
    ISO 27001 & ISO 22301 Blog

    Importance of security awareness trainings during the pandemic

    COVID-19 has changed the way people work all around the world. The need for social distancing has made professional interactions less physical and more virtual, and working from outside an organization’s premises is now commonplace. Such changes in business scenarios may cause new cybersecurity risks to arise, or known risks to change, and organizations need to ensure that their employees know what needs to be done in these situations.

    How to improve the security awareness of employees during the pandemic:
    • Identify the most relevant information security risks your employees are exposed to;
    • Identify legal requirements the organization must fulfill regarding protection of information;
    • Consider how to deliver your message and how the content must be elaborated;
    • Define the target groups’ profile;
    • Develop the security awareness plan.

    But how should you provide security awareness? And about which topics? Inadequate approaches, as well as too much or too little information, will only confuse people and complicate things.

    This article will present how ISO 27001, the leading ISO standard for information security management, can help organizations provide security awareness training for their employees, with optimized effort and costs, in a way that allows people to receive proper and useful information on how to identify and handle cybersecurity risk situations.


    What is security awareness training?

    In short, security awareness training is any activity with the purpose of making people understand why security is needed. For example, it does not explain how to perform the backup; rather, it explains why backup is important for a company.

    Its main characteristics are:

    • it does not go deeper into processes and methods (when needed, it includes references to policies, procedures, or other materials that may be consulted later);
    • the content and duration are brief (e.g., a one- or two-page document, or a five- to 10-minute presentation);
    • it focuses on specific situations in each session (e.g., social engineering, malware, backup, phishing attacks, acceptable behavior, etc.).

    Read more about the benefits of security awareness training here: What are the benefits of security awareness training for organizations?

    Security challenges during the pandemic

    From an information security point of view, work changes due to the COVID-19 pandemic (e.g., the introduction of remote work, an increase in web tools usage, etc.) have brought or increased challenges to the protection of the confidentiality, integrity, and availability of information, such as:

    • control of organizations’ information on personal devices (e.g., laptops, smartphones, tablets, etc.);
    • access control to internal systems from locations that organizations have little to no control over (e.g., employees’ homes, hotel rooms, etc.);
    • provision of enough capacity for required communications services (e.g., for video conferencing, secure remote connectivity to systems, etc.);
    • support of employees with different information technology and information security skills.

    While the first two bullets are mainly addressed by technological solutions, and the third by proper internal capacity planning or by security clauses in contracts or service agreements with providers, the last one relies mainly on security awareness training, because it is the employees’ behavior that needs to be shaped.

    How to improve your remote employees’ security awareness during the pandemic

    ISO 27001 mandates that people who can affect the performance of information security need to have the proper knowledge, skill, and experience. Additionally, according to ISO 27001, security controls must be based on relevant risks and applicable legal requirements.

    Considering that, in order to improve the security awareness of employees working remotely (e.g., working from home, or working from other places, like hotel rooms), you first need to identify the most relevant information security risks they are exposed to, as well as any legal requirements (e.g., laws, regulations, or contracts) that the organization must fulfill regarding protection of information.

    For example, the most common risks related to remote work are social engineering, identity theft, and device theft. To learn more about the threats and vulnerabilities to keep track of when working from home, download this free Checklist of cyber threats & safeguards when working from home. As for examples of legal requirements, we can mention the EU General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA). This way, you will focus on the most relevant issues and optimize your resources. To learn more, read this article: Is the GDPR applicable to our company?

    After the identification of the issues to be covered, it is necessary to consider:

    • how to deliver your message (e.g., by email, through the organization’s web page, etc.),
    • how the content must be elaborated (e.g., as a document, a video, a live presentation, etc.),
    • the target groups’ profile (e.g., managers, developers, financial staff, employees in general, etc.).

    By considering these factors, you increase the chances the content will be understood and accepted by employees.

    The following table shows a summarized example of an awareness plan:

    [Table: Security awareness trainings: How they help during the pandemic]

    To learn more about GDPR-related privacy risks, watch this free webinar: How to make work from home compliant with GDPR.

    Effective security starts with good awareness

    The pandemic has made work from home practically mainstream, requiring workers with all sorts of information technology skills and Internet behavior to meet through video conferences, access systems through VPN, and communicate through messenger applications.

    This new way of doing business has increased the attack opportunities for cybercriminals, and organizations need to ensure that their security rules are also followed by people working outside the office, which increases the importance of security awareness trainings.

    However, awareness training needs to be delivered systematically, to ensure that the right information reaches people, that their basic understanding of why it is important to handle risks improves, and that the message is not lost in the flow of daily communications. For this, the systematic approach of ISO 27001 can help organizations deliver the right information at optimized cost.

    To improve the security awareness in your organization, enroll in this free security awareness training – a series of videos that can be understood easily by any employee in your company.

    Rhand Leal
    Rhand Leal has 10 years of experience in information security, and for 6 years he has continuously maintained a certified Information Security Management System based on ISO 27001. Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are: ISO 27001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.