CISO Interview: How the pandemic helped us meet the needs of our employees


Almost eleven years. That is how long Daniel Chromek has been working for ESET. He started as a consultant, and now he manages the internal information security of the whole company. The coronavirus pandemic has brought one of the greatest challenges of his career: within a few days, Daniel and his team supported the move of hundreds of employees to home offices.



In February, around 800 employees worked daily at ESET’s offices in Slovakia. How many worked in the office by April?

About twenty. These were mainly some of the facilities staff, IT team and receptionists. The rest mostly work from home.

Looks like you succeeded in moving to home offices. Were you well-prepared for the changes to the mode of work?

More or less. It helped that we had been preparing the first measures since the end of January and updating our pandemic flu business continuity plan according to the situation. It included three different phases: monitoring the situation, moving to limited use of offices and total closure of the office. The document also helped us to identify who’s responsible for which steps, from getting relevant information about the pandemic to distributing protective equipment and communicating with employees.

Was there something you underestimated?

The number of devices that can be used for remote work. Eventually, some employees had to take a classic desktop with a monitor and other accessories. All of the desktop hard disks had to be encrypted, and new laptops needed to be prepared very fast, which was pretty demanding. Also, our iOS development department normally works on classic Mac workstations and MacBooks, which are not easy to get. I remember IT managers driving around to shops to get everything they needed and the IT team preparing everything necessary during one long weekend shift.

We also had trouble ensuring connectivity. Many of our systems are internal, so we lacked enough VPN licenses, which allow our employees to connect to the systems from home. Some departments were not used to working remotely, so we needed to prepare VPN profiles for them very fast.

Did you manage?

We did, eventually. However, we experienced problems with a part of our cloud infrastructure and systems. The vendors were not able to handle the increased demand from all existing and new customers in the first weeks. One of our cloud service providers told us that demand grew by 600%. We were told that our request was taken into account but that he simply could not cover it at that time. We had to manage with limited services in the first days.

Couldn’t you have done more to avoid a lack of VPN licenses?

Theoretically, but it’s complicated. Normally, VPN gateways are used by about 20% of our employees. We don’t need more of them; we would just be wasting money. But suddenly, the situation escalated very quickly, and 80% of our employees needed remote access.

The best preparation is to investigate the vendor’s readiness for such events – to ask what to expect if the work regime changes dramatically and you need to raise the number of licenses or services significantly. This applies not only to VPN providers, but also to cloud services or internet connectivity.

Minimalist infrastructure can be an advantage

As an international company, you had to deal with the situation in multiple markets affected by the pandemic too. Did some offices switch to remote work more smoothly than you did in Slovakia?

They did – mainly our offices that did not have any built-in workstations and had more time to prepare. The pandemic spread gradually, so we tried to warn colleagues in other countries. For example, when it turned out that medical equipment was immediately sold out in Europe, we informed our colleagues in Latin America. They had two bonus weeks to buy everything they needed. Paradoxically, the situation was best handled by our Milan colleagues, who were just moving into new offices. They had no infrastructure, only the space itself and Wi-Fi. They weren’t so dependent on the space at all.

Anyway, our pandemic flu continuity plan turned out to be very local-focused, which caused problems. We did not expect so many countries to be affected, nor the traffic among countries to stop. And so, it happened that some key people, including members of the Slovak top management, were on a business trip in the U.S. when the crisis started. This made their trip back home more complicated, and the demand for flight tickets was extremely high.

Statistics show that with the beginning of the crisis, the number of cyberattacks increased. Have you noticed this too?

Definitely. The attackers take advantage of the fact that people are nervous and working from home, where they are not protected by network boxes. Our employees receive up to twice as many phishing emails, some of which are even tailored to ESET. Gone are the times when the attackers just wanted the recipient to click on something.

What does a made-to-measure phishing email look like?

The attackers used real names and contacts of employees. For example, our new country manager in Australia received a fake email, seemingly written by the CEO of ESET, asking her to perform certain tasks. Another harmful email came in April, when the sender asked for bank account details so that the employee could receive his wage.

We also had to educate our employees in media literacy and not to seek information or download data from suspicious sources. Not only can the information be false, but fake COVID-19 pages also distribute malicious software that can harm the computer. Also, new types of scams have appeared – for example, e-shops offering medical supplies the customer will never receive.

Think and explain twice

How do you tell people they should think twice while online so that they do not endanger internal security?

Awareness is essential. We regularly inform employees and even test how they respond to fraudulent emails. It turns out they mostly know the theory, and when they have enough time and peace of mind, they answer correctly – but as soon as they handle emails in haste or under pressure, they may forget everything and get tricked.

As soon as the coronavirus crisis started, we also offered psychological help. At the beginning of February, a special email address was set up, to which employees could send their questions privately. At first, people panicked a lot. For example, they were asking whether visitors from Japan could be infected. But it helped to explain things, and the situation calmed down. Our HR department played a substantial role, and we started to work more closely, since professional psychologists are a part of the team.

On the contrary, some people would prefer to stay completely offline. They don’t trust apps or the online environment itself – they’re, for example, afraid of being watched. Therefore, they refuse to use digital tools, which are a necessity when working remotely. How do you approach such fears?

Fortunately, this is not an issue at ESET. Paranoia from the online environment is largely generational, and the average age of our employees is relatively low. They are used to communicating online every day, whether via Skype or VoIP phone. To some extent, however, applications must be handled carefully and used in a setup that does not compromise internal security or privacy. Again, awareness and data protection play a crucial role.

Trust in the online environment also depends on how you talk to employees about digitalization. We always try to introduce new tools as something that will make one’s life easier and help the company. Every employee needs to be treated individually; for example, we communicate differently with people who are tech savvy versus those who are not so familiar with technology. In any case, trust in applications is a precondition for successful digitalization.

Apart from the new VPN licenses, what have you taken from the crisis?

We are all working remotely now, so we try to evaluate efficiency, improve team setups, and analyze new solutions we have adopted. The pandemic has finally forced us to switch to electronic signatures and rethink how tests for new hires are carried out. Until now, we have invited candidates to the offices, and they had to fill out paper questionnaires or complete certain tasks on our computers. Now we had to come up with an online solution, which we’re planning to keep in the future.

How do your employees react to such changes toward digitalization?

They appreciate them. Long before the crisis started, internal research had been showing us that our employees want more flexibility. We were wondering how to address their wishes. The crisis has helped us to move toward a more digitalized work environment and accelerated our decisions. We have found solutions that will help us in the long run. It’s high time to learn how to operate remotely because new generations are entering the market, and for them, flexibility will be a must.

We also learned that even when things get back to normal, we must be ready to return to the current fully remote setup – anytime. No one knows when we might need to do it next.