Rebuilding your security culture as employees return to the office

The return to work allows security teams to refocus on areas of their insider risk management program that may have been swept under the rug while working remotely. As employees reunite for the first time in a long time, it’s a good opportunity for companies to rebuild a stronger office security culture between employees and security teams – one that comes from a place of positive intent.

Set the stage for success

Whether employees have been with the company for seven years or seven months, when they return to the office they should be treated as if it’s their first day at the company. All members of the team, no matter how veteran, should go through a refresher on security practices.

Your security team can do this by teaching or reminding staff how to properly manage and move data within its appropriate environment to minimize possible data exposure. This promotes healthy security practices and provides regular and customized training for the entire team.

If your company is moving to a hybrid workforce approach, ensure your employees are set up with the right knowledge and/or equipment they need for dual offices to minimize data loss. For instance, encourage use of company drives to access data from both locations rather than porting data via thumb drives.

Create a positive intent security culture for your office

People need to move data to get their work done, and it can be a natural instinct for security teams to respond negatively to data exfiltration alerts. However, Code42 research shows that most data leaks happen unintentionally. One example of this could be when someone accidentally exfiltrates data when they connect a personal drive to their work device, unintentionally synching work files onto their personal cloud. Instead of leaping to the conclusion that employees are stealing data, investigate to find out more.

Often, they are simply trying to get work done or collaborate with a colleague or partner. Use these moments as an opportunity to educate them on more secure ways to share data, always beginning the conversation with positive intent. For example, start with “We noticed this… did you see it, too” rather than starting the conversation with an accusatory tone. Doing so will position them as security allies instead of security enemies, and that’s a better way to encourage them to work together with your security team.

Find new ways to communicate about cybersecurity

Emphasize the importance of security and why it matters to all employees as they return to the office. Your insider risk management program should start when employees do, so make security conversations part of company onboarding practices, even if you only talk about it for a few minutes. This will allow you to set the appropriate tone, inform employees that your security team isn’t trying to be “Big Brother”, and show them that you need their help to protect company assets.

For security messages to be as effective as possible, be sure to tailor them to meet employees’ needs and situations — know your audience and what information and delivery will resonate with them the most. Work hard to keep employees engaged by using repetitive, sticky messages. You cannot expect employees to know how to react to a security risk in real life if you don’t make a concerted effort to include security conversations at multiple points in their employee experience.

Be transparent with your employees and encourage them to do the same

Build trust with your employees and encourage them to feel comfortable about speaking to your security team about their online actions. Remember, they’re just trying to get stuff done.

Transparency can go a long way. At Code42 we ask our employees to be as transparent as possible and they expect the same from our security team. For example, before employees leave the company, they often give us a heads up if they are moving personal files like photographs from their work computer to a personal one.

Ultimately, proactive behavior is helpful to security teams because it shortens potential investigation times and allows the team to suggest more secure transfer methods, such as an encrypted drive.

There will be a flood of stressors when returning to the office, but if a culture of positive intent is established and employees put their teachings to use, business executives should be able to breathe a sigh of relief.

Educating employees on insider risk management best practices and establishing a positive intent security culture will help everyone feel like they are on the same team when it comes to protecting the organization.