The COVID-19 pandemic upended office life as we know it, forcing many companies and employees into remote work. For most businesses, this was not a seamless transition, but a frenetic scramble that required a patchwork of devices, software, and network configurations—all prime targets of opportunity for cybercriminals.
Now, with the pandemic (hopefully) waning, companies have begun to re-open their offices. But, if they were not prepared for remote work, are they prepared for returning to in-person business as usual?
While employees worked from home, Bring Your Own Device (BYOD) culture exposed companies to whatever malware lay latent on employees' personal computers, tablets, and smartphones. Furthermore, improperly secured work devices were exposed to whatever threats were on employees' home networks and PCs. But devices are only half of this cybersecurity story. The other, more important, half is the humans behind those devices.
During remote work, employees fell to the level of their cybersecurity training. Without supervisors and IT professionals standing over their shoulders, training issues, such as poor phishing-detection abilities, compromised the security postures of many companies. Workarounds, such as unauthorized software and applications, proliferated. And finally, patches and critical updates did not get installed.
A recent Tessian report tells the tale. According to the email security firm, 56% of IT leaders think employees picked up bad cybersecurity habits from remote work and 54% worry some will bring infected devices into the office. Tessian also found that one in three employees thinks they can get away with riskier cybersecurity behavior while working remotely, and more than a quarter (27%) said they are afraid to tell IT if they make a mistake.
Ready or not, here they come
In part, this is a technical problem. Part two of this series will explore how IT can close the gaps that remote work may have opened in your company's security posture. But solving this technical problem does little to remedy the underlying human problem. That begins before your employees return to the office, and it emanates from the highest levels of your organization.
First, the C-suite needs to set the tone, sending the message that cybersecurity is a vital part of your company culture. To begin, codify your position on remote work. For some companies, a return to the office means an end to working from home. That could also mean an end to BYOD culture, a reintegration into the company’s cybersecurity infrastructure, and a commitment to continuous cybersecurity training (more on that later).
For other companies, setting the tone may mean accepting that the cat is out of the bag: Employees acquired a taste for flexible working arrangements, and many will want that flexibility to continue. Unfortunately, BYOD culture and risky or lax cybersecurity behavior will also continue—unless you stop them.
Regardless of which category your company occupies, the process of solving the human problem begins the same way: involving IT long before employees return to the office. Give your IT department as much lead time as possible and listen closely to their concerns and requirements. Don’t just make it IT’s problem either. They face the tall order of re-training your entire team. Ideally, HR and supervisors should support that training, and it should begin well before employees return to the office.
Training that works
Now, you might be thinking: Great. We will run a one-hour training session before the employees return and we will be ready. Unfortunately, one-off training sessions may work in the short term, but their impact is transient, and they will do little to make cybersecurity a part of your company’s culture. Continuous cybersecurity training, however, will bring you closer. This type of cybersecurity training runs constantly, challenging your employees and identifying the ones who need additional help.
Continuous security training also serves a second purpose: It provides IT with real-time monitoring of your company’s cybersecurity posture. For example, if four out of five employees fail to identify a work-from-home themed phishing campaign, then management knows this emergent threat needs to be addressed with additional training.
Processes and training must also emphasize clear and simple communication channels and procedures for IT and cybersecurity. For example, let us say an employee receives an unexpected phone call from someone purporting to be in IT, requesting remote access to their PC. Does your employee know how to validate this request? Do they know how to report suspicious activity, or their own mistakes?
Finally, effective training emphasizes the why of cybersecurity. This might include:
- Loss of confidential employee information, such as Social Security numbers and addresses, in the event of a breach.
- Irreparable harm caused to customers.
- The financial costs associated with recovering from a cyber-attack, including costs associated with the technical recovery, as well as lost company revenue.
- Damage to the reputation of the company and/or employees in the event of a leak of sensitive data.
Continuous cybersecurity training solutions
Your IT department does not need to create a continuous cybersecurity training system from scratch. Software such as KnowBe4, which costs as little as a few dollars per user, gamifies continuous cybersecurity training. For example, KnowBe4 will send employees fake phishing email campaigns. Those who report them appropriately pass these small tests. Those who click on a campaign can be singled out for more cybersecurity training. Training courses are in video form and cover what to look out for, how to assess the safety of an email, and other best practices.
This type of training builds a culture of cybersecurity, one in which your employees are always on their toes, remaining vigilant while feeling empowered to report suspicious activity—or even their own errors. Furthermore, building a culture of cybersecurity gives your IT and security team extra eyes. Users will feel more comfortable reporting suspicious behavior, instead of ignoring or concealing it.
The alternative is an afternoon of training. Your employees may learn a few things, but usually the lessons end up gone with the free pizza, leaving your company to contend with the same vulnerabilities. Do not repeat the cybersecurity errors of the pandemic. Start building a culture of cybersecurity in your company today.