90. The impact of COVID on cyber engagement with Amy Ertan
In Claire’s chat with Cyber Security Fellow Amy Ertan, whose research focus is on the security implications of emerging technologies as well as themes relating to the human aspects of cybersecurity, they talk about her recent findings post COVID lockdowns.
Amy shares the impact of COVID on security behaviours and her research into how psychological safety, company loyalty and culture all play a part. They talk about whether phishing exercises work, and who Amy believes is doing security influence well. Amy's commitment to cyber through her studies and what she gives back to the industry is commendable.
Amy Ertan is a Cybersecurity Fellow at the Harvard Kennedy School’s Belfer Center for Science and International Affairs, an Information Security Doctoral Candidate at Royal Holloway, University of London, and a Visiting Researcher at the NATO Cooperative Cyber Defence Centre of Excellence. Her research interests focus on the security implications of emerging technologies as well as themes relating to the human aspects of cybersecurity. Amy has published UK government-affiliated reports on organisational cybersecurity behaviours, engaging C-suite colleagues with cyber risk management themes, and on the impact of pandemic-driven remote working in organisations. She holds CISSP and CREST Threat Intelligence qualifications and has previously worked in roles in areas including cyber intelligence, strategy and policy research, cyber wargame design and execution, and security risk management.
Links:
Transcript
CP: Hello, and welcome to The Security Collective podcast. I'm your host Claire Pales, and today I'm joined by Amy Ertan. Amy is a Cybersecurity Fellow at the Harvard Kennedy School's Belfer Centre for Science and International Affairs, an Information Security Doctoral Candidate at Royal Holloway, University of London, and a visiting researcher at the NATO Cooperative Cyber Defence Centre of Excellence. Amy is a well published expert in our industry, including UK Government affiliated reports and papers, and she holds CISSP and CREST Threat Intelligence qualifications. In our chat, Amy and I discussed the impact of COVID on security behaviours and her research into how psychological safety, company loyalty and culture all play a part. We talked about whether phishing exercises work, and who is she seeing doing security influence well. Amy's commitment to cyber through her studies and what she gives back to the industry is commendable. And I really enjoyed this cross hemisphere chat with Amy Ertan
So Amy, it is a pleasure to have you on the podcast today all the way from Estonia.
AE: Thank you so much lovely to be here.
CP: And it's probably an underestimation to say it's been quite a journey over the last couple of years. Everyone calls it unprecedented times. We have seen our staff globally head home. I recall seeing photos of people pushing desk chairs at the streets in Sydney with monitors balancing and we all headed home, haven't quite headed back to the office yet, like we thought we would. We know this has really impacted the work environment. And I really wanted to have you on the podcast to talk about some of the things that you've discovered about cybersecurity during these times of COVID. So how have people been impacted by lockdown? Behaviours of our staff have changed, what have you seen? What did you find through your research?
AE: Absolutely, a lot of very good questions. So the research that I did with some colleagues was to interview a number of security professionals, mostly in UK and Europe, but around the world around exactly this, what happened in 2020 when we suddenly move to remote working when we have pandemic restrictions. What happened to them in terms of their well being, the way they work, and how that spilled into cybersecurity behaviours and aspects as well? As well as, of course, the cybersecurity threats happening at the time. So we got a lot of data on this, which we put into a report and found quite a few findings about the impact of lockdown and COVID on behaviours. So first talking about March/April, when everyone actually went into lockdown, and we had this really sudden shift to remote working. Actually, a lot of organisations were prepared in technical terms. If any organisation had had flexible working or remote working policies in place, they had VPN, they had things like that. So that was largely covered. Some people of course recorded problems, like not having enough VPN capacity, or even your employees not having Wi-Fi that's strong enough, especially that affected me. Of course, we go back to that time we had children being home-schooled, suddenly, you had a lot of people using that bandwidth. So you had a lot of those technical challenges too. Also an awful lot of uncertainty. So more on the human side and people working. Communication became key, it became a lot about what your leadership was saying to employees, were they being reassuring? Did employees know that they were going to have their jobs? 2020 was such a different time, there was actually not too much movement, not too many people left their jobs because they didn't know that they would get another one. And of course, you had this whole dynamic of suddenly your home environment becomes your work environment. You have to adjust your work life balance. You of course, somehow have to incorporate in the fact that you have COVID stress, you have to care for family, loved ones, children, you might have COVID. There were various different disruptions, so many of which your employer might not be aware about. So not surprising, but the main theme of our research actually became the psychological contract, this agreement between the employee and the employer about what that employment is, the trust and what you expect from one another. Now, the research tells us that where you have a positive psychological contract, your employees are happier, they're more likely to comply with security policies, they can see the point of things. In contrast, where you have a low or a negative psychological contract, you might have more people leaving in normal circumstances. You have people that are much less engaged, so less likely to maybe actually follow every single compliance aspect, because the trust isn't there either way from employee to employee. And this is where it becomes really interesting around 2020 and COVID. Because research on lockdowns of remote working, remote working before COVID was generally thought to be a perk, something you could opt into. So the research says you know, it's great, you have more flexibility, you're happier, you can you can choose to do this. That doesn't necessarily hold. We know that doesn't hold, people became very stressed, they couldn't necessarily get away from work. There was a lot of uncertainty around communication around how do you actually collaborate as a team and get things done. And when you think about cybersecurity, you had all these sort of extra challenges around opportunistic cybercriminals. A lot more phishing a lot more spam, a lot more people trying to socially engineer employees, particularly around COVID. Although security personnel that we interviewed did highlight that the scale went up massively, but it wasn't a new threat. So in terms of new security threats, technical controls, like spam filtering, and your secure VPNs could capture a lot. The main concern that security personnel reported to us was insider threat. The idea that now people are working from home, you don't have visibility over their actions. They may deliberately or unwittingly create or enhance a vulnerability. So the idea that actually as a security engineer or security officer in your organisation, you can't see what many of your employees are doing. That was the biggest change. So I feel like I said a lot there. But there was so much impact. And of course, we did this research in January to March 2021. So we were also in lockdown at that point, we were in a repeated lockdown. It's a year on and we still haven't seen all the impacts of lockdown and COVID on these behaviours. There's a lot of research that should still be done about what happened. And of course, the impact of everything that's happened the last few years, we won't fully realise that for some time.
CP: I think going back and re-interviewing some of the same security leaders that you interviewed last time, but then some new ones as well, who now have two years worth of data, and two years worth of opinions and anecdotal evidence would be incredible.
AE: There's so much. So it was interesting conducting interviews on the impact of this in January/February 2021. People reported that okay, in March/April, you had this rush to go home, connect people first, security came second, but largely, as I mentioned, that was in place. And then lockdowns continued and continued. And you started to have to deal with things like employee fatigue, poor mental health, the idea that only you're interacting with people, even having company socials on the same platforms, same online platform, so all these extra challenges. And now you've had another year of that for most people, a lot of people were burnt out at the time we interviewed them. But our research highlights at time there would be a lot of anxiety, bringing people back to the office afterwards, or hybrid working. There was no one size fits all for employee wellbeing. Some people, people more on the extroverted side that were gasping to get back to the office, actually get that collaboration and meet new colleagues I haven't met. You had people that actually were really enjoying being able to spend more time with their family and not commuting. And to have perfectly fine workarounds in their view for working remotely. So it would be fascinating to capture that now. And also, so we interviewed a relatively small number of people, 17 people from different sectors. And we found a really broad range of responses and how different kinds of organisations treated their employees during this period. Some immediately tightened cybersecurity controls, made it quite restrictive. Employees didn't actually view it as very positive. They thought that employees didn't trust them. It wasn't great, wasn't good for the psychological contract, necessarily. Other organisations turned around and said, you're our family if we need to repurpose your device, so you can have a separate network and home-school your kids or watch Netflix, we would do that for you. And that seemed to have a good impact of course on the employees who suddenly felt that trust and could understand why security controls were in place. And reportedly were therefore happier to go along with security things and just were happier in general. So just recognising that employees are different, and that also impacts how they behave in cybersecurity terms as well. There's so many open questions on why one person is more likely to click a link than others. Yes, some research that says gender has an aspect, some research which says it definitely doesn't. Research says if you're more senior, you're more or less likely to do it, depending on if you're knowledgeable, or overconfidence. We don't really know. So at the moment today, I think it's just recognising everyone's different. Different training techniques for work for different people. Some people will love gamified training, some people will love lectures and just having a person to ask. We need to be flexible as security people here.
CP: The onboarding process during the pandemic has been quite problematic for some companies and other people have said it's, you know, it was the best onboarding I've ever had. It was talked about quite a bit in your report. And I'm wondering what was some of the risks and concerns regarding the security of remote onboarding, and having staff understand the security expectations of a business? I'm keen to understand what you learnt through the research because creating that positive security culture in a remote work environment, especially if your staff are new as well. How did that sort of come through in the research outcomes?
AE: That's a really good question. So the idea of the psychological contract actually building that trust, of course, is critical when you're bringing new people in. So the contract changes through the lifecycle of your employment. And interviews actually said, Yes, onboarding was the toughest part, off boarding was fine. Is security terms, just remote like devices or collect it, easy. When people are already there? It depends on your security culture, do you have something that your employees will, for the most part, comply with your security policies and act in responsible ways? When you're onboarding someone, you have to bring them into that environment, show them that the people around them will set that example. And that can be very hard to do when they have very limited interaction, they're isolated. So this was a major pain point. In general terms and getting them into the organisation culture generally, and therefore getting them into that security culture where they'll follow things. And yeah, socially, the fact that normally when you join, you can go meet everyone at the water cooler, of course. You can turn to the person next to you and say, oh, how does this system work? You can't necessarily do that remotely. And the two things that interviewees said to us that helped them or the way that they approach onboarding, from a security perspective was one, giving new employees a buddy. Someone that has been there for a while that can guide them through and be that touch point for queries and things like how do you use the system and training. And the second one is, it has to almost become more formal. Rather than saying to someone who rocked up at an office, just go around, walk around, you'll meet people. Suddenly, you have to almost give this new employee a list of people to arrange meetings within their diary or arrange it for them. So they can methodologically meet everyone that they need to meet. It's not as organic. And this was a wider aspect that we saw. The use of video conferencing technologies became critical for many organisations, was a change for many organisations. It was viewed as being better than nothing, because at least you could get that connection. Of course, it had downsides. You couldn't necessarily collaborate and always feel real. You have people that felt too tired for it. You had interesting dynamics of should you have your camera off or on? For security purposes, maybe yes. For your well being of your employees, maybe no sometimes. So, yeah, coming back to the question. Onboarding was critical. And most of our interviews recognise that you did need to implement extra aspects to kind of build those connections. But ultimately, it does come down to security culture, and convincing your new colleagues that you have security culture in place. So you do need that trust originally. Some of our interviewees, one of them mentioned, well, thankfully, we had an environment where employees trusted each other. So when a new person came in, they came straight into that environment. But they said, if we hadn't have had that dynamic, it would have been a nightmare trying to bring on new people, you wouldn't have had that base to build on.
CP: Some of the findings in your report weren't surprising to me. But that's partly because they're things that we've been trying to achieve in the security industry for a long time. And, in fact, the first recommendation in your report talks about executive leadership colleagues, striving for clear, consistent top level communication. Applying to all communication themes, wellbeing, employee support, best practice policies and procedures. And then specifically around security, for contingencies to increase organisational resilience. As a community, we've really been advocating for this for years, and we'd love to see senior leaders build cyber into the language or the vernacular of an organisation. How is cyber to be consistently part of the executive communication agenda?
AE: So there is some really interesting research about what the role of your Chief Information Security Officer, your CISO, or the equivalent role should be. Of course, that person should understand the implications of cybersecurity and what that means for the organisation. But a lot of it is also around the language, they speak to the C-suite to the executives of the company. They need to be able to speak in business terms, to be able to communicate why this is important for the business. Of course, we know sometimes the security function gets a bad rap as being the department that says no, and preventing profit. But that's not the case. And that that's all about communication. If that message gets through to leadership, then suddenly facilitate this understanding that hopefully can then be communicated down. So our research very much highlighted yes, when your leaders can actually explain why you're doing what you're doing, why there are certain restrictions in place and why that's important for the company and the employees. Suddenly, your employees do not only understand, but they are motivated. And that's quite a big distinction when it comes to complying with something that might be annoying, like not clicking on links, or really, really checking every email. So really, explaining why you're doing something, that's something a leader can do. And also, our interviewees highlighted very positive perceptions of where leaders could speak not in CEO speak, but like a person to their employees. So of course, through 2020, it became a time with a lot of statements and people setting up mental health teams, and you really wanted to feel your organisation was there for you. And in many of the organisations from which our interviewees were employed, that was the case. They felt that their executive leadership had clear, consistent communication across all areas, including security best practice, including employee support. They felt that their leadership colleagues understood the employee needs. Interestingly, it seems that the communication sometimes fell through when it came to middle management. So when it came to actually implementing things like we support you, we will explain everything for you. If your manager wasn't necessarily trained in some of these aspects, so perhaps less than security terms, but in mental health or employee support, then you had inconsistencies in how policy was applied. So when we talk about leadership, we of course, talk about top level leadership and how important that is just to have a clear, unified message to the organisation, that can go down. But I think we also need to talk about how it filters down to make sure that everyone is appropriately trained, so that actually your manager, even if they're not, you know, extremely well equipped, they know how to keep with that unified approach. So one example would be through 2020 a lot of organisations said we will trust you to do what needs to be done, suddenly there was a lot of flexible work. You could home-school your kids at some part of the day and do your work the other, as long as the work got done. You could take time off if you needed to. That was in theory. Sometimes managers would actually use their discretion to deny that or approach it. And of course, we know if that's the case, it's it always depends on your manager. I think it will be very interesting our research focused on senior colleagues, heads of security, to actually interview analysts, people that were less senior at these organisations to see what their experience of COVID was? Was their organisation actually really supportive on a daily level?
CP: And I think now even more people are starting to push back on returning to the office, because they have got these liberties now. They've got time back, and they're not commuting, and they can pick their kids up and drop them off. And they can have maybe a more open network in terms of their computers. And has that gone back, like have we revoked any of those liberties that we gave to people back in 2020?
AE: That's a really, really good point. Because a massive finding through our research was that the organisation had grown to trust that employees would do the job they needed to do working remotely. People talked about security and wider behaviours through spring, they didn't know if it was going to work. If suddenly people moving remote, you went the productivity went down. Well, it didn't, productivity went up. And of course, by spring 2021, this may have been challenged somewhat people were feeling the pressure, the stress of having worked remotely and the pandemic for so long. But by that point, productivity had gone up. And every security leader that we spoke to said, we trusted employees to get the job done. And it really felt like people would be given the option a lot of the time to not return back to work, if they didn't want to, that was the feeling, do what employees wanted. And of course, now it's March 2022, certainly in the UK, people have been encouraged and often forced to go back into the office, at least for a certain percentage of the week, which doesn't necessarily align with the message that our research gave us. So something has changed. It seems like that is a business decision or a culture decision rather than a security or, you know, productivity decision based on the research. But of course, you have different kinds of people, some of which thrive in an office environment, some of which thrive remote. So I'm not sure if I've answered your question there. But a lot has definitely changed.
CP: Yeah, I don't know if we know the answer. And you know, as I said earlier, I'd love to see, you know, time and resources permitting a second round of the research and see kind of what came out of that. Two things I want to pick up on that you said one is, thank goodness that in the UK, and wherever else you're speaking to people, the department of no comes up because we certainly have that here in Australia. And the other one was when you talked about people who understand why I'm more motivated to do the things that they're being asked to do, because they understand their impact. And I want to kind of segue with that a little bit to the topic of phishing because a lot of people get phishing exercises served up to them. They're very busy, they're trying to get their job done. Many people will click on the link and depending on what type of phishing tool you use, will depend on what you then get served up whether it's training or a blank screen or a 404, or whatever the case is. This is what happens is that organisations have been moving towards using this technology to teach their staff how to not get caught by a real phishing activity. What are the hallmarks, what are the key things to look for? When you and I first met, I was fascinated by the fact that you thought phishing exercises don't work. I'd love for you to tell my audience about that because a lot of organisations are using these phishing drills for education, but also because it gives metrics to this kind of how aware are our staff and the listeners can't see my air quotes. But why are these efforts to make staff more aware of the hallmarks of phishing made, in that, how do you know that phishing exercises don't work?
AE: There's some really interesting themes there. The first of which is just metrics. And of course, cybersecurity metrics is what we all want. We want to be able to go to the board and say, yeah, you are more secure because of these numbers. And phishing is a really simple way to show that in a way, to say, you know, fewer people are clicking, but I think those metrics can be misleading if your employees are just dismissing any old email that they don't want to, or example. The interesting thing about phishing is that it can be done well. I think if you make it productive, if you do it at an appropriate time, you don't flood your employees with phishing emails to the extent where they're scared to click on anything. If you don't embarrass your employees when they click on an email, there should be no big red sign. It shouldn't be you know, they shouldn't be the butt of any jokes in the office because they click on something because punishment and embarrassment is a negative thing. It's not going to make someone want to act in a certain way. It's more of the stick. There's a lot of research going on. This is still very open, but one aspect is exactly that motivation. If you can motivate your employees to do it, don't just tell them the rules that make you productive. Tell them why, why this matters to them. Explain if they click on the link what actually happens and the impact of that action. That's much more productive than simply embarrassing someone. That's a few elements. I think it can be done wrong by overloading employees by embarrassing them. But I think there are also more useful ways to talk about security too. Security culture is much harder to measure, of course. You can't just get metrics on the positive psychological contracts and motivation of employees to commit but I think it's too simple to suddenly just offer up and say, well this many people clicked a link, and therefore we are secure. And that's not necessarily the case. And I do think, I've spoken about this before, but it's a bit of a bee in my bonnet that some of these organisations that provide security services, some people that say they provide phishing services, they lean into this idea of oh, we'll give you all the metrics on who your, you know, most your worst performing employees are and who's more likely to do it. And I think that's quite irresponsible. That's, that's selling a product that isn't actually doing what you want it to do. It's not necessarily great for behaviour, it will just make employees feel taken aback, quite annoyed for a little while, they won't necessarily learn the lesson of okay, this is what I should be looking for, and this is how I do it again. You can very much run occasional phishing campaigns, but do with an explanation as to why you're doing it. If someone hasn't passed and explain why and give them actual things to do to correct their behaviour and future. But don't make it a punitive measure. I think we talk about this more now than we did 5-10 years ago. But security is so human focused. And I think it's lazy, that phrase that I hate, the human is the weakest link in cybersecurity. That is so lazy and I think is used to sell products like this. If you explain to someone very well what they're doing and how to do it, and if you make it easier for them, have good span controls, have more controls in place as far as possible, so they don't have to worry about this every day. That's a better security setup. This is my subjective view.
CP: A lot of staff want to understand why the tech can't protect them. A lot of staff talk to me and say, why do I need to not click on a link? Because the link should never come to me in the first place. You know, and why do I need a strong password if I've got MFA? And are you coming across better technology for this? Because can we remove the need for staff to have the healthy paranoia? Can we remove the need for this weakest link side of things and for the securing of data assets to be done by technology? Because that is what CIOs and other staff are asking of me. Why can't the tech protect us better? Why is it that if these targeted attacks come through, it literally comes down to the poor person sitting in the marketing department who happens to click on the leak.
AE: So I think there will always need to be some aspect of healthy paranoia that you mentioned. Technology can do quite a lot, there will always need to be that human aspect, you always need to have this training to let you have that healthy paranoia. As we've seen through COVID, your cybercriminals or whoever's trying to compromise your organisation can be very opportunistic. While spam and phishing went up hugely through COVID, and things like ransomware, as well, a lot of it was captured by spam filters. But some had been crafted only an hour or two beforehand. So your spam filter, depending on how it was trying to filter out, couldn't recognise it as a malicious email/a spam email, so you still need your employees to be aware of that. So they'll always be that training. That said, you have this campaign and academia in policy around people who design security to have human focus, security, usable security. And these concepts basically mean that the human should be, the technology should be designed by what the human wants. You're absolutely right, we shouldn't have to remember 20 passwords, there should be a better system than that. It shouldn't have to be that you need to, you know, have the equivalent of a degree in Information Security to do your job. And that's not the case at the moment, a lot of the time. So there's a lot of work to be done when you're actually thinking about your security policies, your security controls, what burden does that put on your employee? Is that fair? They'll always be an aspect, of course, but there's definitely a right way to do and there's a lot of research going on in this. So I'm optimistic that in the future, we'll have some more of the answers to say actually, what does work? So I can give you a clear answer on the right way to do phishing or the right way to motivate employees. At the moment it's an exciting time. You have psychologists and cybersecurity professionals and organisational leaders that are coming together to do this research actually bringing together different fields of knowledge. It's complicated, it's vague, because we're people and what we're all different and different things make different people comply. But the more research we do, the more ideas we'll have and what actually works and what doesn't, hopefully make life easier for employees
CP: Will hopefully make life easier for security leaders as well!
AE: I live in hope. Yes.
CP: With the theme of this season being about behaviour change and awareness, I've been asking all of my guests what do they do in their personal life, what's the one thing you're a stickler for? What cyber behaviour do you do to protect yourself online?
AE: I feel like my answer isn't very imaginative or original. But I love password managers. If we think about how many different accounts we're supposed to have, I feel like every, you know, if I want to buy a greetings card to send home, I need an account for that. I use password managers all the time. I do have security colleagues that feel quite smug about people keeping all their passwords in one place. And I just think it's completely unrealistic to expect anyone to remember even half the information we're expected to have here. And of course, if you don't use something like that, then you're repeating passwords, unless you have an incredible memory. So I feel very, very strongly about that. Perhaps, maybe the only other thing I've mentioned is, yeah, I don't like giving my email away too much or giving, you know, unless it's completely required. I legally have to give all this correct information about myself. No, don't like that.
CP: Earlier in the season, I had a gentleman on the podcast, Lloyd Evans, who works for a password manager. And when I asked him this question, I said, you can't say a password manager as your answer. Because I think it's the one thing a lot of people do do. And you know, this was not planted by me to ask Amy to say a password manager. But I really feel that it is something that people can do that is simple, a lot of them are free. And they do invest a lot of money into securing these password repositories and encrypting them. But I agree with you, I also know security professionals who hate the idea of putting all their passwords in one place. But it sure beats the people who have them in one place written down on a piece of paper under their keyboard, so we've taken a step forward.
AE: Although I will say that I have family members that are they're not comfortable with computers at all, if they want to put it in a book, I'm okay with that. Ideally, don't label the book 'Password Managers'! But if it's going to be hidden somewhere very inconspicuous in the house, I'm mostly okay with it. I think it's really depends. It's cost benefit. But you know, someone who really isn't comfortable with computers, I think we have to be sympathetic to that and be inclusive, of course, as well.
CP: And maybe we just have to teach these people how to use multi factor authentication.
AE: That would have been my second, yes. That's my sales pitch. Please do that too!
CP: Amy, it's been a pleasure to have you on the podcast. Thank you so much for getting up early for me today and being part of The Security Collective. Thank you.
AE: You're very welcome. It's been a pleasure. Thank you.