Almost all of us are dealing with the unprecedented migration of enabling our workforce to work from home. For many organizations this is a huge challenge, as they lack the technologies and processes to make this happen securely. But it is even more challenging for our employees themselves, many of whom may have never worked from home. For them this is an overwhelming time of confusion as they deal with new technologies, new processes and even new working environments. Adding to the chaos of change, many employees are also supporting spouses working at home or even kids eLearning at home.
To successfully secure such a workforce we have to keep in mind just how difficult this change is for people. Any new security behaviors, processes or requirements we want to teach have to be as simple as possible. In academic terms we want to avoid what is called choice overload or cognitive overload. The human brain can only process and learn so much during a certain period of time, and in many ways people are already overloaded with all the recent change. As such, we have to teach people as little as possible.
This may sound counter-intuitive to many, especially security professionals who feel we have to address every new risk, which implies we have to communicate and train on as many security behaviors and policies as possible. But we quickly hit the point of overloading our workforce: basically, they dump everything you told them and simply move on. The key is reducing what you need to teach people to the absolute bare essentials, and then communicating those fundamentals in a super simple way for anyone to understand. For example, for people working at home the three fundamental risks we recommend you focus on are:
You: People have become the primary attack vector (phishing email, phone call and text messaging scams, etc.). Teach people what social engineering is and the most common indicators of such an attack. Especially with a WFH workforce, people, and not technology, are your best defense.
Passwords: Teach not only what a good password is (hint: passphrases) but how to safely and securely use them. Remember, both password complexity and password expiration are dead. Make passwords simple, perhaps even provide password managers for your workforce.
Updating: The most secure devices, programs and mobile apps are updated ones. Make sure people keep their systems updated and current. Promote automatic updating when possible.
Regardless of what you communicate or how, attempt to keep it as short and as simple to consume as possible. We highly recommend working with your communications and marketing teams; they are experts at this.