Four practical cyber policy considerations for safer remote collaboration
24 March 2021
The pace at which remote teams work and collaborate digitally has accelerated with the start of the 2020s. Relevant cyber security policies and risk response plans have become necessary both for compliance with privacy legislation and because online threats have increased in parallel.
Keep in mind that South Africa has the third highest number of cybercrime victims worldwide, which results in a loss of about R2.2 billion each year to cyber-attacks, according to the South African Banking Risk Information Center (SABRIC).
When it comes to collaborating remotely while keeping cyber security a top priority, definite and practical steps are needed. If implemented correctly and in line with a defined policy that employees are familiar with, these steps can equip employees with the behaviour, tools and frameworks to do the right thing in any situation that calls for action to safeguard the organisation and personal information.
1. Create security awareness from the inside
An organisation’s cyber policy offers an important guideline for its employees, but if it is not communicated in line with change management best practice, employee behaviour won’t change as the organisation or the policy requires.
We have found that the phrase ‘cyber policy training’ rarely achieves the input and commitment needed for the policy to be implemented effectively. Ultimately, the goal is to get the organisation’s employees to do the right thing at the right time – in this case, following a risk response plan correctly as and when a threat appears. To achieve this goal, it is important to give staff a sense of ownership and input in the early stages of policy consideration by:
- offering the draft policy on a platform open to all staff before it takes formal effect (preferably something more interactive than a PDF document), with the Information Officer receiving comment privately;
- communicating feedback on a shared FAQ page to maintain trust with staff, noting how their input has been considered in policy updates; and
- letting employees know that as many needs as possible have been considered. This goes a long way towards promoting policy adoption, even though it won’t be possible to accommodate every individual's needs.
2. Bring your own device (BYOD) parameters
It has become more common, especially where teams collaborate remotely, for team members to connect their personal devices to organisational systems and platforms. While it is important that the organisation’s cyber policy makes provision for personal devices in its BYOD section, there are perceptions that should also be addressed and clarified early on from a change management perspective:
- Establish trust with the employee. For BYOD policy requirements to be implemented effectively, it is equally important to differentiate between what BYOD is and what it is not. Spell out the ‘why’ behind particular policy sections and what level of access the organisation has to the device. For example, organisational access might be restricted to specific applications or services, which allows the IT team to wipe the organisation’s data from those applications if the device is reported lost or stolen. Employees may be distrustful of an organisation’s access, which is why trust should be built by stating clearly, for example, ‘we can’t read your personal text messages.’
- Be clear about responsibility. It goes without saying that a device, especially a personally owned one, that has access to organisational or client data needs to be protected with a password or passcode. Devices without appropriate security (a screen lock, device encryption, current updates) pose a significant risk to the organisation, which means basic security behaviours will be enforced on personal devices too. Make it clear that this digital hygiene practice protects not only the organisation but also the employee.
- Clarify the boundaries. State clearly what behaviour is expected or accepted and what is not. For example, no employee is obliged to respond to calls, instant messages or emails while driving; pulling over before responding to any work-related communication is required. Policies often fail because of ‘what is not stated’, or because behavioural expectations are vague or ambiguous.
3. Password setup is less about choice and more about password hygiene
As system security requirements have become stricter, so have standardised password requirements. Systems can now be configured to accept only passwords that meet a defined standard (for example a minimum length and a check against known breached passwords), which enforces a baseline level of security for every account. This means that a poorly chosen password poses less of a risk, particularly when combined with multi- or two-factor authentication, which should ideally be enforced for all system access.
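Point 3 can be made concrete by writing down the check an identity system enforces at the moment a password is set. The block below is an added example, not code from the original article or from ENSafrica: it applies a minimum length, a minimum number of distinct characters, a check that the password does not embed the account name, and a lookup against a breach corpus. The breach list is a constructed four-entry sample standing in for a full breach dataset, and the length and distinct-character thresholds are assumptions chosen for illustration.

```python
"""Set-time password acceptance check (added example, not the article's own code).

Instead of composition rules (one digit, one symbol, ...), the check enforces
a minimum length, a minimum number of distinct characters, no embedded account
name, and absence from a breach corpus. The thresholds and the breach list are
assumptions constructed for this example.
"""
import hashlib
import unicodedata
from typing import List, Set, Tuple

# Policy parameters: assumptions for this example, not figures from the article.
MIN_LENGTH = 12
MAX_LENGTH = 128
MIN_DISTINCT_CHARS = 4

# Constructed sample of breached passwords. Only SHA-1 digests are kept so the
# plaintext list never has to ship with application code; a real deployment
# would compare against a full breach corpus instead of four entries.
_CONSTRUCTED_BREACHED = ["password123", "Welcome2021!", "Summer2020", "qwerty123456"]
BREACHED_SHA1: Set[str] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _CONSTRUCTED_BREACHED
}


def normalise(password: str) -> str:
    """NFKC-normalise so visually identical inputs compare equal.
    Case and whitespace are deliberately preserved."""
    return unicodedata.normalize("NFKC", password)


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the normalised password (the breach-corpus key)."""
    return hashlib.sha1(normalise(password).encode("utf-8")).hexdigest().upper()


def breach_query_parts(password: str) -> Tuple[str, str]:
    """Split the digest for a k-anonymity range lookup: only the 5-character
    prefix would leave the organisation; the 35-character suffix is compared
    locally against the list of suffixes returned for that prefix."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def check_password(password: str, username: str = "",
                   breached: Set[str] = BREACHED_SHA1) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    pw = normalise(password)
    problems: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if len(set(pw)) < MIN_DISTINCT_CHARS:
        problems.append("too few distinct characters")
    # Very short account names would match almost anything, so require 3+ chars.
    if len(username) >= 3 and username.lower() in pw.lower():
        problems.append("contains the account name")
    if sha1_hex(pw) in breached:
        problems.append("appears in a known breach corpus")
    return problems


if __name__ == "__main__":
    # Constructed inputs for a quick demonstration.
    for candidate, account in [("Welcome2021!", "thabo"),
                               ("Table Mountain at 06:00 in June", "thabo"),
                               ("thabo.mokoena@work-2021", "thabo")]:
        verdict = check_password(candidate, account) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The check deliberately says nothing about character classes: a long passphrase passes, while a twelve-character password that sits in the breach corpus is rejected regardless of how many symbols it contains. The breach lookup replaces composition rules; it does not replace multi-factor authentication, which the policy should require separately.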
The more practical cyber policy inclusion is password hygiene: how passwords are stored and shared. An organisation’s cyber policy should be very clear about the behaviour it wishes to encourage and discourage. Passwords should not be stored on a note or in a document (outside an approved password manager), shared with others or even hinted at. The organisation’s IT department can assist with resetting forgotten passwords, but we recommend capping this at three resets every six months, with a penalty for more frequent requests. We’ve found that enforcing penalties encourages employees to actually make an effort to remember their passwords.
Empowering employees to adopt effective password hygiene is one of the best ways to establish accountability and reiterate the importance of secure system collaboration.
4. Regular stress testing of the Risk Response Plan (RRP) encourages vigilance
All too often we’ve seen the effects of a great RRP that was poorly communicated during implementation. When a cyber security breach occurs, employees don’t know what to do or whom to contact, because the appropriate behaviour has not been sufficiently ‘rehearsed’.
In addition to the first point above on creating sufficient internal awareness, we also recommend regular stress testing of the organisation’s RRP. Knowing that their knowledge of and response to the RRP may be tested at any moment leads employees to act with much more vigilance and awareness.
For example, as part of a stress test requested by a client, we facilitated a hacking attempt on the client’s system in conjunction with IT support. We monitored who responded correctly and followed the RRP. For the selected employees it was important to actually experience a simulated cyber security event and to default to RRP actions, so that they are not overwhelmed by a fight-or-flight response. Needless to say, they were given credit on the client’s internal public forum for following the plan and taking the appropriate actions.
Finally, privacy by design should be central to any IT or compliance roadmap, since fitting privacy considerations onto a system or policy retroactively is not effective. A proactive approach allows privacy controls to be built into the system from the start, with behaviour then changing accordingly when those controls are communicated and facilitated well and in tandem with policy requirements.
In light of the Protection of Personal Information Act (POPIA) that comes into full effect on 1 July 2021, there has never been a better time to address your organisation’s need for vigilance, awareness and the mandatory requirements of a cyber policy and RRP.
In association with the Technology, Telecommunications and Media department at ENSafrica, our multi-disciplinary team follows a holistic POPIA approach in which we facilitate an initial systems gap analysis and legal analysis. The recommendations that follow from the identified privacy compliance gaps are tailored to the organisation’s size and its employee complement.
Reach out to us at firstname.lastname@example.org for more information.