    Remote Working: Is Lack Of Proper Training Causing Security Breaches?

    Addressing the knowledge gap to arrest the rising danger of security risks

    Posted on 09-29-2020

    The general trend towards working from home has been accelerated by world events and it’s causing major headaches for cybersecurity professionals. Many organizations were simply unprepared to transition their workforce to a distributed model so rapidly, and many employees lack the education and knowledge they need to avoid cyberattacks and phishing scams.

    One in five companies has reported a security breach traced to a remote worker, according to a Malwarebytes survey of more than 200 decision-makers in IT and cybersecurity roles at organizations across the US. A worrying 18% admitted that cybersecurity was not a priority for their employees, and 5% went even further, describing their remote workers as “a security risk” and “oblivious to security best practices”.
     


    The use of personal devices for work is all too common. Many remote workers are adopting new software tools to boost productivity and collaboration but forgoing the necessary security and privacy analysis.

    This growth in potential attack surface is making life difficult for those tasked with company security. To arrest the rising danger of malware infections, ransomware proliferation, and data theft, companies must address the knowledge gap. 

    Cybercriminals Are Seizing This Opportunity

    The current climate is close to ideal for hackers and cybercriminals intent on disrupting, extorting, and stealing from organizations. Most people are struggling to juggle their home and work lives, fending off distractions to get through the workday. There’s massive uncertainty and fear as the pandemic drags on. Many phishing scams have been tailored to exploit the situation by preying on people’s fears and posing as government departments or other official bodies sending pandemic-related messages.

    Removed from the watchful eye of IT departments and robbed of the option to turn around and ask a colleague for advice, it should come as no surprise that more and more people are succumbing to cleverly crafted phishing attacks. 

    The use of personal devices and new cloud software and services that are often beyond the reach of security systems and staff is exacerbating what is already a bad situation. 

    As remote workers struggle to do their best, admonishment is not the answer. Employees simply need the right support and training.

    The Separation Between Work and Home

    It takes time to adjust to working from home. Employers should do everything they can to ease the transition. This starts with encouraging employees to set up safe, defined spaces for work where they have some privacy. Ensure that remote workers are equipped with the devices, software tools, and other equipment they need to do the job. Help them to maintain a barrier between home life and work, with clearly delineated policies on devices and apps.

    Remote IT should review and configure secure logins, ideally with multifactor authentication. It’s vital to restrict access to data wherever possible. Employ VPN services and virtualization to create secure tunnels to employees and prevent the spread of company data onto potentially insecure devices. Help employees configure their home setups to ensure they are suitably secure. Encrypt sensitive data, wherever it resides, in transit and at rest.

    Provide thorough, easily accessible guides to show people how to securely log in to systems, configure devices, and use essential software. This can help to alleviate some of the burdens on overstretched IT people and free them up to deal with more serious queries and incidents. 

    Ensure that remote workers have a clear point of contact and understand how to report any security issues they encounter and where to direct questions they may have.

    Security Awareness Training and Support

    There’s only so much that cybersecurity professionals and IT staff can do; ultimately remote workers must learn about best practices for strong security hygiene. A regular program of security awareness training is crucial, and your regular program should be bolstered with advice that specifically caters to working from home and the associated risks. There should be clear policies in place, which are reinforced in a practical fashion during training sessions.

    Employees should be regularly and randomly tested on their resilience and knowledge. Mock phishing attacks – literally phishing your own employees – are an excellent way to test the efficacy of training and highlight workers in need of a refresher. Make sure to model good behavior, so employees understand what’s expected of them. Call out and reward workers who show awareness and successfully apply what they’ve learned. 

    Since employees are already struggling with a stressful situation, it’s probably wise to think twice about disciplining those who make mistakes. Instead, reach out and see what you can do to help and support them to do better.

    The rise of remote working, called “the paperless office” about 20 years ago, pointed to the future -- it just happened a little faster than many expected, so it’s best to adjust your longer-term planning and focus on adapting to the new reality. 

    To avoid falling victim to a data breach, ransomware, or some other security incident, it’s time to pull together and get everyone to take some responsibility for company security. With the right training and support in place, your workforce can evolve to be vigilant and resilient, which will stand your company in good stead for whatever the future holds.

    Author Bio

    Stu Sjouwerman is Founder and CEO of KnowBe4. He was Co-Founder of Sunbelt Software. Stu is the author of four books, with his latest being Cyberheist: The Biggest Financial Threat Facing American Businesses.
    Visit www.knowbe4.com


    This article was published in the following issue:
    October 2020 HR Legal & Compliance

     
    Copyright © 1999-2025 by HR.com - Maximizing Human Potential. All rights reserved.