Before the pandemic, there were already 7 million people working remotely in the US, or about 3.4% of the population. As cases of coronavirus soared, so did remote work from home policy, with 70% of employees working remotely based on a PwC survey.
However, the shift to a remote work operation brings its own dangers. The use of employee-owned devices, unsecure connections, and improper device usage leave companies vulnerable to a host of network intrusions.
External threats to Remote Workers
According to the National Institute of Standards and Technology, organizations “should assume that malicious parties will gain control of telework client devices and attempt to recover sensitive data from them or leverage the devices to gain access to the enterprise network.”
Some of the ways they can gain access include:
- Device loss or theft
- Social engineering tactics
- Malware and ransomware
- Zero-day exploits
- Macro and script attacks
- Botnet attacks
- Neglecting to stay on top of OS patches, antivirus updates, and other critical upgrades.
7 Online Security Awareness Tips for Employees
To minimize the risk of a network intrusion, it’s necessary to bolster your first line of defense against external threats: your employees working from home. Here are 5 ways you can educate your remote workers on best security practices.
1. Work on your cybersecurity messaging
The first step to a solid cybersecurity education is to get the messaging right. Too often, IT experts work in a bubble that is incomprehensible to the regular employee. As such, the message needs to be understandable, relatable and diversified.
Understandable – Avoid technical jargon that may confuse employees and cloud your message. When possible, use simplified terms that’s accessible to the non-tech minded layman, especially if the bulk of the organization is composed of senior members.
Relatable – When talking about external threats, make it less about the central network and more about personal computer safety and home network intrusion. This way, employees can personally relate to the danger if it’s framed in terms of their phone or laptop, and not some intangible server in corporate HQ. This also enables them to have a personal stake in the security plan: no one wants to be the reason for a data breach that affects the whole company.
Diversified – A simple email outlining everything may not be enough. Think how many emails the individual employee receives. By diversifying your communications strategy, you can ensure that employees read the message instead of dismissing it as just another announcement.
2. Encourage good device ownership
Whether it’s a corporate or personal device, employees need to be aware that their gadget acts as the gateway to the organization’s network. This makes it important to take care of their device and use it properly even in the confines of their home.
- Teach the difference between personal and corporate usage.
- Make it mandatory to have a work account that’s subject to monitoring, restricted installations, and web filtering.
- Beware of old-fashioned loss and theft.
- Make sure security patches and OS updates are followed.
A device management and monitoring solution, such as ours can help mitigate risk by automating the push updates and tracking the device’s status and location at all times. But this should only serve as a backup, and end-user security best practices should rest with the employee.
3. Teach them how to spot suspicious activity
Improve security sense by teaching them to watch for the following signs:
- New apps or programs that suddenly appear
- Strange pop-ups during startup, normal operation, or before shutdown
- The device slows down
- New extensions or tabs in the browser
- Loss of control of the mouse or keyboard
Encourage them to report suspicious signs immediately. Even if it turns out to be a false alarm, it might still be beneficial to the employee by clearing up errors in their device that hamper productivity.
4. Reinforce confidentiality
Working from home tends to make people more complacent, and this extends to security. Drill the importance of passwords and authentication even if they work in their PJs. Just because they’re relaxed doesn’t mean security has to be.
- Enact periodic and unique password changes.
- Teach them about the dangers of using universal passwords, and use real-world examples from past data breaches. They might even want to see if their personal account passwords have been pawned.
- Discuss the rationale behind VPNs, multi-factor authentication and other secure log-on processes, and why they are important despite being time-consuming.
- To combat unsecured storage of company data, provide concrete examples of stolen data incidents caused by an errant thumb drive or compromised personal Dropbox account.
5. Examine individual cases
Unlike an office environment with a controlled network, your employees’ home computer security can vary widely. Some may connect through their home Wi-Fi, while others may use mobile data while at the park, or log-on from the public Wi-Fi at a coffee shop. Some may have older devices that are no longer supported by security patches, and it may be necessary to address those concerns.
- Encourage employees to use their company-provided devices. If it’s BYOD, check the device brand and model year to see if there are outstanding exploits.
- Do a security sweep of home networks. For example, some older routers may have weaker WEP protocols instead of WPA-2, or some may even have the default password!
- Pay attention to nomad employees and devote a security policy for them, since roaming data or public Wi-Fi hotspots bring their own unique threats.
6. Take advantage of online cybersecurity courses
There are plenty of online resources when it comes to employee cybersecurity training, and not all of them have to be paid.
- The FTC website has learning resources for SMB owners and managers divided into 12 topics, as well as matching cybersecurity quizzes to test what you learned.
- This cyberdefense learning toolkit from the Department of Homeland Security is specifically designed for SMBs.
- The Center for Internet Security’s 20-step organizational control program teaches good cyber defense habits, identification of suspicious behavior, and generates a skills gap analysis.
- The Federal Virtual Training Environment provides a comprehensive 6-hour course for managerial-level members, divided into 30 modules.
- The National Institute of Standards and Technology has a list of free and low-cost online training content specifically designed for employees, including webinars, short courses, quizzes and certification.
- This webinar series from the National Cybersecurity Alliance releases one video every other month, starting in November 2019, and ending in November 2020.
- The National Counterintelligence and Security Center has a 3-episode training series that discusses hacking, real-world attack examples, and the five most common security threats for remote workers.
- ESET offers a free one-hour training course that teaches best practices for remote employees. The paid version includes dashboard tracking of employee progress, phishing simulator, and certification and Linkedin badges.
- FEMA’s IS-0906 course on workplace security awareness takes only 1 hour and tackles risks, prevention measures, and response actions for remote employees.
- Google has an interactive quiz to test employees’ awareness of phishing tactics.
7. Make it an ongoing conversation
On average, corporate workers spend up to a quarter of their workday on email-related tasks. This makes a one-shot email message about cybersecurity a poor choice, since they may not be able to appreciate the significance or absorb the information in one sitting.
- Use different approaches to cybersecurity education, such as regular announcements or newsletter updates.
- For each update, follow the KISS rule: Keep It Short and Simple. This way they can glean the message and retain the information amid their hectic day.
- Follow current trends. If there’s a new type of crypto-malware or exploit that crashes phones with a single message, make sure it reaches your members.
- Use eye-catching tactics each time to get them to absorb the message. Instead of listing dry statistics or do’s and don’ts, try colorful infographics. For long topics, try a video explanation.
- You can even try cybersecurity tests to see if the lessons stick. For example, as part of its email safety education, HP sends out test phishing messages and congratulates employees that report it to IT.
A good cybersecurity education allows your employees to see their significance in the overall scheme of things. Rather than being just another cog in the organization, they are the first set of eyes that guard against external threats. By encouraging vigilance and good security awareness, this is something that they can carry well beyond the confines of the office, even after things return to normal.