Hybrid work is emerging as a norm, especially for companies who have a mix of workers whose job requires coming into the office, and those who are able to accomplish their work at home. This hybrid workforce is expected to become more prevalent as 75% of workers want to retain flexibility over their schedule beyond the pandemic. To get some insight into how security executives executives can implement consistent security practices for the new hybrid workforce environment, we spoke to Michael Borromeo, Vice President, Data Protection at Stericycle, the provider of Shred-it information security services.

Security: What are the challenges of implementing consistent information security practices for hybrid workers across the physical workplace and the home office?

Borromeo: One of the major challenges of implementing consistent information security practices for hybrid workers is that many companies simply don’t have information security policies in place that adequately address requirements when working remotely. Just over half (53%) of C-suite executives (C-suites) and 41% of small business owners (SBOs) state they have remote work policies in place that are strictly adhered to by employees working remotely. A lack of governance and policies is concerning as 75% of employees also say they print work-related documents while working from home.

Even if policies do exist, another key challenge is the enforcement of these policies. Training plays a big role in ensuring employees are following security practices whether working on-site or remotely. Thus, businesses should establish consistent employee training and awareness programs on their information security practices to ensure their data is protected.

Security: What are some effective security practices that can be adopted for a hybrid workforce to include in businesses information security policies?

Borromeo: A clean desk policy is a key information security practice that can be easily adopted by employees whether they are working on-site or remotely. Keeping employee workspaces clear of confidential or sensitive information is an important aspect of protecting data. However, since only 7% of C-suites and 18% of SBOs operate in a paperless environment, this can potentially be a daunting task.

To help employees comply with a clean desk policy while working remotely, ensure they have the necessary resources, such as access to a lockable storage cabinet to safely store their documents until they can be properly shredded by a National Association for Information Destruction (NAID) certified shredding service provider. The policy should advise remote employees to store physical documents and devices in a locked cabinet while at home, then bring them to the workplace to dispose of when working on-site. Alternatively, companies should provide employees with access to secure drop-off sites to ensure safe disposal.

Additionally, companies should implement appropriate technical safeguards, such as requiring the use of a VPN to remotely access networks and a set of approved tools for securely transferring data. To minimize confusion, these processes should have the same steps regardless of work location.

Security: What are best practices to train employees in cybersecurity?

Borromeo: When it comes to cybersecurity, even the best security technologies can fail if employees are not trained and equipped to protect against security risks. Since 24% of C-suites and 54% of SBOs reported having no regular employee training for information security, the first step for many businesses is to implement a training and awareness program for all employees. For maximum effectiveness, the program should be promoted by executive leadership to provide “tone at the top” so that everyone understands its importance to the organization.

In today’s digital world with continuously evolving threats, delivering an annual information security training course for employees is not enough. Training must be supported by a continuous awareness program that helps employees build “muscle memory” for how to identify and avoid scams, report suspicious activity, and exercise good judgement. 

Continuous reinforcement is crucial for teaching complicated concepts, as only an educated workforce can build and maintain a culture of information security and privacy compliance within an organization.

Security: What type of training works best to build employee cybersecurity awareness?

Borromeo: Cybersecurity awareness is an important aspect of training, however, the number of organizations that regularly train employees on how to identify common cyberattack tactics, such as phishing, ransomware or other malicious software, declined 6% for C-suites (from 88% in 2019 to 82% in 2020) and 7% for SBOs (from 52% in 2019 to 45% in 2020).

Employees can be a company’s greatest strength but also its greatest weakness when it comes to information security. When provided with the right training, employees can protect the company from data breaches by serving as another set of eyes and ears for the IT department, identifying and reporting phishing scams or other suspicious activity so it can be properly tracked and investigated.

Companies should also consider providing scenario-based content to teach employees how to apply what they’ve learned on a regular cadence. For example, companies can deploy simulated phishing emails, “how-to” videos, or in-person/virtual sessions to run “What if…” drills. Overall, the most effective training is that which is specific to a company’s industry or business model to allow employees to relate and better absorb the content.