The pandemic has increased the number of employees working from home to about 70%, according to a PwC survey, and remote work brings its own dangers. The use of employee-owned devices, unsecured connections, and improper device usage leaves companies vulnerable to a host of network intrusions. This is where training employees about cybersecurity awareness is a must.
Why is Cybersecurity Awareness Important?
According to the National Institute of Standards and Technology, organizations “should assume that malicious parties will gain control of telework client devices and attempt to recover sensitive data from them or leverage the devices to gain access to the enterprise network.”
Some of the ways they can gain access include:
- Device loss or theft
- Social engineering tactics
- Malware and ransomware
- Zero-day exploits
- Macro and script attacks
- Botnet attacks
- Neglecting to stay on top of OS patches, antivirus updates, and other critical upgrades
7 Cybersecurity Awareness Best Practices for Employees
To minimize the risk of a network intrusion, it’s necessary to bolster your first line of defense against external threats by training your employees on cybersecurity awareness. Here are 7 ways you can educate your remote workers on best security practices.
Make Cybersecurity Clear To Your Employees
The first step to getting employees acquainted with cybersecurity education is to outline a clear message about what is occurring in your company regarding cybersecurity. Such a message needs to be understandable, relatable, and diversified.
- Understandable – Avoid technical jargon that may confuse employees and cloud your message. When possible, use simplified terms that are accessible to the non-tech-minded layman.
- Relatable – When talking about external threats, make it less about the central network and more about personal computer safety and home network intrusion. Employees can relate to the danger personally if it’s framed in terms of their phone or laptop. This gives them a personal stake in the security plan: no one wants to be the reason for a data breach that affects the whole company.
- Diversified – A simple email outlining everything may not be enough. Think about how many emails the individual employee receives. By diversifying your communications strategy, you can ensure that employees read the message instead of dismissing it as just another announcement.
Encourage Taking Great Care Over Your Devices
A Forrester survey found that 15% of company breaches are caused by lost or missing devices. Whether it’s a corporate or personal device, training your employees about cybersecurity includes bringing awareness that their gadget acts as a gateway to your organization’s network. This makes it important to take care of their device and use it properly even in the confines of their home.
Encourage responsible device ownership by doing the following:
- Teach the difference between personal and corporate usage.
- Make it mandatory to have a work account that’s subject to monitoring, restricted installations, and web filtering.
- Beware of old-fashioned loss and theft.
- Make sure security patches and OS updates are followed.
A device management and monitoring solution, such as our Multi-OS Device Remote Management, can help mitigate risk by automating push updates and tracking the device’s status and location at all times. But this should only serve as a backup, and responsibility for end-user security best practices should rest with the employee.
Teach Employees How to Spot Suspicious Activity
Sharpen your employees' eye for suspicious activity and enhance their cybersecurity awareness by teaching them to watch for the following signs:
- Sudden appearance of new apps or programs on their devices
- Strange pop-ups during startup, normal operation, or before shutdown
- The device slows down
- New extensions or tabs in the browser
- Loss of control of the mouse or keyboard
Encourage your employees to report suspicious signs immediately. Even if it turns out to be a false alarm, it might still be beneficial to the employee by clearing up errors in their device that hamper productivity.
Working from home tends to make people more complacent, and this extends to cybersecurity. Drill the importance of passwords and authentication even if they work in their PJs. Just because they’re relaxed doesn’t mean security has to be.
To avoid cybersecurity threats regarding confidentiality, train your employees by doing the following:
- Enact periodic and unique password changes.
- Teach employees about the dangers of using universal passwords, and use real-world examples from past data breaches. They might even want to see if their personal account passwords have been pwned.
- Discuss the rationale behind VPNs, multi-factor authentication, and other secure log-on processes, and why they are important despite being time-consuming.
- To combat unsecured storage of company data, provide concrete examples of stolen data incidents caused by an errant thumb drive or compromised personal Dropbox account.
Examine Individual Cases of Cybersecurity Breaches
Unlike an office environment with a controlled network, your employees’ home computer security can vary widely. Some may connect through their home Wi-Fi, while others may use connections from the public Wi-Fi at a coffee shop.
Some may have older devices that are no longer supported by security patches, and it may be necessary to address those concerns by:
- Encouraging employees to use their company-provided devices. If it’s BYOD, check the device brand and model year to see if there are outstanding exploits.
- Doing a security sweep of home networks. For example, some older routers may still use the weaker WEP protocol instead of WPA2, or some may even have the default password!
- Paying attention to nomad employees and devising a security policy for them, since roaming data and public Wi-Fi hotspots bring their own unique threats.
Take Advantage of Online Cybersecurity Courses
There are plenty of online resources when it comes to training employees on cybersecurity awareness, and not all of them have to be paid.
- The FTC (Federal Trade Commission) website has educational resources for small business owners and managers. They also have cybersecurity quizzes to test what you learned.
- This cyberdefense learning toolkit from the Department of Homeland Security is specifically designed for small business owners as well.
- The Center for Internet Security’s 20-step organizational control program teaches good cyber defense habits and identification of suspicious behavior, and generates a skills gap analysis.
- The Federal Virtual Training Environment provides a comprehensive 6-hour course for managerial-level members, divided into 30 modules.
- The National Institute of Standards and Technology has a list of free and low-cost online training content specifically designed for employees, including webinars, short courses, quizzes, and certification.
- This webinar series from the National Cybersecurity Alliance releases one video every other month, starting in November 2019, and ending in November 2020.
- ESET offers a free one-hour training course that teaches best practices for remote employees. The paid version includes dashboard tracking of employee progress, a phishing simulator, and certification and LinkedIn badges.
- FEMA’s IS-0906 course on workplace security awareness takes only 1 hour and tackles risks, prevention measures, and response actions for remote employees.
Make Cybersecurity Awareness an Ongoing Conversation
On average, corporate workers spend up to a quarter of their workday on email-related tasks. This makes a one-shot email message about cybersecurity a poor choice, since they may not be able to appreciate the significance or absorb the information in one sitting.
Here are some best practices for communicating cybersecurity announcements to your employees:
- Use different approaches to cybersecurity education, such as regular announcements or newsletter updates.
- For each update, follow the KISS rule: Keep It Short and Simple. This way they can glean the message and retain the information amid their hectic day.
- Follow current trends. If there’s a new type of crypto-malware or exploit that crashes phones with a single message, make sure it reaches your members.
- Use eye-catching tactics each time to get them to absorb the message. Instead of listing dry statistics or do’s and don’ts, try colorful infographics. For long topics, try a video explanation.
- You can even try cybersecurity tests to see if the lessons stick. For example, as part of its email safety education, HP sends out test phishing messages and congratulates employees who report them to IT.
Training your employees about cybersecurity awareness allows them to understand how they play a role in protecting your company. Rather than being just another cog in the organization, they are the first set of eyes that guard against external threats. By encouraging vigilance and good cybersecurity awareness, you give them something that they can carry well beyond the confines of the office, even after things return to normal.