With working from home more common since the global coronavirus outbreak, companies need to help employees understand the risks associated with the new arrangement in addition to ensuring stronger technology controls, McKinsey & Company said recently.
The added stress many people feel can make them more prone to social-engineering attacks, according to the consulting firm.
Some employees might notice that their behaviour isn’t monitored as it is in the office and choose to engage in practices that open them to other threats, such as visiting malicious websites that office networks block, the firm added.
Building a “human firewall” will help ensure that employees who work from home do their part to keep the enterprise secure, said McKinsey, which also suggested the following practices.
Communicate creatively. A high volume of crisis-related communications can easily drown out warnings of cybersecurity risks, McKinsey & Company pointed out.
Firms will need to use a mix of approaches to get their messages across, the consulting company advised.
These might include:
- setting up two-way communication channels that let users post and review questions, report incidents in real time, and share best practices;
- posting announcements to pop-up or universal-lock screens; and
- encouraging the innovative use of existing communication tools that compensate for the loss of informal interactions in hallways, break rooms, and other office settings.
Tell people the dos rather than the don’ts. Telling employees not to use tools (such as consumer web services) they believe they need to do their jobs is counterproductive, the consulting firm said.
“Companies must explain the benefits, such as security and productivity, of using approved messaging, file-transfer, and document-management tools to do their jobs,” McKinsey pointed out. “To further encourage safe behaviour, firms can promote the use of approved devices—for example, by providing stipends to purchase approved hardware and software.”
Raise awareness of social engineering. Coronavirus-themed phishing, vishing (voice phishing), and smishing (text phishing) campaigns have surged, according to McKinsey.
Companies must prepare employees to avoid being tricked, said the firm.
Notifying users that attackers will exploit their fear, stress, and uncertainty is not enough.
“Companies must consider shifting to crisis-specific testing themes for phishing, vishing, and smishing campaigns,” the consulting firm advised.
Identify and monitor high-risk user groups. High-risk users, including those who work with personally identifiable information or other confidential data, pose more risk than others, said McKinsey.
These users should be identified and monitored for behaviour (such as unusual bandwidth patterns or bulk downloads of enterprise data) that can indicate security breaches, the firm said.