Much of this book was written before the COVID-19 pandemic swept across the globe in 2020. At a time when many organisations have the majority of their staff working from home and social distancing is the norm, the concepts we have discussed here – security awareness, behaviours and organisational cultures – can seem disconnected from the reality we are experiencing at the time of writing and the cybersecurity challenges we face.
However, these concepts are more meaningful than ever. As individuals come to terms with working from home using new IT, new software and becoming more reliant on their own judgement when it comes to cybersecurity, the ABCs assume a new and more important role. For many individuals, if they click on a link or download a free app from the internet, they may find their sole source of work and income – their IT – is taken away from them. There is no IT department to call for help or someone who can ‘pop up and take a look’; such help is delivered remotely, through the very IT that has just been compromised through their actions. Cybersecurity incidents are no longer someone else’s or the business’ problem. Incidents are personal.
Remote working throws up a number of challenges, but there are many technical solutions that can be implemented to provide a reasonable level of protection to remote IT equipment. But aside from the technology, the only other level of protection we have is the individual: what they can remember from awareness training, the habits and behaviours they have adopted (or adapted) when working from home, the habits and behaviours they remember from the office and their judgement. In sum, the bits of the organisational culture they remember and apply when they sit down in front of their laptops.
Organisational culture113 can be a strong influencer as people adopt to the different ways of working that are now being practised, as it can give them a sense of belonging, a sense of normality and guidance on their work behaviour outside their usual work environments. We can build on those remembered behaviours, through clear and simple messaging. Whereas our audience for culture change was the team, function or organisation, we know now it also has to be the individual or the small group. Our messages have to become less formal, less ‘do not’ and much more engaging, more about ‘how to’ and, in some senses, ‘carry on’.
And that is what we suggest you do: carry on. Use the guidance, tools and insights we have presented here to help you improve people’s knowledge, behaviours and judgements through the ABCs.