
teissTalk: Building a security culture in a remote and hybrid working world

teissTalk host Geoff White was joined by John Scott, Head of Education, Cyber Security Division, Bank of England; Dora Ross, Global Information Security Culture Specialist, DAZN Group; and Fahim Afghan, Senior Product Marketing Manager, Egress.

Views on news
The UK’s financial regulator, the Financial Conduct Authority (FCA), has released new guidance to help organisations in the sector transition securely to hybrid working practices.

It also warned that financial sector firms must prove that “the lack of a centralized location or remote working” doesn’t increase the risk of financial crime. The FCA’s new guidance is addressed to a wide range of financial institutions, so its wording is rather general. In simple terms, it asks whether a particular financial organisation has adapted to remote and hybrid working arrangements 18 months into the pandemic.

WFH and BYOD arrangements have far-reaching implications for the way the FCA will investigate security controls. As an employee’s location and private laptop become part of the organisation’s security posture, does that mean the regulator can come into your home and scan the device you work on? Business continuity plan requirements will also pose new challenges in a remote working environment: how do you run pen tests on private devices?

Is onboarding, induction and security training delivered more effectively face to face?

According to the ad hoc poll conducted by teissTalk, 64 per cent of respondents think that security training is more effective when done F2F. The panellists take different approaches to training.

At DAZN, where remote work was a natural arrangement even pre-pandemic, imparting small chunks of knowledge in micro-modules works best, alongside nudges given to staff in the form of emails and blog posts. Strictly regulated organisations such as the Bank of England need to switch back from virtual to F2F checks and training as soon as they can to meet legal requirements.

ML has increasingly been used in email security, with some very impressive results. When the algorithm identifies an unusual pattern in user behaviour, for example an email to an external organisation that is addressed to someone other than the usual contact there, a prompt comes up on the screen asking the sender to confirm the addressee. As a result, staff will in several cases realise that the email they are responding to was a scam, and back away from sending their reply. As John called it, this can serve as a speed bump implemented to prevent incidents.

The latest breed of ML will not only prompt you to think twice before you fall victim to a threat but will also explain what the risk is. JIT (just-in-time) training is about leveraging these states of teachability, when a real-life situation makes employees more receptive to learning. A function that requires the user to classify emails according to their risk level can also invite alertness rather than letting staff go about their online business on autopilot.
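The two paragraphs above describe the mechanism in outline: learn who a sender normally emails at each external organisation, interrupt the send when the recipient breaks that pattern, and explain the risk in plain language at the moment of the interruption. The following is an added illustration of that logic, not code from the panel, from Egress or from any product the speakers mentioned. It assumes a simple rule-based model in place of ML, an internal domain of `example-bank.test`, and a constructed sent-mail history; the risk levels and the Levenshtein threshold for look-alike domains are design choices of this example.

```python
"""Added example: a rule-based 'speed bump' for outbound email.

Assumptions (not from the original page): the organisation's own domain
is example-bank.test, prior sent-mail history is constructed below, and
a look-alike domain is one within Levenshtein distance 2 of a domain
the sender has used before.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class OutboundCheck:
    prompt: bool   # True = interrupt the send and ask for confirmation
    risk: str      # "low", "medium" or "high"
    reason: str    # plain-language explanation shown with the prompt


def _split(address: str) -> tuple[str, str]:
    """Return (local_part, domain) of an address, lower-cased."""
    local, _, domain = address.strip().lower().rpartition("@")
    return local, domain


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class RecipientHistory:
    """Who this sender has previously emailed, keyed by external domain."""
    internal_domain: str
    seen: dict = field(default_factory=lambda: defaultdict(set))  # domain -> local parts

    def record(self, address: str) -> None:
        local, domain = _split(address)
        self.seen[domain].add(local)

    def check(self, address: str) -> OutboundCheck:
        local, domain = _split(address)
        internal = self.internal_domain.lower()
        if domain == internal:
            return OutboundCheck(False, "low", "Internal recipient.")
        known = self.seen.get(domain)
        if known is not None:
            if local in known:
                return OutboundCheck(False, "low", f"You have emailed {address.lower()} before.")
            usual = ", ".join(sorted(known))
            return OutboundCheck(True, "medium",
                                 f"At {domain} you usually write to {usual}, not {local}. "
                                 "Is this the right person?")
        # Unknown domain: is it a near-miss of one the sender trusts (or of our own)?
        for other in set(self.seen) | {internal}:
            if _edit_distance(domain, other) <= 2:
                return OutboundCheck(True, "high",
                                     f"{domain} looks like {other}, which you have used before. "
                                     "Check the spelling of the address before sending.")
        return OutboundCheck(True, "low",
                             f"You have never emailed anyone at {domain}. "
                             "Confirm this is the intended recipient.")


def send_with_speed_bump(history: RecipientHistory, address: str,
                         confirm: Callable[[OutboundCheck], bool]) -> tuple[bool, OutboundCheck]:
    """Gate a send on the check; `confirm` stands in for the yes/no dialog.

    Returns (sent, check). A confirmed send is recorded so the same contact
    does not trigger the prompt next time.
    """
    result = history.check(address)
    if result.prompt and not confirm(result):
        return False, result
    history.record(address)
    return True, result


def demo() -> dict[str, OutboundCheck]:
    """Run the check against constructed history and return each outcome."""
    h = RecipientHistory("example-bank.test")
    for addr in ["alice@supplier.test", "alice@supplier.test", "bob@auditor.test"]:
        h.record(addr)
    return {
        "known": h.check("Alice@Supplier.test"),
        "new_person": h.check("mallory@supplier.test"),
        "lookalike": h.check("alice@suppiler.test"),
        "new_domain": h.check("carol@newfirm.test"),
        "internal": h.check("dave@example-bank.test"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        flag = "PROMPT" if result.prompt else "ok    "
        print(f"{flag} [{result.risk:6}] {name}: {result.reason}")
```

The point of returning a `reason` with every check is the JIT angle from the panel: the interruption itself teaches something only if it says why the send looks unusual. A real deployment would learn the history from the mail store and tune the look-alike threshold, but the decision flow (known contact passes, unfamiliar contact at a familiar organisation prompts, near-miss domain prompts hardest) is the part worth copying.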

Panellists’ advice
Induction is not the same as training; it should be about welcoming new colleagues on board. Don’t overwhelm them! The take-away from the first one or two days shouldn’t amount to more than 3 items: tell them who they can turn to for help, which security practices are specific to the organisation they are joining, and how they can become good “citizens”.

JIT training provided by ML software can only augment structured training programmes, not replace them.


All rights reserved Teiss Recruitment Ltd.