Productivity vs Security: Part 2

As much as we all hope that things will go back to “normal” when the threat of this pandemic ceases, there are some things that won’t – and one of those is the mobile workforce. In part one, we focussed on the problem; here in part two, we’ll focus on the solution.

Evolving Productivity into Security

As we discussed in part one, being technically secure is not enough. In order for any business to be secure in the current environment, the workforce must be educated to understand how to work securely. This is especially important in a small business where familiarity among the staff often leads to a more lackadaisical attitude towards security.

Some of the biggest problems we see are:

  • credential sharing
  • computer profile sharing
  • remote users using public WiFi
  • the assumption that home networks are secure

Before we can get into discussions of threat recognition, we must get past these first hurdles.

The first two, credential sharing and computer profile sharing, are a big problem for audit logging and accountability. This all comes down to one simple fact of human nature – if you can’t be held accountable for your actions, you are far less likely to care. When it comes to cybersecurity, user awareness is a critical component. In businesses where this type of sharing occurs, there is typically an attitude of productivity over security, significantly increasing the chances of a data breach.

And the other two problems, public WiFi and home network security, are examples of a lack of understanding of the basic tenets of cybersecurity. Because many mobile devices have a data cost associated with their plans, free WiFi is typically seen as something to be celebrated. Except that free WiFi almost always means insecure WiFi – allowing others to monitor where you go online and what you do. Home networks are not often much better. Because they’re used by the entire household, you can never know if someone went to a website that got hacked or opened an email with a virus. Doing work from these types of insecure networks puts the business at risk and also significantly increases the chances of a data breach.

It’s not enough to be technically secure. There must be a balance between productivity and security, and that means finding ways to work with security rather than trying to work around it.

End-User Training

Does this seem familiar?

Manager: “Okay everyone, read this email about Phishing.” ***checks cybersecurity training as complete***

This is not enough. Adding a monthly video for end-users to watch is still not enough. These are examples of sleepwalking through the steps to check a box. In order for security awareness training to be worthwhile, it must first answer the questions of why it is important, not only to the business but also to the workforce.

This type of training starts with the decision-makers in the business. Buy-in starts at the top – if owners and managers show concern for and an understanding of security awareness, that attitude is far more likely to be adopted by the workforce.

Security awareness must be reflected in the policies, processes, and procedures. Yes, it is far more convenient when front desk workers can move between computers without having to log on and log off to cover one another’s duties, but it is also far less secure. Establishing a Computer Use Policy that requires everyone to use their own login/password on each computer they use, and backing that up with trained procedures, will set the proper expectations. The same is true for a Work From Home Policy, Mobile Device Policy, Password Policy, etc.

There must be accountability. Once everyone signs off on the policy or is trained in the processes and procedures, the workforce must be held accountable to follow it. This means looking for security violations and taking corrective actions when necessary. In a small business setting, where people have worked together for years, this can be challenging. Then again, recovering from a data breach is also challenging, and – considering that 60% of small businesses go out of business after a data breach – it’s worth the effort.

Doing these things will bring about a culture of security in the business where productivity works in harmony with security instead of against it. Once you have that, providing ongoing awareness training in the form of email alerts and videos is far more effective.
