business
‘‘
TALKING
////////////////////////////////////////////////////////////////////
protection regulator in your country. If you
want to be able to claim that you took the
right precautions, and thus that the breach
can be disregarded, you’ll need to produce
evidence – the regulator won’t just take your
word for it.
Make sure your users can do what
they need
If users genuinely can’t do their job without
access to server X or to system Y, then
there’s no point in sending them off to work
from home without access to X and Y.
Make sure you have got your chosen remote
access solution working reliably first – force
it on yourself! – before expecting your users
to adopt it.
If there are any differences between what
they might be used to and what they are
going to get, explain the difference clearly –
for example, if the emails they receive on their
phone will be stripped of attachments, don’t
leave them to find that out on their own.
They’ll not only be annoyed, but will
probably also try to make up their own tricks
for bypassing the problem, such as asking
colleagues to upload the files to private
accounts instead. If you’re the user, try to be
understanding if there are things you used
to be able do in the office that you have to
manage without at home.
Make sure you can see what your
users are doing
Don’t just leave your users to their own
devices (literally or figuratively). If you’ve set
up automatic updating for them, make sure
you also have a way to check that it’s working,
and be prepared to spend time online helping
them fix things if they go wrong.
If their security software produces warnings
that you know they will have seen, make
sure you review those warnings too, and let
your users know what they mean and what
you expect them to do about any issues that
may arise.
Don’t patronise your users, because no one
likes that; but don’t leave them to fend for
themselves, either – show them a bit of
cybersecurity love and you are very likely to
find that they repay it.
32
INTELLIGENTCIO
“
TRY TO BE
UNDERSTANDING
IF THERE ARE
THINGS YOU USED
TO BE ABLE DO IN
THE OFFICE THAT
YOU HAVE TO
MANAGE WITHOUT
AT HOME.
Make sure they have somewhere to
report security issues
If you haven’t already, set up an easily
remembered email address, such as
security911@yourcompany DOT example,
where users can report security issues
quickly and easily. Remember that a lot of
cyberattacks succeed because the crooks try
over and over again until one user makes an
innocent mistake – so if the first person to
see a new threat has somewhere to report
it where they know they won’t be judged or
criticised (or, worse still, ignored), they’ll end
up helping everyone else.
Teach your users – in fact, this goes for
office-based staff as well as teleworkers –
only to reach out to you for cybersecurity
assistance by using the email address or
phone number you gave them. (Consider
snail-mailing them a card or a sticker with
the details printed on it.)
If they never make contact using links or
phone numbers supplied by email, they are
very much less likely to get scammed or
phished.
Make sure you know about ‘shadow
IT’ solutions
Shadow IT is where non-IT staff find their
own ways of solving technical problems, for
convenience or speed.
If you have a bunch of colleagues who are
used to working together in the office, but
who end up flung apart and unable to meet
up, it’s quite likely that they might come up
with their own ways of collaborating online
– using tools they’ve never tried before.
Sometimes, you might even be happy for
them to do this, if it’s a cheap and happy
way of boosting team dynamics.
For example, they might open an account
with an online whiteboarding service –
perhaps even one you trust perfectly well
– on their own credit card and plan to claim
it back later.
The first risk everyone thinks about in cases
like this is: “What if they make a security
blunder or leak data they shouldn’t?”
But there’s another problem that lots of
companies forget about, namely: what if,
instead of being a security disaster, it’s a
conspicuous success? A temporary solution
put in place to deal with a public health issue
might turn into a vibrant and important part
of the company’s online presence. So, make
sure you know whose credit card it’s charged
to and make sure you can get access to the
account if the person who originally created
it forgets the password, or cancels their card.
So-called’ ‘shadow IT’ isn’t just a risk if it
goes wrong – it can turn into a complicated
liability if it goes right!
Most of all, if you and your users suddenly
need to get into teleworking, be prepared to
meet each other half way.
For example, if you’re the user, and your IT
team suddenly insists that you start using a
password manager and 2FA (those second-
factor login codes you have to type in every
time) . . . then just say ‘Sure’, even if you hate
2FA and have avoided it in your personal life
because you find it inconvenient.
And if you’re the sysadmin, don’t ignore
your users, even if they ask questions you
think they should know the answer to by
now, or if they ask for something you’ve
already said ‘No’ to because it might
very well be that they’re asking because
you didn’t explain clearly the first time,
or because the feature they need really is
important to doing their job properly.
We’re living in tricky times, so try not to
let matters of public health cause the sort
of friction that gets in the way of doing
cybersecurity properly. n
www.intelligentcio.com