Raising Security Awareness in Cross-Cultural Work and Collaboration

Author: Vanessa Britt Perez Revilla, CISA, CISM, CRISC, ISO/IEC 27001 LA
Date Published: 11 October 2023

In today’s global society, as multinational enterprises hire talent from around the world, maintaining the security of information resources has become a challenge. Organizations cannot assume that cybersecurity knowledge is interpreted in the same manner throughout all locations in which they have interests. Behavioral norms and values can also vary from one country to another and differ within different parts of a country.1 Because of this, organizations may be concerned about the security of their data, especially if offshore employees have access to sensitive information such as personally identifiable information (PII), protected health information (PHI) or payment card data.

Hence, one of the goals of an organization should be to create a security mindset among all of its employees, no matter where they live. This mindset cannot be imposed, but rather should be methodically cultivated. A good strategy to develop required behavior within an organization is to design and implement a security awareness program that informs employees of the risk associated with their work activities and in their personal lives and teaches them to react according to the organization’s culture and security best practices. As hiring workers from other countries might be a change in the strategy of the organization, the organization must update its risk assessment and consider the potential threats of this new scenario. Conducting a survey of offshore employees can also help to identify the new risk the organization is facing.

Risk Assessment

According to the 2022 Verizon Data Breach Investigations Report (DBIR), 82 percent of reported breaches in the last year involved the human element.2 The report indicates that whether the threat action is the use of stolen credentials, phishing, misuse or simply an error, people continue to play a large role in incidents and breaches. From this, it can be assumed that people still underestimate security risk and do not see the level of impact on the organization’s reputation; hence the importance of developing a security awareness program.

To integrate the human risk component into the design of a security awareness program, organizations must conduct risk assessments to identify the threats and vulnerabilities introduced, specifically when hiring workers based in a different country. The first step is to gather relevant information about the employee’s native country to gain an understanding of its legal requirements and the country’s security posture as the employees live there and are influenced by these factors. The legal and human resources (HR) teams may need to be engaged to analyze the probability and impact of the risk identified. Questions to ask during this process include:

  • Does the country have regulations in place for information security, privacy and intellectual property?
  • Does the country’s criminal code consider data theft, unauthorized disclosure of sensitive information and copyright infringement to be criminal offenses? What are the penalties?
  • Does the country’s government enforce regulations by conducting inspections and audits? Are reported results made available to the public?
  • Is there an office dedicated to managing national programs of security?
  • Does the country have a national program to address cybersecurity threats?
  • Does the country’s government publish a list of breaches of unsecured personally identifiable information (PII) and protected health information (PHI) affecting citizens? Does it investigate these cases?
  • Is the country’s government committed to cybersecurity initiatives such as establishing an annual cybersecurity awareness month?
  • Does the country have a monitoring mechanism in place for cyberthreats?
  • How is the country ranked based on software piracy? Have there been any government efforts in regard to this? Are penalties or fines enforced in cases of infringement?

Surveys

A survey is another mechanism to obtain a deeper understanding of international employees’ security attitudes and habits in an effort to identify behavioral risk. Questions may be posed to gather information about how employees engage with security in their daily work (and nonwork) lives. Survey questions should also collect general information about the employees, such as their departments and roles, so that security awareness deficiencies can be attributed to specific groups.

Some examples of specific questions to assess security awareness include: How familiar are you with our information security policies? Are you aware of any situation in our organization in which someone has shared user credentials with someone else? Do you feel comfortable reporting security incidents? In the past six months, have you installed unauthorized software?

To elicit more honest information, surveys should be anonymous. Employees may worry that their responses could result in punishment if deemed unsatisfactory. Survey questions should be reviewed and approved by legal and HR teams prior to deployment. In addition, surveys of local employees can be conducted, and the results can be compared with those obtained from international employees.

Security Program Implementation

Based on survey results and the output of the risk assessment exercise, the organization can identify areas of possible concern and develop a tailored security awareness program to help reduce human risk. The organization may need to customize security awareness courses and adapt materials for different audiences of international employees. The frequency and timing of awareness activities may also be changed to accommodate workers who live abroad, especially those living in a country that enforces different laws and regulations than the country of the organization’s headquarters.

For example, a new employee from a country that does not enforce data protection standards could manipulate a document containing the organization’s network diagram to bypass the data loss prevention (DLP) controls and send the file to a personal email account. The employee then might mention this to a work colleague, who might not follow the organization’s security incident reporting procedures and report the event. Because the employee bypassed the DLP controls, no automatic alerts were sent to the security operations center. If the second employee had reported the security incident, an investigation would have been initiated and, as a result, disciplinary action would have been taken.

In this case, these employees may need to be educated about how to handle the organization’s information appropriately and comply with the cybersecurity incident reporting process. Refreshers on security practices should be given on a regular basis and the disciplinary actions for violating the information security policy should be made clear. In the case of an employee from a country with strong data protection laws, such behavior is less likely. However, employees could be victims of advanced phishing techniques, so it is recommended that the security awareness program include a refresher on this topic.

The implementation of a security awareness program requires a budget and other resources. If an organization operates in a regulated industry, such as banking or healthcare, it must comply with regulations to continue operating. Some of the regulations refer to cybersecurity controls; for instance, the US Centers for Medicare and Medicaid Services (CMS) has developed a document of requirements, known as the Minimum Acceptable Risk Standards for Exchanges,3 that is applicable to US Affordable Care Act (ACA) entities. This document includes awareness and training controls that are mandatory for organizations under its scope.

Although regulations may not have specific requirements for security awareness applicable to offshore employees, some mandate that organizations develop and implement an information security awareness training program for all employees working on behalf of the organization and involved in accessing, using, managing or developing information systems. Given that offshore employees may have this access, auditors can request evidence that organizations are aware of the security risk and if any actions to mitigate the identified risk have been implemented, including security awareness training for offshore employees in particular.

To be compliant with regulations, top management must be engaged to review, provide feedback on and approve the security awareness program because it is management’s responsibility to demonstrate leadership and commitment with respect to the information security management system (ISMS) by ensuring that the resources needed for the ISMS are available. According to the SANS 2022 Security Awareness Report, three action items are defined for greater leadership support:4

  1. Talk in terms of risk, focusing on demonstrating how security awareness is effectively managing the organization’s human risk.
  2. Create a sense of urgency, which involves leveraging data and statistics to demonstrate to leadership the need to address human risk.
  3. Communicate the impact by collecting metrics about the impact and value of the awareness program and communicating them to leadership.
This may enable leadership to better understand and regularly see the value that the program is providing.

After the program is deployed, organizations should review the results to ensure continuous improvement. Metrics should be designed to test and measure whether employees are being educated effectively and are changing their behaviors accordingly. In cases in which the values obtained do not meet the goals of the security awareness program, corrective actions may be implemented to improve the metrics. For example, if the number of cases of employees posting sensitive information on social media keeps growing despite the training, the organization should proceed with disciplinary actions that could serve as a deterrent for personnel to not violate the security policy. The SANS Institute, which specializes in information security, proposes a set of indicators to measure the progress of security awareness.5 Some metrics include phishing simulation click and report rates, number of accidental loss events, and number of lost or stolen computers or devices each month.
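The following is an added example, not code from the article or from SANS, of how the phishing simulation click and report rates mentioned above can be tracked per month and per employee group and compared against program goals. The result rows, the two groups ("local" and "international", mirroring the survey comparison earlier in the article), and the target thresholds are all constructed assumptions; the rule that flags a click rate rising over three consecutive months is a hypothetical trigger for the corrective action the text describes.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    """Aggregated outcome of one phishing simulation for one employee group."""
    month: str      # "YYYY-MM"
    region: str     # e.g. "local" or "international" (constructed grouping)
    sent: int       # simulated phishing emails delivered
    clicked: int    # recipients who followed the link
    reported: int   # recipients who reported the email to security


# Constructed sample export from a phishing-simulation platform (not real data).
RESULTS = [
    SimResult("2023-07", "local", 40, 4, 24),
    SimResult("2023-07", "international", 40, 10, 12),
    SimResult("2023-08", "local", 40, 3, 26),
    SimResult("2023-08", "international", 40, 12, 10),
    SimResult("2023-09", "local", 40, 2, 30),
    SimResult("2023-09", "international", 40, 15, 9),
]


def rates(result: SimResult) -> tuple[float, float]:
    """Return (click_rate, report_rate) for one simulation row."""
    return result.clicked / result.sent, result.reported / result.sent


def evaluate(results, max_click=0.10, min_report=0.50, rising_months=3):
    """Compare each month's rates with program goals and spot adverse trends.

    Returns a list of (month, region, finding) tuples. Thresholds are
    assumed program goals: click rate at or below 10 percent, report rate
    at or above 50 percent. A click rate that increases for `rising_months`
    consecutive simulations is flagged as "rising despite training".
    """
    findings = []
    by_region = defaultdict(list)
    for r in sorted(results, key=lambda r: r.month):
        by_region[r.region].append(r)

    for region, series in by_region.items():
        for r in series:
            click, report = rates(r)
            if click > max_click:
                findings.append((r.month, region, "click rate above target"))
            if report < min_report:
                findings.append((r.month, region, "report rate below target"))

        # Trend check: strictly increasing click rate over the last N months.
        window = [rates(r)[0] for r in series][-rising_months:]
        if len(window) == rising_months and all(
            window[i] < window[i + 1] for i in range(len(window) - 1)
        ):
            findings.append((series[-1].month, region,
                             "click rate rising despite training"))
    return findings


def findings_by_region(findings) -> dict[str, int]:
    """Count findings per group, which is what a leadership summary needs."""
    counts: dict[str, int] = defaultdict(int)
    for _, region, _ in findings:
        counts[region] += 1
    return dict(counts)


if __name__ == "__main__":
    for month, region, finding in evaluate(RESULTS):
        print(f"{month} {region:<14} {finding}")
    print(findings_by_region(evaluate(RESULTS)))
```

With the constructed data, the local group meets both goals every month and produces no findings, while the international group misses both targets in each month and additionally triggers the rising-trend rule, which is the signal that the awareness material for that audience needs to be revisited rather than simply repeated.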

Measuring the level of maturity of an organization’s security awareness program is also recommended as this demonstrates to stakeholders that the organization is committed not only to effectively managing its human risk, but also improving its security awareness program by targeting new threats or attacks that could potentially affect the confidentiality of its data. In the SANS model, levels of maturity are rated from nonexistent to having a metrics framework in place, which is the highest level of maturity.6

Conclusion

International employees can have excellent skills, knowledge and expertise in specific subjects, and organizations may be highly interested in hiring them; however, there can also be challenges ensuring security awareness in a multinational enterprise.

Designing a tailored security awareness program to reduce human risk is not a simple task. The program requires time, a budget and numerous resources to complete its implementation, specifically when it comes to hiring employees from abroad. An extensive analysis of the culture of the employee’s home country and attitudes and behavior toward information security should be conducted. Finally, organizations must involve top management in the implementation of these initiatives as they are responsible for ensuring that the necessary resources are available and assuring clients that the organization keeps their data secure.

Endnotes

1 Ross, S. J.; Creating a Culture of Security, ISACA®, USA, 2011, http://h04.v6pu.com/culture-of-security
2 Verizon, 2022 Verizon Data Breach Investigations Report (DBIR), USA, 2022, http://www.verizon.com/business/en-gb/resources/reports/dbir
3 US Department of Health and Human Services Centers for Medicare and Medicaid Services, Minimum Acceptable Risk Standards for Exchanges (MARS-E) 2.0, USA, 2020, http://www.hhs.gov/guidance/document/minimum-acceptable-risk-standards-exchanges-mars-e-20 
4 SANS Institute, 2022 SANS Security Awareness Report, USA, 2022, http://go.sans.org/lp-wp-2022-sans-security-awareness-report
5 Ibid.
6 Ibid.

VANESSA BRITT PEREZ REVILLA | CISA, CISM, CRISC, ISO/IEC 27001 LA

Is an information security professional at Tranzact in Lima, Peru, a Willis Towers Watson company. She has more than 15 years of experience in IT audit and information security with organizations in regulated industries and government institutions.
