, there are things companies can do to effectively mitigate these issues.
"HR can work with the [chief information security officer] to brainstorm a number of security strategies, from increased security awareness initiatives to taking another look at endpoint controls on employee laptops," Kennedy said.
4. Tap expertise of PR and marketing
Cybersecurity works best when everyone in the company cares about it, understands what it involves and knows how to strengthen the company's defenses. That means HR and IT might want to reach out to other departments for help in raising security awareness.
In particular, PR and marketing departments have skills to help boost messaging effectiveness.
"A firm's marketing and public relations folks spend much of their day thinking about how to craft messages that drive attention," Kennedy said. "Some of the best awareness campaigns look like advertising campaigns."
Don't be afraid to engage these experts in the program to help craft the messaging, he said.
5. Focus on HR and IT collaboration for security control rollouts
HR and IT will need to work closely together to improve security without overburdening employees.
"The most important thing HR can do at this time of uncertainty and stress for employees is empathize and focus on the employee experience," Shey said. "A major [security] risk for companies in this climate is how they treat their employees as financial distress, fear of layoffs and disgruntlement toward employers create a perfect environment for insider threats."
For example, a bad employee experience can motivate employees to resist changes rather than accept them. A common response is to work around controls or withhold support for them, and that resistance opens the company up to more cyber attacks.
"Employees are sometimes given short shrift when it comes to the rollout of security technology controls," Kennedy said. "The thought process is that they are subject to whatever the enterprise implements; however, [employees] generally have more agency than people realize."
This means IT really needs to rely on HR's insight into the employee experience when rolling out new security controls.
"HR and IT [should] think of the rollout of these controls as -- while not quite at the level of rolling something out to a customer or client -- closer to that level," Kennedy said.
There are ways to foster user adoption, Kennedy said. Here are a few ideas that can help:
- Test the usability of any security control carefully before rollout.
- Thoroughly explain the reasoning and what the control is meant to address, such as with awareness training.
- Be open to feedback on the friction a control is creating or how it's making users' jobs more difficult.
- Weigh that friction against the risks being mitigated, and decide whether it should be continued or whether the control should be adjusted.
6. Appeal to personal interests
A primary rule of marketing is to understand the audience and appeal to their concerns. Since security issues can feel distant from any personal concerns, HR needs to work doubly hard to tie security to something the audience cares about.
"There are many ways to educate employees about the importance of cybersecurity and how cybersecurity works," said Charles Russman, employment and cybersecurity attorney at Clark Hill, an international law firm. "The two most critical are personalization and engagement from executives."
Personalization means explaining to employees that cybersecurity is critical not only to business continuity, but that it also protects their own data and the data the company has about their family members, such as those on the company's health plan, he said.
Employees are more likely to be vigilant when they understand their safety and their family's safety is at risk.
Explaining why employees must take specific security actions -- and the harm that can result from not doing them -- tends to be more effective than simply issuing instructions on how to take various security precautions.
"Ensure that employees understand the why behind the security measure, what they are expected to do and who to contact if they have issues or questions," Shey said.