If 2020 has taught us anything, it’s that anything can happen. Honestly, how many of us had, “I will do my best to avoid a global pandemic,” as a New Year’s resolution for 2020?
That said, the chances that 2021 will be even more unpredictable are slim. So, we might as well indulge in setting some solid, achievable cybersecurity goals for 2021. Let’s dive in!
Stay Vigilant About WFH Cybersecurity Policy
Working from home (WFH) was the standard for the vast majority of companies throughout 2020. The situation will likely remain the same for the better part of 2021.
But as we learned in 2020, remote staff makes for a very messy virtual environment that introduces far too many potential attack vectors. These include:
- Previously airtight VPNs need to be accessed from all over the place, sometimes from private devices that don’t even use the most basic antivirus software.
- New, non-vetted software is introduced in spades because it helps people more effectively collaborate remotely.
- Fresh, Zoom-interviewed-and-onboarded employees are thrown into this ecosystem without proper cybersecurity training.
And the list goes on.
Fortunately, it does not have to be this way. A comprehensive WFH cybersecurity policy, and its unwavering enforcement, can put a stop to such behavior and allow your organization to operate smoothly, remote-first, without unnecessary risks.
Your policy should cover topics such as:
- Compliance adherence
- Access control and level-sensitive multi-factor authentication
- Security infrastructure (security software, updates, maintenance, etc.)
- Vendor vetting standards and practices
- Employee onboarding processes
- Employee education and training processes
- Processes and practices in case of threats and breaches
- Clearly defined roles and responsibilities
It’s important to reiterate that it’s not enough to merely come up with a good WHF cybersecurity policy – it has to be enforced religiously, and updated regularly, if you discover potentially risky behavior that is not covered.
Provide Continuous Education and Training
Early in 2020, CybSafe published their analysis of the 2017-2019 data made public by the Information Commissioner’s Office, the UK Government’s public body that deals with data protection, GDPR, PECR and more. They discovered that nine out of 10 data breaches in that period could be attributed to human error, in one way or another, as opposed to software or hardware vulnerabilities.
In other words, cybersecurity starts with the people in your company. Unless they’re aware of the potential risks – and the proper behavior to mitigate those risks – the strength and sophistication of your security infrastructure doesn’t matter.
That’s why continuous staff education and training must continue to be a priority in 2021, especially considering the complex WFH ecosystem your company has probably adopted. This means regular cybersecurity awareness webinars, team meetings and briefings, individual talks, phishing simulations and introductions to new concepts such as voice phishing, for example.
This means not merely reading a prepared script once or twice and hoping that some of it sticks, but continuously evaluating your employees’ knowledge and awareness, as well as updating your training to best respond to new threats.
Stay On Top of Your Supply Chain
A huge contributor to the increased complexity of remote work arrangements is the software supply chain. New devices used to access your company’s network and new software introduced to help people do their work can be rife with vulnerabilities. It’s your job to make sure they don’t pose an actual threat.
For one, all new software introduced needs to be vetted rigorously before it’s allowed to be included in your company’s stack. That’s especially true if users expect to use it in a way that could expose your sensitive data, or create a new point of access to your secure network.
In the work-from-home reality, your supply chain will expand in terms of hardware, as well, starting from your employees’ private devices. Namely, because private devices are often not well-secured enough to be given access to your networks. Even something as inconspicuous as a webcam can be a potential threat vector that can be exploited by malicious actors.
In addition to these three goals, you could add another: I will not let my guard down as people start returning to the office. The chances are that many companies will welcome their employees’ return a bit too exuberantly, and ease up on the new measures and practices that they adopted during WFH.
You’ll do well to avoid this. This new vigilance should be a standard for years to come. After all, why wouldn’t you make security a primary goal?