In this economic environment, InfoSec might be one of the last things on anyone's mind. However, security is critical now more than ever in the wake of numerous phishing and charity-related scams born out of the COVID-19 crisis. These five ways to improve security awareness will help everyone in your org stay even more secure and not break the bank (you can save the bank breaking for more important endeavors like hoarding toilet paper, baking ingredients, and all the meat):
1) Turn virtual happy hours into monthly security AMAs
Chances are your company has already been getting together virtually for drinks and relaxation. And by no means are we suggesting you turn fun work events into pure work events, but you might as well kill two birds with one stone (but do avoid the Rickyism) in this situation. Internally, your security lead could ask everyone in advance to send her/him questions about security practices, suspicious emails they've gotten, or even news and stories on the latest scams ensnaring people, and then set aside 15 min to discuss those during the virtual happy hours.
2) Get free resources from SANS and the U.S. government
The SANS Institute (a portmanteau of SysAdmin, Audit, Network, and Security) has several free security awareness resources, including one for helping your team WFH securely (fun fact: contrary to the ".org" in its domain name, SANS is a for-profit organization). They also have a lot of other free, high-quality security resources worth checking out. Another great source of quality resources is the Federal Trade Commission (FTC). Their Cybersecurity for Small Business resource pack covers a lot of security best practices, ranging from managing vendors to handling ransomware. And if you want to gamify the security awareness experience for your team, check out the National Initiative for Cybersecurity Careers and Studies' (NICCS) Cybersecurity Trivia Game. The trivia game is a great starting point for assessing everyone's security knowledge and seeing where there's room for improvement.
3) Have your "Security Czar" hold weekly office hours
You do have a "Security Czar", right? In all seriousness, appoint someone to be the Czar if you don't have one. Or, rotate the role on a monthly basis among members of the engineering and security teams. Part of the Czar's duties is to hold weekly office hours to meet with anyone and everyone in the org who has security questions and/or concerns. More broadly, the office hours help foster and reinforce best practices coming from a designated expert.
4) Deputize volunteer security leads for each department
Not everyone in your company needs to be an InfoSec expert. But everyone should be well-versed in security best practices and have a high degree of security awareness. One way to ensure everyone keeps their security awareness sharp is to deputize volunteer security leads for each department.
Ideally, each lead won't get drunk off of the extra "power" and responsibilities they get, but the leads are responsible for doing weekly check-ins with their teams and giving quick status updates to the Security Czar. That way, everyone is aware of any potential near-misses, vulnerabilities, or errors that might have come up throughout the week.
5) Dedicate a Slack/Teams/Google Hangout channel to all things security
Regardless of your AIM 2.0 preferences (yeah, we went there in comparing Slack, Microsoft Teams, and Google Hangout to 21st century versions of AOL Instant Messenger), there should be a channel or group dedicated to security (especially for sharing news and the latest best practices). Everyone in your organization should be in the group chat so that they can stay abreast of the latest goings-on and ask questions / get clarification if they encounter something in their work that triggers their security Spidey Senses.