Safe as houses? How to build a culture of security with a remote workforce

Technology never stands still. Anyone running a company has to accept this fundamental truth if they want to stay on top of cyber threats and run their business as securely as possible. New products emerge, workflows develop, and habits evolve along with them.

The COVID pandemic has rapidly accelerated that rate of change. Businesses had to shift radically when suddenly employees could no longer physically come to work. A lot of them will not be coming back. As restrictions have eased, many businesses have shifted to hybrid working models, forcing IT departments to rethink how to keep company data secure.

Worldwide, 44% of employed people are now working – at least partly – from home, according to the Global Trends survey published by Dynata in October. That’s a 52% increase on pre-pandemic levels. The UK (at 54%) has a higher percentage of people working from home than the US (at 50%) and far exceeds the global average.

There is a lot that a strong IT department can do, such as implementing an identity and access management solution, a corporate VPN and, to close any gaps not covered by these tools, a password manager. But this approach is not enough on its own. In fact, it’s really only half the battle.

Everyone working within an organisation has a responsibility too. All of us who want our businesses to be as cyber-secure as possible must realise that the culture we create is just as important as the systems we have in place.

Culture is crucial

Building a culture of security is crucial because it’s impossible to perfectly control and monitor your business for security threats. A lot of the risks are caused by poor cyber security habits outside the office – corners get cut, often because people are focused on productivity and other concerns take a back seat. Although most people in the UK use password protection at home, many still consider using unsecured Wi-Fi, in a coffee shop for example, if there is not a secure option easily available.

Forwarding work emails to a personal address, to make completing a task quicker or easier, is a common habit. So is going outside your company’s IT system to download software that you think will help you do your job better, even though your company has not authorised its use. The reverse is also an issue – using a work email address for personal matters, such as registering on an online shopping site, opens up risk as well. The list goes on. And on.

Collective responsibility

If you foster a culture of security, however, you can rest easy knowing that your employees have the knowledge and desire to make smart, secure decisions while they’re working outside of your company’s purview.

If you want to build a new kind of culture, start with your senior managers. Once you’ve explained the situation, they’ll be aware of what needs to change and can remove any roadblocks for the team leaders beneath them. They’ll also become early ambassadors for the new culture and help influence other employees at the company.

Next, meet with individual teams and discuss what they can do to help. Your HR team, for instance, should craft an onboarding experience that emphasizes good security tools and habits. The documentation team, meanwhile, can write a security manual that outlines basic principles and policies that are easy to follow.

These conversations will instill the idea that security and culture-building are a collective responsibility. They will also create a supportive environment that encourages everyone to be more secure at work. Instead of one voice pushing for change, it’ll be many in unison. Keep this up and a culture of security will start to take root at every level of your business.

Security is everyone’s job

At the same time, you should focus on employee education and training. Explain why your company’s policies are important and how to spot common cyberattacks, such as phishing emails and system intrusion. The more your employees know, the better their decision-making will be.

Consider software, too. The right tools will empower employees to practice good security habits. A password manager allows everyone to protect all of their accounts with strong, unique passwords. They can do this on their own, which will give them a greater sense of control, ownership and responsibility. It also gives IT and security teams oversight of all the accounts your team is using, even those that aren’t covered by existing security tools.

Keep the conversation going

Cyber security is not something that you can ever solve and then forget about – it has to be a constant consideration, and employees should be engaged in keeping the conversation alive. Give them a clear process for reporting any suspicious activity. Reward them for speaking up, too. At 1Password, we have an “Eyes of the Month” award that recognises people who have spotted and reported potential security issues. It’s a small gesture that goes a long way to reinforcing our security culture.

Speak to your IT department, too. It’s important that they have an open and honest relationship with everyone else at the company. It will ensure that employees feel comfortable coming forward and requesting a new tool. If both sides are frank and accommodating, they’ll come to better conclusions that strike the right balance between productivity and security.

Commit for the long term

If you take these steps, there’s a good chance that your company will successfully adopt and embrace a culture of security.

It won’t happen overnight. That realisation can be frightening because a cyberattack can happen at any time – criminals won’t wait until your organization feels adequately prepared. But it’s worth putting in the time and effort because when a culture takes root, it becomes infectious. New hires pick it up quickly and existing employees check to make sure they’re setting a good example. It’s a cycle that’s truly transformative.

I can’t promise that your company will never be breached. I can say with complete confidence, however, that nurturing a culture of security will make your business harder for attackers to infiltrate. That, in turn, will lower the chances of your business being involved in a costly and embarrassing breach.