Cybersecurity Awareness Month: Four Things We’ve Learned In 2020
The huge shift to remote work this year has presented many new challenges for IT teams—not least of which is the issue of securing the organization when large numbers of employees are now working at home. At PagerDuty, around a fifth of our employees were already based remotely, but the impact of COVID-19 meant that hundreds of other Dutonians had an almost-overnight switch to working away from the office.
Our technical operations and security teams had to act fast to make sure all our employees could safely access the networks, applications, and resources they need to keep doing their jobs. So, since October is Cybersecurity Awareness Month, what better time is there to reflect on the things we’ve learned about managing the shift to remote work safely? Gary Dowler, our Senior Manager of Technical Operations, had the following four pieces of advice.
1. Secure your hardware. There’s been a big jump in the amount of hardware in use—both company-issued and otherwise. Technical operations and security teams should assume that said hardware is now being used on unsecured networks and can be a significant vulnerability. Securing that hardware is critical and requires a couple of steps. First, encryption to a high standard is needed; second, remote management tools should be used to monitor activity at a high level so quick action can be taken if needed.
2. Balance privacy and oversight. No employee wants to feel like Big Brother is watching their every move. This requires a fine balance between keeping an eye out for threats and leaving employees to get on with their work productively, wherever they are. Policies and rules are important, and they are there for everyone’s protection, but draconian measures like using key-logging tools or monitoring individuals’ website visits should be avoided. Instead, monitoring tools should alert security and technical operations when, for example, a phishing email sends an employee to a Russian bot farm.
3. Make lives easier. At PagerDuty, we have regular safety briefings, security training, and user education initiatives to let the whole organization know about new features and tools that will keep them safe and productive. It’s also important to ensure that the applications you provide not only have a high standard of compliance and security baked in but are also easy to use. Choosing user-friendly applications means people will be less likely to look for a risky alternative or a workaround.
4. Communicate early and often. As Aristotle once (almost) said, security, like nature, abhors a vacuum. It’s vital that you keep staff up-to-date on potential new risks or threats. Early communication is also key and is even more important when teams are dispersed. For example, we send out comms on hardware and software updates at least two weeks in advance of any changes and then follow up with regular reminders. An information vacuum will leave staff open to greater risk from threats.
As this year continues to throw challenges at businesses, we’re expecting the next hurdle for many will be managing the number of employees connecting in over public WiFi hotspots as society gradually begins to open back up. Where coffee-shop WiFi was once used mainly to check email or messages, we are likely to see these public connections increasingly used by employees to do their core work as an alternative to working from home.
Keeping security top of mind among the remote workforce will be critical as the nature of work continues to transform. To help other businesses navigate these changes, we open sourced our internal PagerDuty employee and engineering security training. It contains all the public materials for our courses, including PDF exports of the slides, and the original files so you can adapt them easily for your own teams. We hope it helps you and your business stay secure in 2020 and beyond.