Communication in a Time of Crisis

As a security practitioner with 30+ years of experience, I am not sure if anyone’s plans foresaw business operations sending the workforce home for months at a time.

What is less clear are the new risks that are created by the implementation of this plan and how to manage those new risks over time. Often during a crisis plan rollout, communication is limited to official information from the communications team, and other departments are restricted from access to employees because of a fear of overwhelming them with information.

This presents a real problem for security professionals because this change in the operating model brings new risks for the organization. Assuming the new risks are assessed and understood, what about communications relating to the increase in cyber threats, that grow over time, to our remote corporate workforce?

While scams, business email compromise, and phishing attacks are nothing new, people often need gentle reminders of what to watch out for in times where their normal routine is disrupted.

In short, when people are distracted they often make mistakes or move too quickly and pay less attention to the small things:

Indeed, the past few weeks have felt like being under attack from scammers for some employees who work from home. Reported cases of Phishing and Business Email Compromise are up, in some cases dramatically, and are showing no signs of slowing down.

Combined with this increased volume of attacks is a workforce that is nervous, to say the least, and, in some cases, desperate, or even scared. Concerns for job security, family health, financial capabilities, and increased childcare all drive stress at home, and when home is the workplace, a new paradigm of normal has been created.

Another interloping issue may be that your corporate endpoint controls are not fully enforceable when your remote workforce is off your network; while there are many variations here, ensuring the protections afforded to the device or staff access to organizational/customer data remain in place is critical. Whether it’s insider threat, protection from hackers, malware defense, or run of the mill data loss, ensuring the right controls stay in place is key.

Even though you tell employees to protect themselves and the company all year long, it’s important to remember a few basic points in times like these.

Take the time to assess the at-home risk of remote workers in a formal way – conduct the full risk assessment and consider all the risks – role play from the bad guy's view. This information will be helpful in advocating for more frequent communications.

Scammers are opportunists and scams always increase when times are difficult. There has been a large uptick in scam attempts against computer users since the global pandemic began:

Attacks against home internet routers are up – a new campaign against Linksys and D-Mark routers has been observed active since March 18th. This is important because these brands are very common in in-home internet use and may be what remote employees are using to connect to the office network.

Under normal operating conditions security awareness & training have proven to be a very cost-effective method for reducing some amount of Cyber Risk.

In this heightened period of risk, effective communication to those staff members working from home becomes table stakes for those hoping to manage the increased attack surface of having hundreds and thousands of employees at home. During these times, frequent communication with your staff teams about the cyber threats that face them while working remotely is integral.

Learning science tells us that people learn in different ways and hearing a message from multiple sources repeatedly increases the chance that they will understand the information.