When the COVID-19 pandemic began back in March of 2020, many businesses shifted their IT priorities toward moving their workforces to a remote system. From procuring laptops and mobile devices to making changes to access and controls, the primary focus for much of the last year has been on keeping business moving forward and implementing tools to ensure employees can be productive at home.
And while working from home has become the “new normal” for many people, especially given that most companies are planning to keep some or all of their employees working offsite, so have more targeted attacks on businesses. According to one survey, about 60 percent of businesses have seen an increase in attempted cyberattacks, in particular phishing and social engineering attacks, credential theft, and account takeovers. And hackers are finding new ways to attempt to thwart traditional hybrid cloud security measures, which experts attribute in large part to the more relaxed attitudes toward security among employees.
The fact is, many people do not approach cybersecurity the same way at home as they do in the office. From working on unsecured Wi-Fi connections that are shared with other family members, to working on personal devices and using unsecured file sharing or storage tools, many companies’ carefully managed and curated security protocols are losing their effectiveness.
With this in mind, many companies are changing their approach to cybersecurity, in particular when it comes to employee training. Because the majority of data breaches and cyberattacks stem from human error (clicking on a phishing email tops the list), companies that want to remain secure are putting employee training at the top of the priority list for 2021. And the approaches to training are also changing.
Aligning Cybersecurity Training with the New Normal
For most people, cybersecurity training is the annual seminar (usually online) filled with reminders about changing passwords and not responding to phishing messages. The overwhelming sentiment is that the IT department has a handle on security, and they don’t really need to be concerned about it.
Unfortunately, that lackadaisical attitude extends to their home office too. Many people forget that they don’t have all the same protections at home as they do in the office. That’s why going forward, security training needs to shift its focus and address the risks and protocols for remote work more thoroughly.
For example, new training programs should include guidance on:
Physical security. When employees work from home, who has access to their devices? Is the work area secure, and are laptops and phones password protected and secured when not in use? If an employee takes their work devices away from home, how are they ensuring the physical safety of those devices? Keep in mind that some of the U.S.’s largest data breaches have stemmed from stolen computers, so training needs to address best practices for physical security.
Video conferencing. With the rise of online video conferencing tools, hackers have a new tool for accessing sensitive information. Security training should include guidance on video conference best practices, including managing meeting attendees, naming conventions, and storing recordings. Employees should also be made aware of the potential for social engineering attacks based on information gathered from video meetings.
Securing personal devices. Policies regarding the use of personal devices and required security protocols should be reiterated and strengthened where necessary.
Securing home networks. Home Wi-Fi networks typically have weaker firewalls and fewer security protections than corporate networks, and it’s unrealistic to expect otherwise. However, employees need to be educated on how to best protect their home Wi-Fi network, and what the expectations are in terms of protection. IT should consider providing a proven set of security controls, along with guidance on their effective use, rather than counting on employees to “bring their own security,” which may be inadequate at best.
Role-specific risks. One size doesn’t fit all when it comes to security training, and your employees need to receive training that’s relevant to their specific roles. For example, phishing emails may be targeted to finance or HR, and individuals in those areas need to be aware of their susceptibility to such attacks.
Above all, any security training program needs to be ongoing, and consistent. In today’s rapidly changing world, threats are constantly evolving and so are the best practices for mitigating them. The better prepared your workers are to recognize and respond to threats, the less likely your business is to fall victim to an attack and the losses that follow.
Ryan Kh is an experienced blogger, digital content & social marketer. Founder of Catalyst For Business and contributor to search giants like Yahoo Finance and MSN. He is passionate about covering topics like big data, business intelligence, startups & entrepreneurship. Follow him on Twitter: @ryankhgb.