Reinforcing Security Norms During the Coronavirus Crisis

This blog was co-written by Joanna Huisman and Aimee Laycock. We have all seen an increase in the amount of advice and guidance from the healthcare sector and others since the start of the Coronavirus crisis. The latest recommendation I’ve heard is that washing your hands with antibacterial soap to the tune of “Happy Birthday” allows the right amount of time for disinfecting to take place. Amongst adults, washing our hands frequently is the normal, expected, and socially accepted response to a flu outbreak, but is that enough?

With heightened concerns, it is imperative that everyone understands what is expected of them, and therefore the advice has become more directive than tacit. Best practices have become policy. This is because when policies are clearly communicated and accepted by the group, they help consolidate such pronouncements into normatively acceptable behavior. 

Such methods can be used to improve security awareness and modify employee behaviors too. Behavior can be difficult to change, but not impossible. Human behavior is strongly affected by culturally transferred norms and values. Norms by definition generally tend to be unwritten, unspoken social rules. However, with effective communication, norms can be positively reinforced using written rules and implementing procedures. 

Other techniques proven to drive cultural change include: acknowledging concerns, celebrating achievements, and exemplifying behaviors by sharing examples of correct and desired behavior. These methods work by positively influencing our attitudes towards the desired outcome and normalising desired behaviours through effective communication. 

Norms are widely understood to be one of the most important mechanisms that influence human behaviors, thus a key element of security culture. Just as norms in general help people negotiate their daily activities, organizational norms guide people in their daily conduct in their workplace environment. 

Once we start to see positive behavior change, a key factor in building a sustainable, positive and strong security culture is through organizational norms. Although norms are relatively stable social structures, they too can be changed and improved. 

So, when it comes to information security, what are the desired security practices that we need all employees to follow now more than ever?

1. Strong, unique passwords – Create strong passwords by using passphrases or numbers, letters and symbols. Use a password manager to keep track of them all. If a criminal figures out your personal password, and it is the same as your work password, they may be able to access the company’s systems (and vice versa).
2. Watch your personal information – Do not share any personal information including social security number, credit card or banking information unless you know it is a confirmed, secure source. 
3. Lookout for red flags – Don’t click on anything without first checking for red flags. Criminals take advantage of times of crisis to do their dirty work. We will see an escalation of mischief. Therefore, phishing emails, smishing SMS/texts, and vishing calls will be on the rise. Before engaging with any communication, take caution and stop to ensure that it is from a secure, known party.
4.  Use secure WiFi - Trust only known and secure WiFi connections when dealing with sensitive data like financial info. If using unknown/unsecure WiFi is really unavoidable, always make sure you have a VPN installed and turned on.
5. Ensure mobile security - Don't let your guard down because you're on a mobile device. Be just as careful as you would on a desktop! Some ways to stay safe are to not respond to voicemails or calls asking for your financial info, or to not trust text messages that attempt to get you to reveal your personal information.

If you have been doing the right thing by your company and employees, and providing them with frequent and relevant security awareness training, these helpful hints are already security practices they follow. 

As we push through the uncharted territory of a Coronavirus pandemic, we are seeing an increased number of targeted threats aiming to take advantage of our heightened health concerns. Plus, more office employees are working from home. It is never too soon to put measures and training in place that will help guide people on the correct procedures to follow.  

The need for useful, effective and engaging training is greater than ever. Stepping your employees through new-school security awareness training offers an effective way to reinforce positive norms during the Coronavirus crisis.